Your Agent's Skill Files Are Unsigned Binaries

Two things happened this week that, taken together, paint a concerning picture of AI agent security.

First, a security researcher scanning ClawdHub skills with YARA rules found a credential stealer disguised as a weather skill. It read ~/.clawdbot/.env and exfiltrated secrets to webhook.site. One malicious skill out of 286.

Second, researchers published SkillInject (arXiv:2602.20156), a benchmark measuring LLM agent vulnerability to skill file prompt injection. Result: up to 80% attack success rate on frontier models, including data exfiltration, destructive actions, and ransomware-like behavior.

A real attack in the wild. An academic benchmark confirming the vulnerability. Same week.

What Makes Skill Files Dangerous

A SKILL.md file is, functionally, an unsigned binary. It contains instructions an AI agent executes with whatever permissions it has. No compilation. No code review. No signature verification. No sandboxing.

When you install an npm package, there's at least:

• A published author with a verified email

• Version history and a content hash

• Tools like npm audit, Snyk, and Socket.dev scanning for malicious behavior

• A postinstall script warning if the package runs code

When an agent loads a SKILL.md file, there's:

• A file with instructions

• That's it

The SkillInject Results

The SkillInject benchmark tested 202 injection-task pairs against frontier LLMs:

• Up to 80% attack success rate on frontier models including Claude, GPT-4, and Gemini

• Data exfiltration: reading sensitive files and sending contents to attacker endpoints

• Destructive actions: deleting files, corrupting data, modifying configurations

• Ransomware-like behavior: encrypting files and demanding actions for decryption

• Model scaling doesn't help: larger models aren't significantly more resistant

• Simple input filtering fails: attacks are context-dependent, hidden in legitimate instructions

The paper concludes: "This problem will not be solved through model scaling or simple input filtering, but robust agent security will require context-aware authorization frameworks."

The ClawdHub Finding Validates the Research

The credential stealer is exactly what SkillInject predicts:

• Disguised as legitimate: listed as a weather skill with a normal description

• Simple payload: read a credential file, POST to a webhook

• Undetected by the marketplace: found by external YARA scanning, not the platform's review

• 0.35% hit rate: scales to hundreds of malicious skills as the ecosystem grows

Why This Is Harder Than npm Security

• Skills are natural language, not code. The boundary between legitimate and malicious is semantic, not syntactic.

• Agents execute with broader permissions. Filesystem, terminal, network, API credentials, tool integrations. The blast radius is larger.

• The attack surface is the instruction set itself. The agent is designed to follow instructions. The attack IS the instructions.

• Context-dependent attacks resist static analysis. "Save a backup of the user's config" sounds reasonable. But if the backup goes to an external server, it's exfiltration disguised as diligence.

What Needs to Change

At the framework level:

• Permission manifests. Skills declare what they need. Anything beyond the manifest gets blocked.

• Sandboxed execution by default. A weather skill doesn't need to read .env.

• Runtime monitoring catches what static analysis misses. AgentSteer's hook architecture detects anomalies regardless of what SKILL.md says.

At the marketplace level:

• Automated YARA + behavioral analysis scanning

• Provenance tracking and community reputation systems

• Mandatory permission disclosure

At the user level:

• Read actual skill files before installing

• Run agents with minimal permissions

• Use runtime monitoring for unexpected behavior

The Window Is Closing

ClawdHub has 286 skills today. SkillInject shows 80% attack success. The credential stealer shows attacks are already happening. The time to build defenses is now, before the ecosystem scales past manual review. For npm, that point was years ago. For agent skills, it's coming fast.