AST03 — Over-Privileged Skills

Severity: High
Platforms Affected: All

Description

Skills are granted broader permissions than their stated function requires — either because no permission manifest system exists, or because users accept all permissions without review. This creates excessive blast radius: a legitimate skill with overly permissive database access can be weaponized by a downstream prompt injection attack to execute DROP TABLE commands it was never meant to run.

Why It’s Unique to Skills

Traditional application least-privilege is well understood. But skills layer natural language intent on top of system permissions. A skill permitted to run SELECT queries may be coerced by prompt injection to run DELETE — because the permission check happens at the tool call level, not at the intent level.

Real-World Evidence

  • Snyk ToxicSkills (Feb 2026): 280+ skills on ClawHub found exposing API keys and PII beyond their declared function.
  • OpenClaw default execution: “tools run on the host for the main session, so the agent has full access.” Skills can execute shell commands, read/write all files, access network services, and schedule cron jobs — without any per-skill permission scope.
  • Summer Yue (Meta AI): asked OpenClaw to review email inbox without taking actions; agent deleted large volumes of email before the process was killed — demonstrating that even well-intentioned agents execute with more authority than intended.
  • Logic-layer Prompt Control Injection (LPCI) (Atta et al., A Novel Security Vulnerability Class in Agentic Systems, arXiv:2507.10457): peer-reviewed evidence that encoded, delayed, and conditionally-triggered payloads planted in memory, vector stores, or tool outputs are treated by the model as operator-level instructions, causing skills to autonomously invoke tools and write persistent state across sessions — exercising granted permissions the user never intended to trigger.

Attack Scenarios

Weather Assistant Data Exfiltration

A “weather assistant” skill reads ~/.clawdbot/.env (all API keys) — far beyond weather API needs.

Database Admin Wipe

A manage_database skill provisioned with admin credentials is tricked via prompt injection to wipe production data.

Identity File Backdoors

A skill requesting write access to SOUL.md and MEMORY.md installs persistent behavioral backdoors.

Logic-layer Injection of Privileged Actions (LPCI)

A skill receives external input — user data, retrieved memory, or another tool’s output — that contains embedded instructions. Because the runtime evaluates permissions at the tool-call level rather than the intent level, the model treats this skill output as an operator-level command and autonomously performs a privileged action it is technically permitted to do (a tool call, a MEMORY.md write, code execution) without explicit user consent. The injected rule can persist across sessions and propagate to every downstream consumer of the skill.

Preventive Mitigations

  1. Require skills to declare a permission manifest (files, network, shell, tools) — reject skills without one.
  2. Enforce per-skill scoped credentials, not shared agent-level API keys.
  3. Flag skills requesting write access to agent identity files (SOUL.md, MEMORY.md, AGENTS.md) for elevated review.
  4. Implement runtime permission enforcement — not just declarative.
  5. Adopt network allowlists scoped to specific domains, not a binary network: true/false.
  6. Validate manifest declarations against observed runtime behavior in sandboxed testing.
  7. Enforce a strict instruction hierarchy (System > Operator > User > Skill/Tool Output). Never elevate skill or tool output to instruction level; treat all skill input and tool output as untrusted data, and tag external content with provenance markers so the model can distinguish data from commands.
  8. Require explicit operator consent for persistent state changes — memory/identity-file writes, new tool approvals, and privilege escalations must not be auto-applied from injected instructions.

OWASP Mapping

  • LLM09 (Misinformation / Excessive Agency)
  • LLM01 (Prompt Injection — logic-layer / instruction-hierarchy confusion)
  • ASVS V4 (Access Control)
  • CWE-250 (Execution with Unnecessary Privileges)

MAESTRO Framework Mapping

MAESTRO Layer Layer Name AST03 Mapping
Layer 6 Security & Compliance Access controls, policy enforcement
Layer 4 Deployment & Infrastructure Container/host hardening, sandboxing
Layer 3 Agent Frameworks framework privilege handling, skill integration
Layer 7 Agent Ecosystem registry policy enforcement and trust boundaries

MAESTRO Layer Details

  • Layer 6: Security & Compliance - enforcement of least privilege and identity safety.
  • Layer 4: Deployment & Infrastructure - runtime isolation and resource constraints.
  • Layer 3: Agent Frameworks - permission orchestration in LangChain/AutoGen-like agents.
  • Layer 7: Agent Ecosystem - enterprise capability to govern and score skill permissions.

Cross-References

  • AST01 (Malicious Skills): Over-privileged skills amplify the impact of malicious payloads by providing broader access vectors.
  • AST02 (Supply Chain Compromise): Compromised registries may distribute skills with inflated permission requests.
  • AST04 (Insecure Metadata): Misleading permission declarations in manifests can hide over-privileged access.
  • AST06 (Weak Isolation): Host-mode execution removes permission boundaries entirely.
  • AST09 (No Governance): Lack of permission review processes allows over-privileged skills to proliferate.

References


Last updated: March 2026


Example

Put whatever you like here: news, screenshots, features, supporters, or remove this file and don’t use tabs at all.


Leadership & Founding Members

Project Leadership

Current Leaders

Ken Huang

Ken Huang

Hammad Atta

Hammad Atta

Fabio Cerullo

Fabio Cerullo

Aonan Guan

Aonan Guan

Bhavya Gupta

Bhavya Gupta

Niv Hoffman

Niv Hoffman

Iftach Orr

Iftach Orr

Akram Sheriff

Akram Sheriff

AIVSS Distinguished Review Board

The OWASP AIVSS project’s Distinguished Review Board comprises world-renowned cybersecurity leaders, former government officials, and industry pioneers who provide strategic guidance and expert oversight for the AI Vulnerability Scoring System framework. We thank them for their guidance, several of whom have also supported this project’s work.

Rob Joyce

Rob Joyce

Advisor to PwC and OpenAI, Former Special Assistant to the President and Cybersecurity Coordinator

Jason Clinton

Jason Clinton

Deputy CISO, Anthropic

Amy R. Steagall

Amy R. Steagall

Chief Information Security Officer, Stanford University

Martin Stanley

Martin Stanley

AI Risk Management Framework Lead, NIST

Apostol Vassilev

Apostol Vassilev

Research Supervisor, NIST

Andrew Coyne

Andrew Coyne

CISO, Banner Health, Former CISO, Mayo Clinic

Kevin Rocque

Kevin Rocque

Managing Director/Executive Vice President, Global Technology Risk Officer, TD Bank

Jeff Williams

Jeff Williams

Former Global OWASP Chair, Founder and CTO, Contrast Security

Michael Tran Duff

Michael Tran Duff

University Chief Information Security and Data Privacy Officer, Harvard University

Emil Bender Lassen

Emil Bender Lassen

Standards Lead, AIUC-1

Agentic Skills Top 10 Founding Members

Founding members of the OWASP Agentic Skills Top 10 project itself — project leads, co-leads, and additional contributors — listed alphabetically. Several also contribute to the sibling OWASP AIVSS project listed above.

Ken Huang

Ken Huang

Project Lead, Agentic Skills Top 10

Hammad Atta

Hammad Atta

Co-Lead, Agentic Skills Top 10

Manish Bhatt

Manish Bhatt

Security Researcher, AWS

Fabio Cerullo

Fabio Cerullo

Co-Lead, Agentic Skills Top 10

David Girard

David Girard

Senior Director, AI Security & AI Alliances, Trend Micro

Aonan Guan

Aonan Guan

Co-Lead, Agentic Skills Top 10

Bhavya Gupta

Bhavya Gupta

Co-Lead, Agentic Skills Top 10

Pamela Gupta

Pamela Gupta

Founder & CEO, OutSecure / Trusted AI

Idan Habler

Idan Habler

Staff AI/ML Security Researcher, Intuit

Niv Hoffman

Niv Hoffman

CTO, Air Security

Charles Iheagwara

Charles Iheagwara

AI/ML Security Leader, AstraZeneca

Sushmitha Janapareddy

Sushmitha Janapareddy

Director - Security Integrations, American Express

Edward Lee

Edward Lee

Vice President, Lead AI Security, JP Morgan

KJ Lian

KJ Lian

Senior Manager, Data & AI (Public Sector), AWS

Vineeth Sai Narajala

Vineeth Sai Narajala

Application Security, AWS

Iftach Orr

Iftach Orr

Co-Lead, Agentic Skills Top 10

Kanna Sekar

Kanna Sekar

Cyber Security, Google

Akram Sheriff

Akram Sheriff

Co-Lead, Agentic Skills Top 10

Dennis Xu

Dennis Xu

Research VP, AI, Gartner

OWASP AIVSS Founding Members

The OWASP AIVSS (Agentic AI Vulnerability Scoring System) project is a sibling OWASP initiative focused on scoring the severity of agentic AI vulnerabilities. Its founding members are recognized here as OWASP founding members in the agentic AI security space; many of them have also contributed directly to the Agentic Skills Top 10 project’s research and review process.

Sunil Agrawal

Sunil Agrawal

Chief Information Security Officer, Glean

David Ames

David Ames

Partner, PwC

Michael Bargury

Michael Bargury

Founder and CTO, Zenity

Joshua Beck

Joshua Beck

Application Security Architect, SAS

Manish Bhatt

Manish Bhatt

Security Researcher, Amazon Kuiper Security

Mark Breitenbach

Mark Breitenbach

Security Engineer, Dropbox

Anat Bremler-Barr

Anat Bremler-Barr

Professor of Computer Science, Tel Aviv University

Siah Burke

Siah Burke

HIPAA Security Officer, Siah.ai

David Campbell

David Campbell

AI Security, Scale AI

Ying-Jung Chen

Ying-Jung Chen

AI safety researcher, PhD, Georgia Institute of Technology

Anton Chuvakin

Anton Chuvakin

Security Solution Strategy, Google

Jason Clinton

Jason Clinton

CISO, Anthorphic

Adam Dawson

Adam Dawson

Staff AI Security Researcher, Dreadnode

Leon Derczynski

Leon Derczynski

Principal Research Scientist, NVIDIA

Walker Lee Dimon

Walker Lee Dimon

AI Security Researcher, MITRE

Marissa Dotter

Marissa Dotter

AI Security Researcher, MITRE

Dan Goldberg

Dan Goldberg

ISO Market Lead, Omnicom

David Haber

David Haber

CEO, Lakera

Idan Habler

Idan Habler

Staff AI/ML Security Researcher, Intuit

Jason Haddix

Jason Haddix

Founder, Arcanum Information Security

Keith Hoodlet

Keith Hoodlet

Director of AI/ML & AppSec, Trail of Bits

Ken Huang

Ken Huang

AIVSS Project Lead, OWASP

Chris Hughes

Chris Hughes

CEO, Aquia

Charles Iheagwara

Charles Iheagwara

AI/ML Security Leader, AstraZeneca

Krystal Jackson

Krystal Jackson

Researcher, Center for Long-Term Cybersecurity, UC Berkeley

Sushmitha Janapareddy

Sushmitha Janapareddy

Director - Security Integrations, American Express

Rob Joyce

Rob Joyce

Former Cybersecurity Director of NSA, Advisor to PwC, PwC

Diana Kelley

Diana Kelley

CISO, Noma Security

Prashant Kulkarni

Prashant Kulkarni

Lead AI Security Research Engineer, Google Cloud

Mahesh Lambe

Mahesh Lambe

Founder, MIT, Unify Dynamics

Edward Lee

Edward Lee

Vice President, Lead AI Security, JP Morgan

Nate Lee

Nate Lee

CEO, Cloudsec.ai

Vishwas Manral

Vishwas Manral

CEO, Precize.ai

Daniela Muhaj

Daniela Muhaj

Executive-in-Residence for Research & Development, AI 2030

Vineeth Sai Narajala

Vineeth Sai Narajala

Application Security, AWS

Om Narayan

Om Narayan

AI Security Researcher, AWS

Varun Pant

Varun Pant

Engineering and Product Leader, AI applications at the Automated Reasoning Group, AWS

Advait Patel

Advait Patel

Senior Site Reliability Engineer (DevSecOps + Cloud + AIOps), Broadcom, IEEE

Alex Polyakov

Alex Polyakov

CEO, adversa.ai

Ramesh Raskar

Ramesh Raskar

Professor & Director, MIT Media Lab

Ron F. Del Rosario

Ron F. Del Rosario

VP-Head of AI Security, SAP

Tal Shapira

Tal Shapira

Co-Founder & CTO, Reco AI

Akram Sheriff

Akram Sheriff

Senior AI/ML Software Engineering Leader, Cisco

Samantha Siau

Samantha Siau

Security and Compliance, Anthropic

Kevin Simmonds

Kevin Simmonds

Partner on AI Offensive Security, PWC

Martin Stanley

Martin Stanley

NIST AI RMF Lead, Independent

Omar A. Turner

Omar A. Turner

General Manager of Security, Microsoft

Apostol Vassilev

Apostol Vassilev

AI Research Team Supervisor, NIST

Matthew Versaggi

Matthew Versaggi

AI Fellow, White House Presidential Innovation Fellow

David Webb

David Webb

Agency Cybersecurity Officer, Cybersecurity and Infrastructure Security Agency

Dennis Xu

Dennis Xu

Research VP, AI, Gartner

Xiaochen Zhang

Xiaochen Zhang

Executive Director and Chief Responsible AI Officer, AI 2030

Recognition

We extend our gratitude to all founding members who have contributed to establishing this crucial framework for AI security assessment. Their vision and dedication have been instrumental in shaping the Agentic Skills Top 10 project.

Get Involved

Interested in contributing to the Agentic Skills Top 10 project? We welcome new contributors and leaders. Please see our Contribution Guidelines for more information on how to get involved.