Skills like skills.sh (tiny text “how-to” files that steer an agent toward a task) feel harmless because they’re just instructions.
But that’s exactly why they can become an attack vector.
A skill file is basically executable intent:
- it sets the agent’s assumptions (“trust this source”)
- it defines the workflow (“run these steps”)
- it can nudge boundaries (“skip confirmations”, “always do X”)
The tricky part is: this attack doesn’t have to come from external prompt injection at all.
Skills often live inside your environment (repo, dotfiles, shared templates, internal skill packs). If a malicious or compromised skill gets into that internal distribution path, it arrives with a “trusted” label by default.