AST01 — Malicious Skills
Severity: Critical
Platforms Affected: All
Description
Attackers publish skills that appear legitimate but contain hidden malicious payloads — credential stealers, reverse shells, backdoors, or social engineering instructions embedded in SKILL.md prose sections. Because agent skills execute with the full permissions of the host agent, a malicious skill gains immediate access to API keys, SSH credentials, wallet files, browser data, and shell.
Why It’s Unique to Skills
Unlike traditional malicious packages, malicious skills exploit both the code layer (shell scripts, Python calls) and the natural language instruction layer (markdown prose instructing the agent to perform actions). The Snyk ToxicSkills research confirmed that 100% of malicious skills combined both attack vectors.
Real-World Evidence
- ClawHavoc campaign (Jan 2026): 1,184 malicious skills across 12 publisher accounts, all sharing C2 IP
91.92.242[.]30. Delivered Atomic Stealer (AMOS) targeting macOS crypto wallets, SSH keys, and browser credentials. - Five of the top seven most-downloaded ClawHub skills at peak infection were confirmed malware.
- Three lines of markdown in a
SKILL.mdfile were sufficient to exfiltrate SSH keys (Snyk, Feb 2026). - Skills impersonating “Google,” “Solana wallet tracker,” “YouTube Summarize Pro,” and “Polymarket Trader” — all designed to match high-demand searches.
- A USENIX Security 2026 measurement study analyzed 98,380 skills across public marketplaces and confirmed 157 malicious skills carrying 632 vulnerabilities (avg. 4.03 per skill); 73.2% of malicious skills implemented shadow features hidden from the user, and 54.1% traced to a single publisher cluster (Liu et al., arXiv:2602.06547).
Attack Scenarios
Typosquatting
google-workspacevs.gogle-workspaceyoutube-dl-corevs. legitimate package
Social Engineering Prerequisites
SKILL.md “Prerequisites” section instructs users to copy-paste terminal commands to install “helper tools” from attacker-controlled domains.
ClickFix Prompts
Fake “setup required” dialogs that coerce users into running malicious scripts.
SOUL.md Persistence
Malicious skills write backdoor instructions into the agent’s identity file, surviving skill uninstall.
Memory Poisoning
Skills that inject malicious context into MEMORY.md, causing the agent to execute attacker commands in future sessions.
Identity Cloning and Impersonation
A malicious skill reads and exfiltrates the agent’s identity artifacts — SOUL.md, MEMORY.md, persona definitions, and configuration — so an attacker can replicate the agent’s behavioral state in another environment and impersonate it, or inject a modified persona so the agent acts as a trusted identity while performing privileged actions. Because identity in agentic systems is behavioral and contextual (not just credentials), cloning these files reproduces the agent’s effective identity.
WebSocket Hijacking
Skills that establish persistent WebSocket connections to attacker C2 servers, enabling real-time command execution.
Preventive Mitigations
- Require cryptographic signatures (ed25519) on all published skills; reject unsigned installs. Bind each signature to a resolvable, revocable publisher identity (a key id, a publisher identifier such as a domain or
did:web, and a published verification key) — not just a bare key — so a compromised signer can be revoked. A signature proves authorship, not safety: a verified publisher can still ship malicious content, so signing composes with behavioral scanning (mitigation 3) and reputation (mitigation 6) rather than replacing them. - Implement Merkle root signing for skill registries.
- Scan skills at publish time and at install time using behavioral analysis (not just pattern matching).
- Isolate skill execution in containers or sandboxes.
- Audit skill actions through structured logging.
- Implement skill reputation systems based on community feedback and automated testing.
- Protect agent identity artifacts (
SOUL.md,MEMORY.md, persona/config files): restrict read and write access, sign or version-control them, and treat any skill request to access them as elevated-risk (see AST03). This limits both persistence backdoors and identity cloning.
Code Example: Signature Verification
import ed25519
def verify_skill_signature(skill_content: str, signature: str, public_key: str) -> bool:
"""Verify ed25519 signature of skill content"""
try:
pk = ed25519.VerifyingKey(public_key.encode(), encoding='hex')
pk.verify(signature.encode(), skill_content.encode(), encoding='hex')
return True
except:
return False
# Usage in registry
def install_skill(skill_path: str, signature: str, pubkey: str):
with open(skill_path, 'r') as f:
content = f.read()
if not verify_skill_signature(content, signature, pubkey):
raise ValueError("Invalid skill signature")
# Proceed with installation
Code Example: Behavioral Sandboxing
import subprocess
import os
def run_skill_in_sandbox(skill_script: str, timeout: int = 30):
"""Execute skill in isolated environment"""
env = os.environ.copy()
env['SANDBOX'] = '1' # Signal sandbox mode
# Run in container or restricted process
result = subprocess.run(
['docker', 'run', '--rm', '--network', 'none',
'-v', f'{skill_script}:/skill.sh', 'alpine:latest',
'sh', '/skill.sh'],
capture_output=True,
timeout=timeout,
env=env
)
return result.returncode, result.stdout, result.stderr
- Display skill publisher trust level, install count, and scan status in registry UI.
- Never auto-execute “Prerequisites” sections without explicit user review.
- Hash-pin installed skills and alert on any modification.
OWASP Mapping
- LLM03 (Supply Chain)
- LLM01 (Prompt Injection - indirect)
- ASVS V14 (Configuration)
MAESTRO Framework Mapping
The Cloud Security Alliance (CSA) MAESTRO framework provides a structured threat modeling approach for agentic AI systems across 7 layers:
| MAESTRO Layer | Layer Name | AST01 Mapping |
|---|---|---|
| Layer 7 | Agent Ecosystem | Registry compromise, marketplace manipulation, agent impersonation |
| Layer 3 | Agent Frameworks | Compromised components, supply chain attacks |
| Layer 6 | Security & Compliance | Access controls, policy enforcement |
| Layer 4 | Deployment & Infrastructure | Container tampering, runtime environment security |
| Layer 5 | Evaluation & Observability | Detection evasion, metric manipulation |
MAESTRO Layer Details
Layer 7: Agent Ecosystem - Primary mapping for AST01
- Malicious skills published to registries (ClawHub, skills.sh)
- Marketplace manipulation through typosquatting and brand impersonation
- Agent impersonation attacks via fake “Google,” “Solana wallet tracker” skills
- Registry compromise enabling coordinated malicious skill campaigns
Layer 3: Agent Frameworks
- Compromised skill components within agent frameworks (OpenClaw, Claude Code, Cursor)
- Supply chain attacks through skill dependencies
- Prompt injection within skill instructions
Layer 6: Security & Compliance
- Access control failures allowing malicious skills to execute with full permissions
- Policy enforcement gaps in skill registries
Layer 4: Deployment & Infrastructure
- Runtime environment security for skill execution
- Container tampering through malicious skill payloads
Layer 5: Evaluation & Observability
- Detection evasion through obfuscated malicious instructions
- Metric manipulation to bypass security scanning
Platform-Specific Mitigation Guides
OpenClaw Platform
Registry Security
- Enable “Verified Publisher” requirement for all skill installations
- Use ClawHub’s built-in malware scanning before installation
- Review skill permissions in the installation dialog
Skill Development
# Example: Secure SKILL.md structure
name: "Secure File Backup"
version: "1.0.0"
publisher: "trusted-org"
signature: "ed25519_signature_here"
permissions:
- filesystem:read
- network:outbound
instructions: |
This skill securely backs up files to a designated location.
Never executes arbitrary commands or accesses sensitive data.
Runtime Protection
- Run skills in isolated containers using ClawSandbox
- Monitor skill execution logs for suspicious patterns
- Implement skill execution timeouts
Claude Code Platform
Skill Validation
- Use Claude’s built-in skill validator before publishing
- Implement signature verification for all skills
- Review skill code for injection vulnerabilities
Code Example: Secure Claude Skill
{
"name": "Secure Data Processor",
"version": "1.0.0",
"permissions": ["read_files", "write_temp"],
"tools": [
{
"name": "process_data",
"description": "Securely process user data",
"parameters": {
"input_file": {"type": "string", "description": "Input file path"}
}
}
],
"security": {
"signature_required": true,
"sandboxed_execution": true
}
}
Best Practices
- Avoid dynamic code execution in skills
- Use parameterized inputs only
- Implement proper error handling
Cursor Platform
Manifest Security
{
"name": "Secure Code Assistant",
"version": "1.0.0",
"publisher": "verified-publisher",
"permissions": {
"filesystem": "read-only",
"network": "outbound-only"
},
"security": {
"requireSignature": true,
"sandbox": true,
"auditLog": true
}
}
Development Guidelines
- Use Cursor’s security linter during development
- Test skills in isolated environments
- Document all permission requirements clearly
VS Code Platform
Extension Security
- Follow VS Code extension security guidelines
- Use proper manifest declarations
- Implement content security policies
Code Example: Secure VS Code Skill
{
"name": "secure-skill",
"version": "1.0.0",
"publisher": "trusted-publisher",
"engines": {
"vscode": "^1.70.0"
},
"permissions": ["workspace", "commands"],
"security": {
"enablement": "workspaceTrust",
"supportedEnvironments": ["desktop"]
}
}
Deployment Checklist
- Code signed with verified certificate
- Security review completed
- Permissions minimized
- Sandbox testing passed
- Audit logging enabled
Cross-Platform Best Practices
Skill Publisher Responsibilities
- Code Signing: All skills must be cryptographically signed
- Minimal Permissions: Request only necessary permissions
- Clear Documentation: Document all functionality and security measures
- Regular Updates: Maintain and patch security vulnerabilities
- Transparency: Disclose data collection and processing practices
Platform Operator Responsibilities
- Automated Scanning: Implement malware detection for all skills
- Publisher Verification: Verify publisher identities
- User Warnings: Alert users to high-risk permissions
- Incident Response: Rapid removal of malicious skills
- Community Feedback: Allow user reporting of suspicious skills
User Responsibilities
- Source Verification: Only install from trusted publishers
- Permission Review: Understand what permissions are granted
- Regular Audits: Review installed skills periodically
- Report Suspicious Activity: Report potential security issues
- Keep Updated: Use latest platform versions with security fixes
Related Risks
- AST02 — Supply Chain Compromise: Often the delivery mechanism for malicious skills.
- AST03 — Over-Privileged Skills: Malicious skills exploit excessive permissions, including logic-layer injection of privileged actions (LPCI).
- AST04 — Insecure Metadata: Brand impersonation enables malicious skill distribution.
- AST05 — Untrusted External Instructions: A malicious author can hide the payload in referenced external content, keeping the skill body clean.
- AST08 — Poor Scanning: Ineffective detection allows malicious skills to proliferate.
- AST10 — Cross-Platform Reuse: Identity artifacts cloned or ported across platforms lose their original protections, aiding impersonation.
Reference Materials
Malicious Skill Analysis Framework
When analyzing suspected malicious skills, follow this systematic approach:
- Static Analysis
- Review
SKILL.mdfor suspicious instructions - Check for obfuscated code or unusual YAML structures
- Validate signature against known publisher keys
- Review
- Dynamic Analysis
- Execute in isolated sandbox environment
- Monitor file system, network, and process activity
- Check for persistence mechanisms (SOUL.md, MEMORY.md modifications)
- Behavioral Indicators
- Unusual network connections
- File exfiltration attempts
- Shell command execution beyond stated function
- Memory or identity file modifications
Detection Signatures
Common patterns in malicious skills:
- Base64-encoded payloads in YAML comments
- Instructions to download from non-HTTPS URLs
- Requests for excessive permissions (write to identity files)
- Typosquatting of popular service names
- Social engineering prompts (“Run this command to enable…”)
Incident Response Checklist
For confirmed malicious skill incidents:
- Isolate affected agents
- Revoke compromised credentials
- Scan for lateral movement
- Notify skill registry
- Update detection signatures
- Review installation approval processes
References
- Snyk ToxicSkills
- Check Point Research: Caught in the Hook
- Antiy CERT: ClawHavoc Campaign Analysis
- Atta et al. — DIRF: A Framework for Digital Identity Protection and Clone Governance in Agentic AI Systems (arXiv:2508.01997)
- “Do Not Mention This to the User”: Detecting and Understanding Malicious Agent Skills in the Wild (USENIX Security 2026)
Last updated: March 2026
Example
Put whatever you like here: news, screenshots, features, supporters, or remove this file and don’t use tabs at all.
Leadership & Founding Members
Project Leadership
Current Leaders
Ken Huang
Hammad Atta
Fabio Cerullo
Aonan Guan
Bhavya Gupta
Niv Hoffman
Iftach Orr
Akram Sheriff
AIVSS Distinguished Review Board
The OWASP AIVSS project’s Distinguished Review Board comprises world-renowned cybersecurity leaders, former government officials, and industry pioneers who provide strategic guidance and expert oversight for the AI Vulnerability Scoring System framework. We thank them for their guidance, several of whom have also supported this project’s work.
Rob Joyce
Advisor to PwC and OpenAI, Former Special Assistant to the President and Cybersecurity Coordinator
Jason Clinton
Deputy CISO, Anthropic
Amy R. Steagall
Chief Information Security Officer, Stanford University
Martin Stanley
AI Risk Management Framework Lead, NIST
Apostol Vassilev
Research Supervisor, NIST
Andrew Coyne
CISO, Banner Health, Former CISO, Mayo Clinic
Kevin Rocque
Managing Director/Executive Vice President, Global Technology Risk Officer, TD Bank
Jeff Williams
Former Global OWASP Chair, Founder and CTO, Contrast Security
Michael Tran Duff
University Chief Information Security and Data Privacy Officer, Harvard University
Emil Bender Lassen
Standards Lead, AIUC-1
Agentic Skills Top 10 Founding Members
Founding members of the OWASP Agentic Skills Top 10 project itself — project leads, co-leads, and additional contributors — listed alphabetically. Several also contribute to the sibling OWASP AIVSS project listed above.
Ken Huang
Project Lead, Agentic Skills Top 10
Hammad Atta
Co-Lead, Agentic Skills Top 10
Manish Bhatt
Security Researcher, AWS
Fabio Cerullo
Co-Lead, Agentic Skills Top 10
David Girard
Senior Director, AI Security & AI Alliances, Trend Micro
Aonan Guan
Co-Lead, Agentic Skills Top 10
Bhavya Gupta
Co-Lead, Agentic Skills Top 10
Pamela Gupta
Founder & CEO, OutSecure / Trusted AI
Idan Habler
Staff AI/ML Security Researcher, Intuit
Niv Hoffman
CTO, Air Security
Charles Iheagwara
AI/ML Security Leader, AstraZeneca
Sushmitha Janapareddy
Director - Security Integrations, American Express
Edward Lee
Vice President, Lead AI Security, JP Morgan
KJ Lian
Senior Manager, Data & AI (Public Sector), AWS
Vineeth Sai Narajala
Application Security, AWS
Iftach Orr
Co-Lead, Agentic Skills Top 10
Kanna Sekar
Cyber Security, Google
Akram Sheriff
Co-Lead, Agentic Skills Top 10
Dennis Xu
Research VP, AI, Gartner
OWASP AIVSS Founding Members
The OWASP AIVSS (Agentic AI Vulnerability Scoring System) project is a sibling OWASP initiative focused on scoring the severity of agentic AI vulnerabilities. Its founding members are recognized here as OWASP founding members in the agentic AI security space; many of them have also contributed directly to the Agentic Skills Top 10 project’s research and review process.
Sunil Agrawal
Chief Information Security Officer, Glean
David Ames
Partner, PwC
Michael Bargury
Founder and CTO, Zenity
Joshua Beck
Application Security Architect, SAS
Manish Bhatt
Security Researcher, Amazon Kuiper Security
Mark Breitenbach
Security Engineer, Dropbox
Anat Bremler-Barr
Professor of Computer Science, Tel Aviv University
Siah Burke
HIPAA Security Officer, Siah.ai
David Campbell
AI Security, Scale AI
Ying-Jung Chen
AI safety researcher, PhD, Georgia Institute of Technology
Anton Chuvakin
Security Solution Strategy, Google
Jason Clinton
CISO, Anthorphic
Adam Dawson
Staff AI Security Researcher, Dreadnode
Leon Derczynski
Principal Research Scientist, NVIDIA
Walker Lee Dimon
AI Security Researcher, MITRE
Marissa Dotter
AI Security Researcher, MITRE
Dan Goldberg
ISO Market Lead, Omnicom
David Haber
CEO, Lakera
Idan Habler
Staff AI/ML Security Researcher, Intuit
Jason Haddix
Founder, Arcanum Information Security
Keith Hoodlet
Director of AI/ML & AppSec, Trail of Bits
Ken Huang
AIVSS Project Lead, OWASP
Chris Hughes
CEO, Aquia
Charles Iheagwara
AI/ML Security Leader, AstraZeneca
Krystal Jackson
Researcher, Center for Long-Term Cybersecurity, UC Berkeley
Sushmitha Janapareddy
Director - Security Integrations, American Express
Rob Joyce
Former Cybersecurity Director of NSA, Advisor to PwC, PwC
Diana Kelley
CISO, Noma Security
Prashant Kulkarni
Lead AI Security Research Engineer, Google Cloud
Mahesh Lambe
Founder, MIT, Unify Dynamics
Edward Lee
Vice President, Lead AI Security, JP Morgan
Nate Lee
CEO, Cloudsec.ai
Vishwas Manral
CEO, Precize.ai
Daniela Muhaj
Executive-in-Residence for Research & Development, AI 2030
Vineeth Sai Narajala
Application Security, AWS
Om Narayan
AI Security Researcher, AWS
Varun Pant
Engineering and Product Leader, AI applications at the Automated Reasoning Group, AWS
Advait Patel
Senior Site Reliability Engineer (DevSecOps + Cloud + AIOps), Broadcom, IEEE
Alex Polyakov
CEO, adversa.ai
Ramesh Raskar
Professor & Director, MIT Media Lab
Ron F. Del Rosario
VP-Head of AI Security, SAP
Tal Shapira
Co-Founder & CTO, Reco AI
Akram Sheriff
Senior AI/ML Software Engineering Leader, Cisco
Samantha Siau
Security and Compliance, Anthropic
Kevin Simmonds
Partner on AI Offensive Security, PWC
Martin Stanley
NIST AI RMF Lead, Independent
Omar A. Turner
General Manager of Security, Microsoft
Apostol Vassilev
AI Research Team Supervisor, NIST
Matthew Versaggi
AI Fellow, White House Presidential Innovation Fellow
David Webb
Agency Cybersecurity Officer, Cybersecurity and Infrastructure Security Agency
Dennis Xu
Research VP, AI, Gartner
Xiaochen Zhang
Executive Director and Chief Responsible AI Officer, AI 2030
Recognition
We extend our gratitude to all founding members who have contributed to establishing this crucial framework for AI security assessment. Their vision and dedication have been instrumental in shaping the Agentic Skills Top 10 project.
Get Involved
Interested in contributing to the Agentic Skills Top 10 project? We welcome new contributors and leaders. Please see our Contribution Guidelines for more information on how to get involved.