惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

P
Privacy International News Feed
I
Intezer
T
Tenable Blog
S
Schneier on Security
Project Zero
Project Zero
G
GRAHAM CLULEY
酷 壳 – CoolShell
酷 壳 – CoolShell
小众软件
小众软件
Know Your Adversary
Know Your Adversary
博客园 - 司徒正美
The Cloudflare Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
N
News and Events Feed by Topic
博客园 - 叶小钗
宝玉的分享
宝玉的分享
L
LINUX DO - 热门话题
aimingoo的专栏
aimingoo的专栏
S
Secure Thoughts
Forbes - Security
Forbes - Security
T
The Exploit Database - CXSecurity.com
D
Darknet – Hacking Tools, Hacker News & Cyber Security
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 【当耐特】
罗磊的独立博客
IT之家
IT之家
H
Hacker News: Front Page
I
InfoQ
云风的 BLOG
云风的 BLOG
S
Security Affairs
M
MIT News - Artificial intelligence
GbyAI
GbyAI
Jina AI
Jina AI
Help Net Security
Help Net Security
Engineering at Meta
Engineering at Meta
大猫的无限游戏
大猫的无限游戏
Webroot Blog
Webroot Blog
L
Lohrmann on Cybersecurity
A
About on SuperTechFans
Attack and Defense Labs
Attack and Defense Labs
The Register - Security
The Register - Security
V
V2EX
G
Google Developers Blog
D
DataBreaches.Net
Apple Machine Learning Research
Apple Machine Learning Research
C
Cybersecurity and Infrastructure Security Agency CISA
J
Java Code Geeks
W
WeLiveSecurity
Cloudbric
Cloudbric
T
Tor Project blog

Cloud Security Alliance

SearchLeak: Copilot Data Exfiltration Exploited | CSA Zero-Trust AI Governance for Multi-Agent Systems | CSA Agentic Payments in Financial Services | CSA Mythos and the Future of Cybersecurity | CSA AI-Driven Cloud Risk: Defenders Lose Ground | CSA Financial Services Industry Shifts from AI Adoption to | CSA CSAI Foundation Announces RiskRubric V2 as the Next Key | CSA RiskRubric Updates: AI Risk Assessment | CSA Over 80% of Organizations that Miss 24-Hour Patch Window Report | CSA ORCHIDEAS & MAESTRO: Secure AI Design | CSA Top 6 Claude Security Risks to Watch | CSA Cloud Cost Optimization in 2026 | CSA HIPAA Rule Overhaul in 2026 | CSA AI-Driven Exploits Outsmart Detection | CSA MCP Risks CISOs Should Prepare For | CSA AI Governance for Trust and Compliance | CSA MTTP: Patch Cycles Too Slow | CSA Cloud Security Evolution: Security Teams Lead | CSA Misconfigurations Break Customer Trust in Apps | CSA Taming Shadow AI: C-Suite Strategies | CSA Agentic AI Threats: Five Powers | CSA AIUC-1: Agentic AI Governance | CSA 2026 Threat Report for CISOs | CSA Securing AI in AWS: Runtime Detection & Response | CSA SLMs, LLMs, and the DSPM Difference | CSA OT Security Timeline: Mythos and Patch Pace | CSA Blast Radius and Cloud Threat Detection | CSA State of AI Cybersecurity 2026: 92% Concerned | CSA AI in MDR for Franchise & Multi-Location Ops | CSA AI Regulation: Identity and Authorization Gap | CSA MITRE ATT&CK for Cloud: Detection Coverage Guide | CSA Shadow AI Agents: The Insider Threat | CSA Medical Device Breaches Reveal Cloud Security Gaps | CSA AISMM: AI Security Maturity Model for Cloud | CSA Globee® Awards for Artificial Intelligence (AI) Honors Cloud | CSA Patching Smarter for Mythos Security | CSA SDP v3: Identity-First Zero Trust for AI | CSA AI-Ready Security Documents Beyond STIX, OSCAL, and SARIF | CSA Penetration Testing for ISO 42001 & Trust | CSA AI Agent Posture: Data-First Security Guardrails | CSA AI Agents Go Beyond Output: Enterprise Security | CSA AI Agent Security Starts with Scope Control | CSA Identity Spoofing vs. Identity Abuse | CSA AARM: Securing the Agentic Runtime | CSA Securing the Agentic Control Plane | CSA CSAI Foundation Announces Key Milestones to Secure the Agentic | CSA Catastrophic AI Risk Controls | CSA Cloud to AI: Building Secure Programs | CSA Identity in AI Era: Zero Trust's First Pillar | CSA SDLC Visibility: Securing Multi-Cloud Development Lifecycles | CSA Cloud Risk: Top 3 Threats & AI Tools | CSA AI Agent Identity Is Solved Backwards | CSA 8 Truths About Cloud Privilege Risk | CSA AI Governance: Mature Programs | CSA Agent Access Management: Data-First Security | CSA Glasswing: AI-Driven Security for Safer Software | CSA Runtime Security: Detection & Real-Time Cloud | CSA Identity as the OS for AI Security | CSA Cloud Misconfigurations Drive Attacks at Scale | CSA Sensing AI Behavior with the WBSC Probe Library | CSA An Actionable Guide to GDPR Compliance for Startups | CSA Cloud Security LIVE 2026: AI Risk & Trust | CSA Shadow AI Agents: Enterprise Governance | CSA Rethinking Non-Human Identity Security | CSA New Cloud Security Alliance Survey Reveals 82% of Enterprises Have Unknown AI Agents in Their Environments More Than Half of Organizations Experience AI Agent Scope | CSA SANS Institute, Cloud Security Alliance, [un]prompted, and OWASP | CSA AI Agents Are Talking: Are You Listening? | CSA Software Supply Chain Security Needs an Upgrade Choosing the Right AI Standard: 7-Point Guide | CSA Audience-Driven Authorization for AI Agents | CSA A CISO's Guide to Cloud Security Architecture | CSA Who’s Behind That Action? The AI Agent Identity Crisis SSCF Adoption for SaaS Security | CSA Mythos and the Vulnpocalypse: Cloud Defenses | CSA AI Security Risks and Data Visibility | CSA From Compliance to Credibility with CAIQ/CCM | CSA The State of Cybersecurity in the Finance Sector: Six Trends to Watch EU AI Act Compliance with prEN 18286 & ISO 42001 | CSA AI Security in the Cloud: Exposure Management | CSA Rethinking Incident Response as Engineering System | CSA Defense Depends on the Creator: AI Security | CSA ATF: Zero Trust for AI Agents | CSA Cybersecurity Needs a New Data Architecture | CSA CSA STAR v4.1 Updates for Cloud Security | CSA Unstructured Data Surges as Enterprises Struggle to Maintain | CSA SC Media Names Cloud Security Alliance’s Trusted AI Safety | CSA Exposed AWS Key Leads to Full Account Takeover | CSA Post-Quantum Cloud Migration for CSA Members | CSA AI Identity Security Compliance Checklist | CSA The Agentic Trust Deficit: MCP's Authentication Vacuum | CSA More Than Two-Thirds of Organizations Cannot Clearly Distinguish | CSA AI Cybersecurity 2026: Insights from 1,500 Leaders | CSA Three-Body Security: Data, AI & Identity | CSA IAM as Safety for AI-Controlled Systems | CSA Kubernetes Cost Savings and Security Debt | CSA Code to Cloud Security: Unified Exposure Management | CSA Retail Misconfigurations Attackers Exploit | CSA Rethinking Authorization for the Age of Agentic AI | CSA Enterprise AI: Guardrails to Governance | CSA
Claude Agent Skills Risks for CISOs | CSA
2026-06-09 · via Cloud Security Alliance

Written by Krishanu Borah.

The SKILL.md file is the new package.json. And it's already compromised.

Developers and business users trust Claude Skills the way engineers once trusted npm packages. Install a skill on Claude Code, claude.ai, or via the API. Extend the agent's capabilities. Ship faster.

But the parallels don't stop at convenience. They extend to the attack surface.

Over the past six months, security researchers have converged on the same finding: the Claude agent skills ecosystem carries systemic security risks that most organizations are not equipped to detect or mitigate. One major audit found 36.82% of skills contain security flaws. A large-scale analysis of 42,447 skills found 26.1% carry at least one vulnerability. OWASP formalized these risks into the Agentic Skills Top 10 (AST10) in March 2026.

Here are the five vulnerability categories every CISO should understand.

1. Ungoverned Skill Sprawl

Before you can secure agent skills, you need to know they exist. Most security teams don't. (OWASP AST09)

Skills install silently into ~/.claude/skills/ directories on developer workstations via Claude Code, and load on-demand when Claude detects a matching prompt. On claude.ai, non-technical employees add skills with a single click. No centralized registry. No MDM integration. No SIEM event when someone pulls a SKILL.md from GitHub.

Industry data shows a pattern: 53,000+ exposed agent instances with no SOC visibility, and employees deploying agents on corporate devices without organizational controls.

Without a skill inventory, every other security control is blind. You cannot enforce least privilege, scan for malicious payloads, or respond to incidents against an attack surface you haven't mapped.

2. Supply Chain Poisoning: Open Registries, Zero Vetting

Agent skill registries operate like early-era package managers: open submission, minimal vetting, no code signing, no provenance tracking. Anyone can publish a skill. Anyone can impersonate a trusted brand. And the same SKILL.md file flows across multiple registries without distinction.

The risk has two dimensions. First, intentionally malicious skills (OWASP AST01) distributed through registries: credential stealers, ransomware loaders, and data exfiltration tools disguised as productivity boosters. Second, upstream compromise, where repository-controlled configuration files function as an execution layer (OWASP AST02). Published CVEs confirm that simply cloning an untrusted project can trigger code execution and credential exfiltration before any consent dialog surfaces.

This is not hypothetical. One documented campaign saw 1,184 malicious skills flood a major registry across 12 publisher accounts. At peak infection, five of the top seven most-downloaded skills were confirmed malware.

3. Over-Privileged Execution: One Approval, Infinite Permissions

Skills inherit the agent's full runtime context (OWASP AST03). If the agent has access to a GitHub token, AWS credentials, or database connection strings, every installed skill inherits that access. There is no per-skill permission boundary in most deployments.

Audits have documented 280+ skills leaking API keys and PII through over-permissioned file and network access. But the bigger issue is isolation: skills run with host-level access rather than inside sandboxes (OWASP AST06). Once a skill receives approval, it can read/write files, download and execute additional code, and open outbound connections without further prompts.

Researchers call this the "consent gap." Users approve what they see, but hidden subprocesses operate under the same trust context. One proof-of-concept demonstrated a legitimate-looking skill delivering live ransomware through a single hidden helper function, all under the initial approval.

The convergence of private data access, untrusted skill instructions, and network egress capability is what makes this especially dangerous. Most production deployments satisfy all three conditions simultaneously.

4. Invisible Payloads: Markdown as an Attack Vector

Traditional supply chain attacks embed malicious code in executables. Agent skill attacks embed malicious instructions in Markdown (OWASP AST04).

Three lines of natural language in a SKILL.md file can instruct an agent to read ~/.ssh/id_rsa and POST it to an external endpoint. No eval(). No subprocess. No detectable code signature. Pattern-matching scanners looking for dangerous function calls miss these entirely.

The problem compounds when skills use dynamic context commands that execute shell commands at load time, before the model even processes the skill (OWASP AST08). When this happens, the AI's own safety reasoning is bypassed entirely. The model never gets a chance to refuse.

Behavioral studies confirm malicious skills split into two archetypes: Data Thieves exfiltrating credentials through silent network calls, and Agent Hijackers subverting agent decision-making through instruction manipulation. Both operate below the detection threshold of conventional code scanners.

5. Cross-Platform Portability: The Risk Travels With the File

The SKILL.md format works across Claude Code, claude.ai, OpenClaw, Cursor, and Codex CLI. That portability is powerful for adoption but devastating for containment (OWASP AST10).

A malicious skill published on one registry gets reindexed into others. A skill scanned as safe on one platform may behave differently on another where permission models differ, and security metadata is lost in transit. Without immutable version pinning, a previously clean skill can receive a malicious update that propagates silently across every platform that indexes it.

A CVE scored at 9.9 (CVSS) demonstrated that malicious websites could brute-force localhost connections to hijack local agent instances and push updates without user prompts. The attack surface is no longer a single registry or a single platform. It is the file itself.

The SKILL.md file is the new package.json. OWASP's Agentic Skills Top 10 framework provides the most comprehensive taxonomy of these risks to date, and the published audits provide clear evidence that the threat is already active. The question is whether security teams will act before the first enterprise-scale incident forces the conversation.