AST01 — Malicious Skills

Severity: Critical
Platforms Affected: All

Description

Attackers publish skills that appear legitimate but contain hidden malicious payloads — credential stealers, reverse shells, backdoors, or social engineering instructions embedded in SKILL.md prose sections. Because agent skills execute with the full permissions of the host agent, a malicious skill gains immediate access to API keys, SSH credentials, wallet files, browser data, and shell.

Why It’s Unique to Skills

Unlike traditional malicious packages, malicious skills exploit both the code layer (shell scripts, Python calls) and the natural language instruction layer (markdown prose instructing the agent to perform actions). The Snyk ToxicSkills research confirmed that 100% of malicious skills combined both attack vectors.

Real-World Evidence

  • ClawHavoc campaign (Jan 2026): 1,184 malicious skills across 12 publisher accounts, all sharing C2 IP 91.92.242[.]30. Delivered Atomic Stealer (AMOS) targeting macOS crypto wallets, SSH keys, and browser credentials.
  • Five of the top seven most-downloaded ClawHub skills at peak infection were confirmed malware.
  • Three lines of markdown in a SKILL.md file were sufficient to exfiltrate SSH keys (Snyk, Feb 2026).
  • Skills impersonating “Google,” “Solana wallet tracker,” “YouTube Summarize Pro,” and “Polymarket Trader” — all designed to match high-demand searches.
  • A USENIX Security 2026 measurement study analyzed 98,380 skills across public marketplaces and confirmed 157 malicious skills carrying 632 vulnerabilities (avg. 4.03 per skill); 73.2% of malicious skills implemented shadow features hidden from the user, and 54.1% traced to a single publisher cluster (Liu et al., arXiv:2602.06547).

Attack Scenarios

Typosquatting

  • google-workspace vs. gogle-workspace
  • youtube-dl-core vs. legitimate package

Social Engineering Prerequisites

SKILL.md “Prerequisites” section instructs users to copy-paste terminal commands to install “helper tools” from attacker-controlled domains.

ClickFix Prompts

Fake “setup required” dialogs that coerce users into running malicious scripts.

SOUL.md Persistence

Malicious skills write backdoor instructions into the agent’s identity file, surviving skill uninstall.

Memory Poisoning

Skills that inject malicious context into MEMORY.md, causing the agent to execute attacker commands in future sessions.

Identity Cloning and Impersonation

A malicious skill reads and exfiltrates the agent’s identity artifacts — SOUL.md, MEMORY.md, persona definitions, and configuration — so an attacker can replicate the agent’s behavioral state in another environment and impersonate it, or inject a modified persona so the agent acts as a trusted identity while performing privileged actions. Because identity in agentic systems is behavioral and contextual (not just credentials), cloning these files reproduces the agent’s effective identity.

WebSocket Hijacking

Skills that establish persistent WebSocket connections to attacker C2 servers, enabling real-time command execution.

Preventive Mitigations

  1. Require cryptographic signatures (ed25519) on all published skills; reject unsigned installs. Bind each signature to a resolvable, revocable publisher identity (a key id, a publisher identifier such as a domain or did:web, and a published verification key) — not just a bare key — so a compromised signer can be revoked. A signature proves authorship, not safety: a verified publisher can still ship malicious content, so signing composes with behavioral scanning (mitigation 3) and reputation (mitigation 6) rather than replacing them.
  2. Implement Merkle root signing for skill registries.
  3. Scan skills at publish time and at install time using behavioral analysis (not just pattern matching).
  4. Isolate skill execution in containers or sandboxes.
  5. Audit skill actions through structured logging.
  6. Implement skill reputation systems based on community feedback and automated testing.
  7. Protect agent identity artifacts (SOUL.md, MEMORY.md, persona/config files): restrict read and write access, sign or version-control them, and treat any skill request to access them as elevated-risk (see AST03). This limits both persistence backdoors and identity cloning.

Code Example: Signature Verification

import ed25519

def verify_skill_signature(skill_content: str, signature: str, public_key: str) -> bool:
    """Verify ed25519 signature of skill content"""
    try:
        pk = ed25519.VerifyingKey(public_key.encode(), encoding='hex')
        pk.verify(signature.encode(), skill_content.encode(), encoding='hex')
        return True
    except:
        return False

# Usage in registry
def install_skill(skill_path: str, signature: str, pubkey: str):
    with open(skill_path, 'r') as f:
        content = f.read()
    
    if not verify_skill_signature(content, signature, pubkey):
        raise ValueError("Invalid skill signature")
    
    # Proceed with installation

Code Example: Behavioral Sandboxing

import subprocess
import os

def run_skill_in_sandbox(skill_script: str, timeout: int = 30):
    """Execute skill in isolated environment"""
    env = os.environ.copy()
    env['SANDBOX'] = '1'  # Signal sandbox mode
    
    # Run in container or restricted process
    result = subprocess.run(
        ['docker', 'run', '--rm', '--network', 'none', 
         '-v', f'{skill_script}:/skill.sh', 'alpine:latest', 
         'sh', '/skill.sh'],
        capture_output=True,
        timeout=timeout,
        env=env
    )
    
    return result.returncode, result.stdout, result.stderr
  1. Display skill publisher trust level, install count, and scan status in registry UI.
  2. Never auto-execute “Prerequisites” sections without explicit user review.
  3. Hash-pin installed skills and alert on any modification.

OWASP Mapping

  • LLM03 (Supply Chain)
  • LLM01 (Prompt Injection - indirect)
  • ASVS V14 (Configuration)

MAESTRO Framework Mapping

The Cloud Security Alliance (CSA) MAESTRO framework provides a structured threat modeling approach for agentic AI systems across 7 layers:

MAESTRO Layer Layer Name AST01 Mapping
Layer 7 Agent Ecosystem Registry compromise, marketplace manipulation, agent impersonation
Layer 3 Agent Frameworks Compromised components, supply chain attacks
Layer 6 Security & Compliance Access controls, policy enforcement
Layer 4 Deployment & Infrastructure Container tampering, runtime environment security
Layer 5 Evaluation & Observability Detection evasion, metric manipulation

MAESTRO Layer Details

Layer 7: Agent Ecosystem - Primary mapping for AST01

  • Malicious skills published to registries (ClawHub, skills.sh)
  • Marketplace manipulation through typosquatting and brand impersonation
  • Agent impersonation attacks via fake “Google,” “Solana wallet tracker” skills
  • Registry compromise enabling coordinated malicious skill campaigns

Layer 3: Agent Frameworks

  • Compromised skill components within agent frameworks (OpenClaw, Claude Code, Cursor)
  • Supply chain attacks through skill dependencies
  • Prompt injection within skill instructions

Layer 6: Security & Compliance

  • Access control failures allowing malicious skills to execute with full permissions
  • Policy enforcement gaps in skill registries

Layer 4: Deployment & Infrastructure

  • Runtime environment security for skill execution
  • Container tampering through malicious skill payloads

Layer 5: Evaluation & Observability

  • Detection evasion through obfuscated malicious instructions
  • Metric manipulation to bypass security scanning

Platform-Specific Mitigation Guides

OpenClaw Platform

Registry Security

  • Enable “Verified Publisher” requirement for all skill installations
  • Use ClawHub’s built-in malware scanning before installation
  • Review skill permissions in the installation dialog

Skill Development

# Example: Secure SKILL.md structure
name: "Secure File Backup"
version: "1.0.0"
publisher: "trusted-org"
signature: "ed25519_signature_here"

permissions:
  - filesystem:read
  - network:outbound

instructions: |
  This skill securely backs up files to a designated location.
  Never executes arbitrary commands or accesses sensitive data.

Runtime Protection

  • Run skills in isolated containers using ClawSandbox
  • Monitor skill execution logs for suspicious patterns
  • Implement skill execution timeouts

Claude Code Platform

Skill Validation

  • Use Claude’s built-in skill validator before publishing
  • Implement signature verification for all skills
  • Review skill code for injection vulnerabilities

Code Example: Secure Claude Skill

{
  "name": "Secure Data Processor",
  "version": "1.0.0",
  "permissions": ["read_files", "write_temp"],
  "tools": [
    {
      "name": "process_data",
      "description": "Securely process user data",
      "parameters": {
        "input_file": {"type": "string", "description": "Input file path"}
      }
    }
  ],
  "security": {
    "signature_required": true,
    "sandboxed_execution": true
  }
}

Best Practices

  • Avoid dynamic code execution in skills
  • Use parameterized inputs only
  • Implement proper error handling

Cursor Platform

Manifest Security

{
  "name": "Secure Code Assistant",
  "version": "1.0.0",
  "publisher": "verified-publisher",
  "permissions": {
    "filesystem": "read-only",
    "network": "outbound-only"
  },
  "security": {
    "requireSignature": true,
    "sandbox": true,
    "auditLog": true
  }
}

Development Guidelines

  • Use Cursor’s security linter during development
  • Test skills in isolated environments
  • Document all permission requirements clearly

VS Code Platform

Extension Security

  • Follow VS Code extension security guidelines
  • Use proper manifest declarations
  • Implement content security policies

Code Example: Secure VS Code Skill

{
  "name": "secure-skill",
  "version": "1.0.0",
  "publisher": "trusted-publisher",
  "engines": {
    "vscode": "^1.70.0"
  },
  "permissions": ["workspace", "commands"],
  "security": {
    "enablement": "workspaceTrust",
    "supportedEnvironments": ["desktop"]
  }
}

Deployment Checklist

  • Code signed with verified certificate
  • Security review completed
  • Permissions minimized
  • Sandbox testing passed
  • Audit logging enabled

Cross-Platform Best Practices

Skill Publisher Responsibilities

  1. Code Signing: All skills must be cryptographically signed
  2. Minimal Permissions: Request only necessary permissions
  3. Clear Documentation: Document all functionality and security measures
  4. Regular Updates: Maintain and patch security vulnerabilities
  5. Transparency: Disclose data collection and processing practices

Platform Operator Responsibilities

  1. Automated Scanning: Implement malware detection for all skills
  2. Publisher Verification: Verify publisher identities
  3. User Warnings: Alert users to high-risk permissions
  4. Incident Response: Rapid removal of malicious skills
  5. Community Feedback: Allow user reporting of suspicious skills

User Responsibilities

  1. Source Verification: Only install from trusted publishers
  2. Permission Review: Understand what permissions are granted
  3. Regular Audits: Review installed skills periodically
  4. Report Suspicious Activity: Report potential security issues
  5. Keep Updated: Use latest platform versions with security fixes

Reference Materials

Malicious Skill Analysis Framework

When analyzing suspected malicious skills, follow this systematic approach:

  1. Static Analysis
    • Review SKILL.md for suspicious instructions
    • Check for obfuscated code or unusual YAML structures
    • Validate signature against known publisher keys
  2. Dynamic Analysis
    • Execute in isolated sandbox environment
    • Monitor file system, network, and process activity
    • Check for persistence mechanisms (SOUL.md, MEMORY.md modifications)
  3. Behavioral Indicators
    • Unusual network connections
    • File exfiltration attempts
    • Shell command execution beyond stated function
    • Memory or identity file modifications

Detection Signatures

Common patterns in malicious skills:

  • Base64-encoded payloads in YAML comments
  • Instructions to download from non-HTTPS URLs
  • Requests for excessive permissions (write to identity files)
  • Typosquatting of popular service names
  • Social engineering prompts (“Run this command to enable…”)

Incident Response Checklist

For confirmed malicious skill incidents:

  • Isolate affected agents
  • Revoke compromised credentials
  • Scan for lateral movement
  • Notify skill registry
  • Update detection signatures
  • Review installation approval processes

References


Last updated: March 2026


Example

Put whatever you like here: news, screenshots, features, supporters, or remove this file and don’t use tabs at all.


Leadership & Founding Members

Project Leadership

Current Leaders

Ken Huang

Ken Huang

Hammad Atta

Hammad Atta

Fabio Cerullo

Fabio Cerullo

Aonan Guan

Aonan Guan

Bhavya Gupta

Bhavya Gupta

Niv Hoffman

Niv Hoffman

Iftach Orr

Iftach Orr

Akram Sheriff

Akram Sheriff

AIVSS Distinguished Review Board

The OWASP AIVSS project’s Distinguished Review Board comprises world-renowned cybersecurity leaders, former government officials, and industry pioneers who provide strategic guidance and expert oversight for the AI Vulnerability Scoring System framework. We thank them for their guidance, several of whom have also supported this project’s work.

Rob Joyce

Rob Joyce

Advisor to PwC and OpenAI, Former Special Assistant to the President and Cybersecurity Coordinator

Jason Clinton

Jason Clinton

Deputy CISO, Anthropic

Amy R. Steagall

Amy R. Steagall

Chief Information Security Officer, Stanford University

Martin Stanley

Martin Stanley

AI Risk Management Framework Lead, NIST

Apostol Vassilev

Apostol Vassilev

Research Supervisor, NIST

Andrew Coyne

Andrew Coyne

CISO, Banner Health, Former CISO, Mayo Clinic

Kevin Rocque

Kevin Rocque

Managing Director/Executive Vice President, Global Technology Risk Officer, TD Bank

Jeff Williams

Jeff Williams

Former Global OWASP Chair, Founder and CTO, Contrast Security

Michael Tran Duff

Michael Tran Duff

University Chief Information Security and Data Privacy Officer, Harvard University

Emil Bender Lassen

Emil Bender Lassen

Standards Lead, AIUC-1

Agentic Skills Top 10 Founding Members

Founding members of the OWASP Agentic Skills Top 10 project itself — project leads, co-leads, and additional contributors — listed alphabetically. Several also contribute to the sibling OWASP AIVSS project listed above.

Ken Huang

Ken Huang

Project Lead, Agentic Skills Top 10

Hammad Atta

Hammad Atta

Co-Lead, Agentic Skills Top 10

Manish Bhatt

Manish Bhatt

Security Researcher, AWS

Fabio Cerullo

Fabio Cerullo

Co-Lead, Agentic Skills Top 10

David Girard

David Girard

Senior Director, AI Security & AI Alliances, Trend Micro

Aonan Guan

Aonan Guan

Co-Lead, Agentic Skills Top 10

Bhavya Gupta

Bhavya Gupta

Co-Lead, Agentic Skills Top 10

Pamela Gupta

Pamela Gupta

Founder & CEO, OutSecure / Trusted AI

Idan Habler

Idan Habler

Staff AI/ML Security Researcher, Intuit

Niv Hoffman

Niv Hoffman

CTO, Air Security

Charles Iheagwara

Charles Iheagwara

AI/ML Security Leader, AstraZeneca

Sushmitha Janapareddy

Sushmitha Janapareddy

Director - Security Integrations, American Express

Edward Lee

Edward Lee

Vice President, Lead AI Security, JP Morgan

KJ Lian

KJ Lian

Senior Manager, Data & AI (Public Sector), AWS

Vineeth Sai Narajala

Vineeth Sai Narajala

Application Security, AWS

Iftach Orr

Iftach Orr

Co-Lead, Agentic Skills Top 10

Kanna Sekar

Kanna Sekar

Cyber Security, Google

Akram Sheriff

Akram Sheriff

Co-Lead, Agentic Skills Top 10

Dennis Xu

Dennis Xu

Research VP, AI, Gartner

OWASP AIVSS Founding Members

The OWASP AIVSS (Agentic AI Vulnerability Scoring System) project is a sibling OWASP initiative focused on scoring the severity of agentic AI vulnerabilities. Its founding members are recognized here as OWASP founding members in the agentic AI security space; many of them have also contributed directly to the Agentic Skills Top 10 project’s research and review process.

Sunil Agrawal

Sunil Agrawal

Chief Information Security Officer, Glean

David Ames

David Ames

Partner, PwC

Michael Bargury

Michael Bargury

Founder and CTO, Zenity

Joshua Beck

Joshua Beck

Application Security Architect, SAS

Manish Bhatt

Manish Bhatt

Security Researcher, Amazon Kuiper Security

Mark Breitenbach

Mark Breitenbach

Security Engineer, Dropbox

Anat Bremler-Barr

Anat Bremler-Barr

Professor of Computer Science, Tel Aviv University

Siah Burke

Siah Burke

HIPAA Security Officer, Siah.ai

David Campbell

David Campbell

AI Security, Scale AI

Ying-Jung Chen

Ying-Jung Chen

AI safety researcher, PhD, Georgia Institute of Technology

Anton Chuvakin

Anton Chuvakin

Security Solution Strategy, Google

Jason Clinton

Jason Clinton

CISO, Anthorphic

Adam Dawson

Adam Dawson

Staff AI Security Researcher, Dreadnode

Leon Derczynski

Leon Derczynski

Principal Research Scientist, NVIDIA

Walker Lee Dimon

Walker Lee Dimon

AI Security Researcher, MITRE

Marissa Dotter

Marissa Dotter

AI Security Researcher, MITRE

Dan Goldberg

Dan Goldberg

ISO Market Lead, Omnicom

David Haber

David Haber

CEO, Lakera

Idan Habler

Idan Habler

Staff AI/ML Security Researcher, Intuit

Jason Haddix

Jason Haddix

Founder, Arcanum Information Security

Keith Hoodlet

Keith Hoodlet

Director of AI/ML & AppSec, Trail of Bits

Ken Huang

Ken Huang

AIVSS Project Lead, OWASP

Chris Hughes

Chris Hughes

CEO, Aquia

Charles Iheagwara

Charles Iheagwara

AI/ML Security Leader, AstraZeneca

Krystal Jackson

Krystal Jackson

Researcher, Center for Long-Term Cybersecurity, UC Berkeley

Sushmitha Janapareddy

Sushmitha Janapareddy

Director - Security Integrations, American Express

Rob Joyce

Rob Joyce

Former Cybersecurity Director of NSA, Advisor to PwC, PwC

Diana Kelley

Diana Kelley

CISO, Noma Security

Prashant Kulkarni

Prashant Kulkarni

Lead AI Security Research Engineer, Google Cloud

Mahesh Lambe

Mahesh Lambe

Founder, MIT, Unify Dynamics

Edward Lee

Edward Lee

Vice President, Lead AI Security, JP Morgan

Nate Lee

Nate Lee

CEO, Cloudsec.ai

Vishwas Manral

Vishwas Manral

CEO, Precize.ai

Daniela Muhaj

Daniela Muhaj

Executive-in-Residence for Research & Development, AI 2030

Vineeth Sai Narajala

Vineeth Sai Narajala

Application Security, AWS

Om Narayan

Om Narayan

AI Security Researcher, AWS

Varun Pant

Varun Pant

Engineering and Product Leader, AI applications at the Automated Reasoning Group, AWS

Advait Patel

Advait Patel

Senior Site Reliability Engineer (DevSecOps + Cloud + AIOps), Broadcom, IEEE

Alex Polyakov

Alex Polyakov

CEO, adversa.ai

Ramesh Raskar

Ramesh Raskar

Professor & Director, MIT Media Lab

Ron F. Del Rosario

Ron F. Del Rosario

VP-Head of AI Security, SAP

Tal Shapira

Tal Shapira

Co-Founder & CTO, Reco AI

Akram Sheriff

Akram Sheriff

Senior AI/ML Software Engineering Leader, Cisco

Samantha Siau

Samantha Siau

Security and Compliance, Anthropic

Kevin Simmonds

Kevin Simmonds

Partner on AI Offensive Security, PWC

Martin Stanley

Martin Stanley

NIST AI RMF Lead, Independent

Omar A. Turner

Omar A. Turner

General Manager of Security, Microsoft

Apostol Vassilev

Apostol Vassilev

AI Research Team Supervisor, NIST

Matthew Versaggi

Matthew Versaggi

AI Fellow, White House Presidential Innovation Fellow

David Webb

David Webb

Agency Cybersecurity Officer, Cybersecurity and Infrastructure Security Agency

Dennis Xu

Dennis Xu

Research VP, AI, Gartner

Xiaochen Zhang

Xiaochen Zhang

Executive Director and Chief Responsible AI Officer, AI 2030

Recognition

We extend our gratitude to all founding members who have contributed to establishing this crucial framework for AI security assessment. Their vision and dedication have been instrumental in shaping the Agentic Skills Top 10 project.

Get Involved

Interested in contributing to the Agentic Skills Top 10 project? We welcome new contributors and leaders. Please see our Contribution Guidelines for more information on how to get involved.