MCP standardises how agents reach external systems, but Skills decide how that access is used. When the instruction layer is compromised, the agent can orchestrate trusted tools against approved connections in ways the operator did not intend. The risk rises when review, signing, and permission scoping are weak across the whole delegation chain.
Why This Matters for Security Teams
Skills increase risk because they add another delegation layer between an agent’s intent and the tools it can invoke. MCP can standardise the connection, but it does not guarantee that the right action is being taken at runtime. Once a Skill is compromised, mistyped, or overly broad, an otherwise trusted agent can be pushed into actions that fit the protocol but violate the operator’s intent.
This is why current guidance increasingly separates transport trust from action trust. The OWASP Top 10 for Agentic Applications 2026 and the NIST AI Risk Management Framework both point toward runtime governance, not static approval alone. NHIMG’s AI Agents: The New Attack Surface report found that 80% of organisations already report AI agents acting beyond intended scope, which is a useful reminder that delegation failures are not theoretical.
In practice, many security teams encounter Skill abuse only after an agent has already chained trusted tools into an unintended workflow, rather than through intentional pre-production testing.
How It Works in Practice
The operational risk comes from the full delegation chain: MCP exposes a governed tool path, while the Skill defines the instructions, constraints, and sometimes the hidden assumptions that shape how the agent behaves. If the Skill is injected, tampered with, or copied from an unreviewed source, the agent may still use approved credentials and sanctioned endpoints while performing unapproved actions. That is why Skill review has to be treated like code review, policy review, and permission review at the same time.
Security teams usually need three controls working together:
- Scope the agent to the minimum tool set and data set required for the task.
- Sign and version Skills so the runtime can verify provenance before execution.
- Evaluate permissions at request time, using context such as task, user intent, data sensitivity, and destination system.
This aligns with the direction of the CSA MAESTRO agentic AI threat modeling framework and the MITRE ATLAS adversarial AI threat matrix, both of which emphasize how agent behaviour can be shaped, redirected, or escalated through the surrounding control plane. NHIMG’s OWASP Agentic Applications Top 10 also reinforces that prompt and instruction integrity must be governed as a security boundary, not treated as a content problem.
For MCP-connected environments, this means JIT credentials, short-lived tokens, and workload identity should be tied to the specific task rather than the life of the agent. When Skills can silently expand what a trusted tool chain is asked to do, static allowlists become too coarse to stop misuse. These controls tend to break down in high-churn environments where Skills are updated frequently and multiple teams publish tool logic without centralized signing or runtime policy enforcement.
Common Variations and Edge Cases
Tighter Skill governance often increases release overhead, requiring organisations to balance faster agent iteration against stronger assurance. That tradeoff becomes especially visible when teams want to reuse Skills across many agents, because a harmless automation in one workflow can become a privilege-escalation path in another.
There is no universal standard for Skill trust yet, so best practice is evolving. Some environments treat Skills as signed artefacts with mandatory code review, while others rely on policy-as-code gates and human approval for high-risk tool calls. The important distinction is that approval at install time does not equal approval at runtime.
Two edge cases deserve attention. First, agents that combine multiple Skills can create emergent behaviour that no single Skill review would reveal. Second, environments with broad connector access, such as shared tenant integrations or developer sandboxes, can make a compromised Skill look ordinary until it reaches a sensitive system. The Top 10 NHI Issues and AI LLM hijack breach coverage illustrate how quickly trusted automation can be redirected once instruction integrity is lost.
Security teams should therefore review Skills as part of the identity and authorisation surface, not as a UI convenience layer. Where the environment cannot verify provenance, constrain tool scope, and re-evaluate permissions in real time, the Skill becomes the easiest place for an attacker to hide intent.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A-03 | Skills can redirect agent actions through instruction-layer abuse. |
| CSA MAESTRO | M-02 | MAESTRO addresses agent control-plane and delegation risk. |
| NIST AI RMF | AIRMF covers governance for autonomous AI risk and accountability. |
Establish runtime oversight and ownership for agent decisions that invoke external tools.