The next worm will propagate through agent skills, mark my words.

Ethical Threat Insight: The Hidden Risk of Agent Skills

Agent skills are ripe for attack. Worst case scenario they open the door to malware running on your computer without your knowledge.

Agent skills are small pieces of code an AI agent can run to take actions outside the chat, like reading files, writing to files, calling APIs, or executing commands.

These are simple markdown files.

They are typically installed alongside your favorite IDE or AI coding platform such as Claude Code, Antigravity, Cursor, VSCode, etc.

They are very easy to install, which makes them extremely convenient, but at a cost.

npx skills add

The problem lies in that there’s no validation of these skills. There’s no evaluation for anything malicious or suspicious in these skills.

So the user, running a skill, could inadvertently infect themselves with whatever the author of the skills can dream up.

security review skill

In the example above, Zack Korman, a Cybersecurity researcher did just that.

He created a skill, that ran a harmless payload as a proof of concept to show the risk.

If you were to install this skill, then run the skill, this payload would have fired.

Now his payload opened a harmless website but it could have easily been a backdoor or some other type of malware and the user would never know.

What to do about this?

Since those X posts, it seems there has been a warning added to his POC agent skill, but the underlying risks have not been addressed yet.

If you’re an IT admin and you work with these tools, please take caution before installing skills. At the very least read them over first before installing them.

If you’re a CIO/CISO, understand that your technical teams are likely using AI coding platforms an they are using skills. Encourage them to share what they are doing and how they are doing it, so you can evaluate the risks together and decide on the safest way to handle this.

Agent skills are great and powerful and allow you to do amazing things. But remember what Uncle Ben told the amazing spider man…

“With great power comes great responsibility.”

🎧 If you want to learn more about the security risks AI presents, listen to this:

Episode 146: What are the Security Implications of AI

Make sure you subscribe on your podcast platform of choice, we release new episodes every Friday.

All the best
Spencer Alessi

PS - If you get value from my newsletter, the single best thing you can do give back is to share it with 1-2 people you think might get value from it. It would mean the world to me if you did. Thank you!!!

Keep Reading

© 2026 Ethical Threat Insights.
Report abusePrivacy policyTerms of use
beehiivPowered by beehiiv