AST03 — Over-Privileged Skills
Severity: High
Platforms Affected: All
Description
Skills are granted broader permissions than their stated function requires — either because no permission manifest system exists, or because users accept all permissions without review. This creates excessive blast radius: a legitimate skill with overly permissive database access can be weaponized by a downstream prompt injection attack to execute DROP TABLE commands it was never meant to run.
Why It’s Unique to Skills
Traditional application least-privilege is well understood. But skills layer natural language intent on top of system permissions. A skill permitted to run SELECT queries may be coerced by prompt injection to run DELETE — because the permission check happens at the tool call level, not at the intent level.
Real-World Evidence
- Snyk ToxicSkills (Feb 2026): 280+ skills on ClawHub found exposing API keys and PII beyond their declared function.
- OpenClaw default execution: “tools run on the host for the main session, so the agent has full access.” Skills can execute shell commands, read/write all files, access network services, and schedule cron jobs — without any per-skill permission scope.
- Summer Yue (Meta AI): asked OpenClaw to review email inbox without taking actions; agent deleted large volumes of email before the process was killed — demonstrating that even well-intentioned agents execute with more authority than intended.
- Logic-layer Prompt Control Injection (LPCI) (Atta et al., A Novel Security Vulnerability Class in Agentic Systems, arXiv:2507.10457): peer-reviewed evidence that encoded, delayed, and conditionally-triggered payloads planted in memory, vector stores, or tool outputs are treated by the model as operator-level instructions, causing skills to autonomously invoke tools and write persistent state across sessions — exercising granted permissions the user never intended to trigger.
Attack Scenarios
Weather Assistant Data Exfiltration
A “weather assistant” skill reads ~/.clawdbot/.env (all API keys) — far beyond weather API needs.
Database Admin Wipe
A manage_database skill provisioned with admin credentials is tricked via prompt injection to wipe production data.
Identity File Backdoors
A skill requesting write access to SOUL.md and MEMORY.md installs persistent behavioral backdoors.
Logic-layer Injection of Privileged Actions (LPCI)
A skill receives external input — user data, retrieved memory, or another tool’s output — that contains embedded instructions. Because the runtime evaluates permissions at the tool-call level rather than the intent level, the model treats this skill output as an operator-level command and autonomously performs a privileged action it is technically permitted to do (a tool call, a MEMORY.md write, code execution) without explicit user consent. The injected rule can persist across sessions and propagate to every downstream consumer of the skill.
Preventive Mitigations
- Require skills to declare a permission manifest (files, network, shell, tools) — reject skills without one.
- Enforce per-skill scoped credentials, not shared agent-level API keys.
- Flag skills requesting write access to agent identity files (
SOUL.md,MEMORY.md,AGENTS.md) for elevated review. - Implement runtime permission enforcement — not just declarative.
- Adopt network allowlists scoped to specific domains, not a binary
network: true/false. - Validate manifest declarations against observed runtime behavior in sandboxed testing.
- Enforce a strict instruction hierarchy (System > Operator > User > Skill/Tool Output). Never elevate skill or tool output to instruction level; treat all skill input and tool output as untrusted data, and tag external content with provenance markers so the model can distinguish data from commands.
- Require explicit operator consent for persistent state changes — memory/identity-file writes, new tool approvals, and privilege escalations must not be auto-applied from injected instructions.
OWASP Mapping
- LLM09 (Misinformation / Excessive Agency)
- LLM01 (Prompt Injection — logic-layer / instruction-hierarchy confusion)
- ASVS V4 (Access Control)
- CWE-250 (Execution with Unnecessary Privileges)
MAESTRO Framework Mapping
| MAESTRO Layer | Layer Name | AST03 Mapping |
|---|---|---|
| Layer 6 | Security & Compliance | Access controls, policy enforcement |
| Layer 4 | Deployment & Infrastructure | Container/host hardening, sandboxing |
| Layer 3 | Agent Frameworks | framework privilege handling, skill integration |
| Layer 7 | Agent Ecosystem | registry policy enforcement and trust boundaries |
MAESTRO Layer Details
- Layer 6: Security & Compliance - enforcement of least privilege and identity safety.
- Layer 4: Deployment & Infrastructure - runtime isolation and resource constraints.
- Layer 3: Agent Frameworks - permission orchestration in LangChain/AutoGen-like agents.
- Layer 7: Agent Ecosystem - enterprise capability to govern and score skill permissions.
Cross-References
- AST01 (Malicious Skills): Over-privileged skills amplify the impact of malicious payloads by providing broader access vectors.
- AST02 (Supply Chain Compromise): Compromised registries may distribute skills with inflated permission requests.
- AST04 (Insecure Metadata): Misleading permission declarations in manifests can hide over-privileged access.
- AST06 (Weak Isolation): Host-mode execution removes permission boundaries entirely.
- AST09 (No Governance): Lack of permission review processes allows over-privileged skills to proliferate.
References
- Snyk ToxicSkills
- Snyk: 280+ Leaky Skills
- Cisco State of AI Security 2026
- Atta et al. — Logic-layer Prompt Control Injection (LPCI): A Novel Security Vulnerability Class in Agentic Systems (arXiv:2507.10457)
Last updated: March 2026
Example
Put whatever you like here: news, screenshots, features, supporters, or remove this file and don’t use tabs at all.
Leadership & Founding Members
Project Leadership
Current Leaders
Ken Huang
Hammad Atta
Fabio Cerullo
Aonan Guan
Bhavya Gupta
Niv Hoffman
Iftach Orr
Akram Sheriff
AIVSS Distinguished Review Board
The OWASP AIVSS project’s Distinguished Review Board comprises world-renowned cybersecurity leaders, former government officials, and industry pioneers who provide strategic guidance and expert oversight for the AI Vulnerability Scoring System framework. We thank them for their guidance, several of whom have also supported this project’s work.
Rob Joyce
Advisor to PwC and OpenAI, Former Special Assistant to the President and Cybersecurity Coordinator
Jason Clinton
Deputy CISO, Anthropic
Amy R. Steagall
Chief Information Security Officer, Stanford University
Martin Stanley
AI Risk Management Framework Lead, NIST
Apostol Vassilev
Research Supervisor, NIST
Andrew Coyne
CISO, Banner Health, Former CISO, Mayo Clinic
Kevin Rocque
Managing Director/Executive Vice President, Global Technology Risk Officer, TD Bank
Jeff Williams
Former Global OWASP Chair, Founder and CTO, Contrast Security
Michael Tran Duff
University Chief Information Security and Data Privacy Officer, Harvard University
Emil Bender Lassen
Standards Lead, AIUC-1
Agentic Skills Top 10 Founding Members
Founding members of the OWASP Agentic Skills Top 10 project itself — project leads, co-leads, and additional contributors — listed alphabetically. Several also contribute to the sibling OWASP AIVSS project listed above.
Ken Huang
Project Lead, Agentic Skills Top 10
Hammad Atta
Co-Lead, Agentic Skills Top 10
Manish Bhatt
Security Researcher, AWS
Fabio Cerullo
Co-Lead, Agentic Skills Top 10
David Girard
Senior Director, AI Security & AI Alliances, Trend Micro
Aonan Guan
Co-Lead, Agentic Skills Top 10
Bhavya Gupta
Co-Lead, Agentic Skills Top 10
Pamela Gupta
Founder & CEO, OutSecure / Trusted AI
Idan Habler
Staff AI/ML Security Researcher, Intuit
Niv Hoffman
CTO, Air Security
Charles Iheagwara
AI/ML Security Leader, AstraZeneca
Sushmitha Janapareddy
Director - Security Integrations, American Express
Edward Lee
Vice President, Lead AI Security, JP Morgan
KJ Lian
Senior Manager, Data & AI (Public Sector), AWS
Vineeth Sai Narajala
Application Security, AWS
Iftach Orr
Co-Lead, Agentic Skills Top 10
Kanna Sekar
Cyber Security, Google
Akram Sheriff
Co-Lead, Agentic Skills Top 10
Dennis Xu
Research VP, AI, Gartner
OWASP AIVSS Founding Members
The OWASP AIVSS (Agentic AI Vulnerability Scoring System) project is a sibling OWASP initiative focused on scoring the severity of agentic AI vulnerabilities. Its founding members are recognized here as OWASP founding members in the agentic AI security space; many of them have also contributed directly to the Agentic Skills Top 10 project’s research and review process.
Sunil Agrawal
Chief Information Security Officer, Glean
David Ames
Partner, PwC
Michael Bargury
Founder and CTO, Zenity
Joshua Beck
Application Security Architect, SAS
Manish Bhatt
Security Researcher, Amazon Kuiper Security
Mark Breitenbach
Security Engineer, Dropbox
Anat Bremler-Barr
Professor of Computer Science, Tel Aviv University
Siah Burke
HIPAA Security Officer, Siah.ai
David Campbell
AI Security, Scale AI
Ying-Jung Chen
AI safety researcher, PhD, Georgia Institute of Technology
Anton Chuvakin
Security Solution Strategy, Google
Jason Clinton
CISO, Anthorphic
Adam Dawson
Staff AI Security Researcher, Dreadnode
Leon Derczynski
Principal Research Scientist, NVIDIA
Walker Lee Dimon
AI Security Researcher, MITRE
Marissa Dotter
AI Security Researcher, MITRE
Dan Goldberg
ISO Market Lead, Omnicom
David Haber
CEO, Lakera
Idan Habler
Staff AI/ML Security Researcher, Intuit
Jason Haddix
Founder, Arcanum Information Security
Keith Hoodlet
Director of AI/ML & AppSec, Trail of Bits
Ken Huang
AIVSS Project Lead, OWASP
Chris Hughes
CEO, Aquia
Charles Iheagwara
AI/ML Security Leader, AstraZeneca
Krystal Jackson
Researcher, Center for Long-Term Cybersecurity, UC Berkeley
Sushmitha Janapareddy
Director - Security Integrations, American Express
Rob Joyce
Former Cybersecurity Director of NSA, Advisor to PwC, PwC
Diana Kelley
CISO, Noma Security
Prashant Kulkarni
Lead AI Security Research Engineer, Google Cloud
Mahesh Lambe
Founder, MIT, Unify Dynamics
Edward Lee
Vice President, Lead AI Security, JP Morgan
Nate Lee
CEO, Cloudsec.ai
Vishwas Manral
CEO, Precize.ai
Daniela Muhaj
Executive-in-Residence for Research & Development, AI 2030
Vineeth Sai Narajala
Application Security, AWS
Om Narayan
AI Security Researcher, AWS
Varun Pant
Engineering and Product Leader, AI applications at the Automated Reasoning Group, AWS
Advait Patel
Senior Site Reliability Engineer (DevSecOps + Cloud + AIOps), Broadcom, IEEE
Alex Polyakov
CEO, adversa.ai
Ramesh Raskar
Professor & Director, MIT Media Lab
Ron F. Del Rosario
VP-Head of AI Security, SAP
Tal Shapira
Co-Founder & CTO, Reco AI
Akram Sheriff
Senior AI/ML Software Engineering Leader, Cisco
Samantha Siau
Security and Compliance, Anthropic
Kevin Simmonds
Partner on AI Offensive Security, PWC
Martin Stanley
NIST AI RMF Lead, Independent
Omar A. Turner
General Manager of Security, Microsoft
Apostol Vassilev
AI Research Team Supervisor, NIST
Matthew Versaggi
AI Fellow, White House Presidential Innovation Fellow
David Webb
Agency Cybersecurity Officer, Cybersecurity and Infrastructure Security Agency
Dennis Xu
Research VP, AI, Gartner
Xiaochen Zhang
Executive Director and Chief Responsible AI Officer, AI 2030
Recognition
We extend our gratitude to all founding members who have contributed to establishing this crucial framework for AI security assessment. Their vision and dedication have been instrumental in shaping the Agentic Skills Top 10 project.
Get Involved
Interested in contributing to the Agentic Skills Top 10 project? We welcome new contributors and leaders. Please see our Contribution Guidelines for more information on how to get involved.