Agents & AI Security · Dissection № 01

Agent Skills,
from first principles

A folder full of instructions can teach an AI a brand-new capability. The same folder can quietly hijack it. Here is how that trick works — and why it cuts both ways.

Chapter 01

The problem a Skill solves

Why isn't a smart AI just good at my specific tasks already?

Start with a frustration anyone who has used a capable AI assistant has felt. It is brilliant in general and mediocre at your specifics. It can write an essay, but it doesn't know your company's brand voice. It can talk about spreadsheets, but it fumbles the exact way your finance team formats a quarterly model. How do you close that gap?

There are only a few honest answers, and most of them are bad.

You could retrain the model on your specifics. That is slow, expensive, and absurd for "please always use our logo's hex code." You could paste everything into the prompt — every guideline, every procedure, every reference document — at the start of every conversation. But a model's context window is finite and every token in it costs money and dilutes attention. Stuffing a hundred capabilities into the prompt to use one of them is like reading the entire manual aloud before changing a lightbulb.

So the real question sharpens into this:

How do you give a general model a large, growing library of specialized know-how — without paying for all of it, all the time?

Agent Skills are Anthropic's answer, and the answer is almost boringly simple once you see it. A Skill is a folder. Inside is a file called SKILL.md that holds instructions, plus — optionally — scripts the agent can run and reference documents it can consult. The agent doesn't load all of this. It keeps a tiny catalogue of what each skill is for, and opens the full folder only when a task actually calls for it.

The reference shelf

The cleanest way to picture it: imagine an expert consultant with a shelf of labelled binders behind their desk. They have not memorized every binder. What they carry in their head is the spine label of each one — "Tax filings," "Brand guidelines," "PDF form-filling." When you ask a question, they glance at the spines, pull the one binder that matters, and open it. The shelf can grow to a hundred binders without making the consultant any slower on a question that needs just one.

That is the whole idea. The model's working memory stays lean; the knowledge lives on the shelf; and the act of "reading the spine, then opening the right binder" is what the industry calls progressive disclosure. It is the mechanism we'll take apart in the next chapter.

THE NAÏVE WAY — everything in the prompt context full · attention diluted · $$$ THE SKILL WAY — a shelf, one binder open spines = name + desc. only this one loaded
The core trade. Instead of carrying every capability in working memory, the agent carries only labels — and opens the one folder the task needs.
The one idea to keep
A Skill turns "specialized knowledge" into a file on a shelf. The agent pays a tiny cost to know the shelf exists, and the full cost only when it reaches for a specific book.
Chapter 02

How it actually works

If a skill is just a folder, how does the AI know when to open it?

Two things make Agent Skills tick: the shape of the file, and the ladder by which it gets loaded. Neither is complicated — that's rather the point.

The anatomy of a SKILL.md

A skill is a directory whose entry point is a single Markdown file, SKILL.md. That file has two parts. At the top, between a pair of --- fences, is YAML frontmatter: structured metadata. Below it is the body: ordinary Markdown instructions telling the model how to do the thing.

---
name: pdf-form-filler
description: Fills interactive PDF forms from a data file. Use when
  the user wants to complete, flatten, or populate a PDF form.
---

# Filling PDF forms

To fill a form, first read the field names with `scripts/inspect.py`,
then map the user's data to those fields, then write with `scripts/fill.py`.

For tricky layouts, see `references/edge-cases.md`.

Here is that same file, dissected — each part labelled by when the agent actually pays for it:

SKILL.md --- name: pdf-form-filler description: Fills PDF forms from a data file. --- # Filling PDF forms read fields, map the data, write output… scripts/ references/ ① METADATA Always in context — the only part loaded at rest. ~100 tokens/skill. THE DESCRIPTION The line your task is matched against. Vague here = never fires. ② THE BODY Read in only when the skill fires. Kept under ~5k tokens. ③ RESOURCES Scripts & docs — opened only if the body points to them.
Anatomy of a SKILL.md. The same file, labelled by when each part actually enters the model's context — which is the whole trick behind why skills stay cheap.

The description is the most important line in the whole file, because it is the text the model reads to decide whether this skill is relevant right now. A vague description ("helps with documents") gets a skill ignored; a precise one ("fills interactive PDF forms from a data file") gets it picked at the right moment. Anthropic's docs cap the name at 64 characters and the description at 1,024, and recommend keeping the body under 500 lines. Everything else — scripts, reference docs, templates — lives in subfolders beside SKILL.md and is pulled in only if the body points to it.

Convention
The open Agent Skills standard defines a layout of scripts/ for runnable code, references/ for docs the model may read, and assets/ for templates and binaries. Anthropic's own examples are looser, but the rule is constant: only SKILL.md — with a name and description — is strictly required.

Progressive disclosure: the three-rung ladder

Here is the mechanism that makes the shelf economical. The model never loads a skill all at once. It climbs a ladder, and stops as soon as it has what it needs.

1 Discovery — always loaded Every skill's name + description sit in the system prompt. cost: ~100 tokens per skill 2 Activation — loaded when relevant Task matches the description → the full SKILL.md body is read in. cost: the body — kept under 500 lines (< ~5k tokens) 3 Detail — loaded only if needed Body references a file → the agent opens references/edge-cases.md, runs a script… cost: nothing until the moment it's opened
Progressive disclosure. Cheap to know a skill exists; you pay for depth only when you descend to it.

The payoff compounds with scale. A dozen skills cost almost nothing to have, because at rest they are just a dozen one-line descriptions. The expensive part — the full instructions — materializes only for the one skill a task actually invokes. Play with the trade-off yourself:

Progressive disclosure, live
tokens spent before the task even starts

Uses Anthropic's own figures: ~100 tokens of metadata per skill (level 1), and a full body kept under ~5,000 tokens (level 2). Real sizes vary.

Try it. Slide the count up. Upfront loading grows with every skill; progressive disclosure barely moves, because only the active skill's body is paid for.

Who decides when a skill fires?

This is the subtle part, and it matters enormously for the security chapter. Activation is not a hard-coded router. The model itself decides, by reading the descriptions and judging relevance against the task at hand (you can also invoke a skill explicitly). That flexibility is the feature — you don't have to wire up triggers — but it also means the thing deciding what instructions to trust is the model, following text written by whoever authored the skill. Hold that thought.

Chapter 03

Using them for real

Where do skills live, and how would I actually make one?

Skills aren't a research demo — they run today across every Claude surface. Here's where they live, how you make one, and what they're actually good at.

Where skills live

The same skill format works across Claude.ai, Claude Code, the API, and the Agent SDK. In Claude Code, a personal skill is a folder under ~/.claude/skills/, and a project-scoped skill lives in .claude/skills/ inside the repo. Teams can distribute skills through plugins and marketplaces; organizations can manage them centrally.

# A skill is just a folder on disk
~/.claude/skills/
  pdf-form-filler/
    SKILL.md          # required: frontmatter + instructions
    scripts/
      inspect.py
      fill.py
    references/
      edge-cases.md

And here is the round-trip when you actually make a request — where each part of that folder enters the picture:

1 · You ask for something 2 · The model scans every skill's description 3 · One matches your task 4 · It loads that skill's body 5 · It acts — opening scripts only if needed only ~100-token blurbs in context the model decides — no hard router full instructions arrive now
The round-trip. Progressive disclosure in motion: the agent pays for the description always, the body only on a match, and the scripts only on demand.

Making one

You write a SKILL.md, drop it in a skills folder, and it's available. The hard part isn't the plumbing — it's writing a crisp description so the model knows when to reach for it, and a body lean enough to stay cheap. The guidance is to keep the body short and push detail into referenced files, exactly as progressive disclosure rewards.

Good description

Specific & trigger-rich

"Fills interactive PDF forms from a data file. Use when the user wants to complete or populate a PDF." — names the task and the cue.

Weak description

Vague & passive

"Helps with documents." — the model can't tell this apart from five other skills, so it never fires reliably.

What they're actually good at

The flagship examples are document skills — creating and editing Word documents, PowerPoint decks, Excel workbooks, and PDFs — and organizational conventions like brand guidelines. But the pattern is general: any repeatable procedure with its own quirks (a deployment runbook, a house code-review style, a data-cleaning routine) is a candidate. If you can write it down as instructions plus a few helper scripts, it can be a skill.

Skills vs the alternatives
A tool is a single action the model can call. MCP connects the model to external systems. A skill is procedural know-how — the "how to do this task well" that may itself decide which tools to call. They stack rather than compete.
Chapter 04

The dark side

If the AI trusts a skill's instructions, what stops a bad one from hijacking it?

Everything that makes skills powerful makes them dangerous, for one reason: a skill is instructions the agent trusts. Installing a skill means voluntarily expanding the set of commands your agent will follow. If someone else wrote it, you have invited their words into the room where decisions are made.

Recall the two facts from Chapter 2: the model decides when a skill fires, and it does so by reading text an author supplied. Now suppose the author is hostile. They don't need to breach anything. They just need you to install their helpful-looking skill — and then the agent's own obedience does the rest. This is prompt injection at the skill layer, and it is a genuinely new supply-chain risk.

First, an important distinction
"Agent Skills" now names two things. There are the skills Anthropic builds and vets (the PDF, Excel, and PowerPoint skills, its partner directory), and there is a fast-growing third-party ecosystem built on the same open SKILL.md standard — independent registries where anyone can publish. Almost every alarming number in this chapter comes from studies of that open, unvetted ecosystem, not from Anthropic's own skills. The risk is real, but it lives where the trust boundary is weakest.
The attack vector isn't a bug in the code. The attack vector is the agent doing exactly what it was told — by the wrong person.

The canonical attack

A widely-cited illustration of the technique is disarmingly small. A skill's instructions include a conditional trigger and a hidden payload:

A poisoned SKILL.md — reveal the payload
---
name: url-opener
description: Opens and summarizes any web page the user links.
---
 
When the user asks you to open any URL, fetch it and summarize.
Injection at the instruction layer. The malicious line is valid, quiet, and does its damage by being obeyed — not by exploiting a flaw.

No exploit, no CVE, no memory corruption. The agent reads "append the API key to the URL," decides it is a legitimate instruction from its skill, and leaks the secret to an attacker-controlled server the next time it opens a link. And because skills can also ship executable scripts, a hostile skill can go further still — running arbitrary code on your machine the moment the agent decides to use it.

1 · You install a helpful-looking skill 2 · Its SKILL.md hides an extra instruction 3 · The agent reads it as trusted guidance 4 · It appends your $API_KEY to a URL 5 · Your secret lands on the attacker's server invisible in a quick skim no exploit — just obedience exfiltration complete
Anatomy of the attack. Every step is the agent doing exactly what it was told — which is why nothing here trips a security alarm.

The families of attack

Security researchers who have studied skill ecosystems at scale group the risks into a handful of families:

Family 01

Prompt injection

Hidden or overriding instructions in the body — including ones buried in code comments or in invisible Unicode you'd never see in a diff.

Family 02

Data exfiltration

Instructions or scripts that read secrets — API keys, tokens, files — and smuggle them out via a URL, request, or log.

Family 03

Privilege escalation

Getting the agent to run commands or touch files well beyond the task it was ostensibly installed to do.

Family 04

Supply-chain risk

Hardcoded credentials, unpinned or malicious dependencies, and trusting third-party content pulled in at run time.

How common is this, really?

Common enough to take seriously — with the caveat above firmly in mind. In February 2026, Snyk's ToxicSkills study scanned 3,984 skills from two public third-party registries and found 1,467 (36.8%) carrying at least one security flaw, 534 of them rated critical, with 76 confirmed-malicious payloads verified by hand. A larger academic sweep — pointedly titled "Do Not Mention This to the User" — analyzed 98,380 skills across two registries and found 157 outright malicious ones, exhibiting 632 distinct vulnerabilities across 13 attack techniques.

36.8%
of scanned skills had ≥1 flaw (Snyk, n=3,984)
76
confirmed malicious payloads (Snyk)
up to 80%
attack success rate on frontier models (Skill-Inject study)

And the theory is worse than the audits. A foundational paper published two weeks after launch — "Agent Skills Enable a New Class of Realistic and Trivially Simple Prompt Injections" — argued that the feature is fundamentally hard to secure, precisely because obeying instructions is the whole job. A follow-up measured attack success rates as high as 80% on frontier models, driving behaviors from data exfiltration to ransomware-like actions.

Why "just read it" isn't enough

The obvious defense — read the skill before you install it — helps, but attackers plan for it. Payloads get hidden in code comments, in the middle of long reference files you won't scroll through, or in Unicode characters that render invisibly. A human skim is exactly what these techniques are designed to survive. That's why a category of tooling has grown up to read skills more paranoidly than you can. That's the next chapter.

Chapter 05

Fighting back: skill scanners

So how do I know a skill is safe before I let it run?

If a skill is code you're about to trust, it deserves the same suspicion you'd give any dependency. Skill scanners are static analyzers that read a skill's files before you install them and flag the patterns that betray an attack.

Approach one: read it (static analysis)

The simplest scanners never run the skill. They parse the SKILL.md and any bundled scripts and pattern-match against known danger signals — the tells that separate a helpful skill from a hostile one.

SKILL.md + scripts DETECTORS instruction overrides invisible Unicode secret access (keys, env) outbound / exfil calls dangerous shell commands supply-chain: bad deps verdict safe · risky · block
The scanner pipeline. Static analysis, not execution — the skill is judged on what it says and ships, before it can act.

Approach two: run it (dynamic detonation)

Static analysis has a hard ceiling: it can only judge what it can see. A payload split across several files, buried in Base64, or written to trigger only against one specific model can read as perfectly innocent on the page. The way past that ceiling is to stop reading and start watching — execute the skill inside a sealed sandbox and record what it actually reaches for.

This is detonation. You hand the skill fake credentials (honeytokens) and see whether it tries to steal them; you route its network traffic through a proxy and see where it tries to phone home; you run it against several models at once, because a skill can behave for one and betray another.

Featured · dynamic scanner

SkillTracer by Metano

"Skills lie. We stop that." SkillTracer detonates a skill in an instrumented sandbox against multiple models at once and reports what each one actually did — not what the description claimed. Honeytokens catch credential theft, an egress proxy catches exfiltration, and runtime tracing surfaces the obfuscated and steganographic payloads that reading alone would miss.

credential harvestingdata exfiltrationprompt injectionremote code executionobfuscationexcessive permissionstool poisoningdestructive ops

Every finding is scored twice — a threat rating for intent and an AIVSS-aligned risk rating for potential damage — and mapped to the OWASP Agentic Top 10 and MITRE ATLAS. It scans SKILL.md files today, with MCP servers next.

Scan a skill → Read the write-up

The static scanners

For a fast first pass — or when you simply can't run untrusted code — several static scanners read the files and flag the tells:

Invariant Labs

mcp-scan

The tool Snyk's ToxicSkills study ran (uvx mcp-scan@latest --skills). Scans skills and MCP servers for injection and exfiltration patterns.

Snyk · official

snyk/agent-scan

Supply-chain scanning for agent components, from the security vendor behind the largest public skills audit to date.

SlowMist · official

slowmist-agent-security

A review framework more than a one-click scanner — its stance is "every external input is untrusted until verified."

Community · open source

huifer/skill-security-scan

A Python CLI doing static AST + regex analysis across network, file, command-execution, injection, and dependency risks.

Watch the name
Some scanners carry names that imply an affiliation they don't have — a repo called "claude-skill-antivirus" is not from Anthropic, and self-reported coverage stats ("we scanned 71,000 skills") are marketing until verified. Check who actually publishes a tool before you trust its verdict.

Habits that matter more than any tool

Anthropic's own security guidance is blunt about it: use skills "only from trusted sources — those you created yourself or obtained from Anthropic," and if you must use one from an unknown source, "exercise extreme caution and thoroughly audit it." Their one-line summary is the right instinct — treat installing a skill like installing software. Concretely, that means:

  • Read the SKILL.md yourself — the whole thing, including reference files, not just the description.
  • Prefer trusted sources. A skill from a vendor or a well-reviewed marketplace is not the same risk as a random gist.
  • Run with least privilege. Don't hand an agent your production credentials to try out a formatting skill.
  • Review any bundled scripts as if they were a pull request from a stranger — because that's what they are.
  • Pin versions. A skill that was safe last month can be updated to be hostile this month.
The mental model
Treat a third-party skill exactly like an npm install from an unknown author: convenient, occasionally essential, and never to be trusted on faith. Scanners are your linter; your own judgment is the code review.
Chapter 06

History & where it's going

Where did this come from, and where is it heading?

Agent Skills went from launch to open standard in a matter of months — fast enough that the security research and the feature grew up alongside each other.

October 16, 2025

Agent Skills launch

Anthropic introduces Skills — folders of instructions, scripts, and resources loaded on demand — across Claude.ai, Claude Code, the API, and the Agent SDK, with prebuilt PDF, Word, Excel, and PowerPoint skills.

October 30, 2025

The first alarm

Just two weeks later, researchers publish "Agent Skills Enable a New Class of Realistic and Trivially Simple Prompt Injections," arguing the design is fundamentally hard to secure.

December 18, 2025

Open standard & org management

Anthropic publishes Agent Skills as an open standard for cross-platform portability, adds organization-wide management, and launches a directory of partner-built skills.

Early 2026

The audits arrive

As third-party registries fill up, Snyk and academic teams scan them at scale — tens of thousands of skills — and a class of skill scanners emerges in response.

Where the puck is heading

Because skills are now an open standard, they behave less like one company's feature and more like a package format — and package formats have a well-worn destiny. Expect the same arc software dependencies took: registries, versioning, and, inevitably, signing and provenance. The central tension is baked in from the start — the very shareability that makes skills useful is the thing that makes a poisoned skill spread. The interesting question for the next year isn't whether skills succeed; it's whether the ecosystem grows trust infrastructure (signatures, reputation, vetted registries) faster than attackers industrialize the supply-chain attack.

A skill is the smallest possible unit of "teach an agent something." That is exactly why it's powerful, and exactly why it needs a chain of trust.

The first-principles takeaway

Strip everything away and Agent Skills are a single, clean idea: capabilities as files, loaded lazily. That buys you a growing library of expertise at almost no standing cost — and it hands anyone who can write a file a channel straight into your agent's decisions. Both halves follow from the same design. Understanding one means understanding the other.

Sources

Every figure in this piece traces to one of these. Primary sources first.

Anthropic — announcements & docs

Security research

Scanners