TL;DR: AI agent Skills package instructions, scripts, and tool usage into reusable modules, but Backslash Security notes they also expand the attack surface through prompt injection by design and supply chain abuse. That makes governance, review, and guardrails more important than the workflow format itself.
At a glance
What this is: This is an analysis of AI Agent Skills as modular workflow packages and the security risks they introduce when agents load high-priority instructions and helper scripts at runtime.
Why it matters: It matters because teams now have to govern not just prompts and tools, but the identity, privilege, and execution boundaries around AI agents, MCP-connected systems, and the workflows they are allowed to invoke.
👉 Read Backslash Security's analysis of AI agent Skills and modular workflow risk
Context
AI agent Skills are reusable instruction packages that tell an agent how to perform a task, which standards to follow, and when to invoke helper scripts. The governance problem is that those packages can become privileged runtime inputs, not just documentation, so identity and access controls have to account for how instructions, tools, and execution are combined.
For IAM and security teams, the important question is not whether Skills are convenient, but whether the organisation can review, sign, inventory, and constrain the capabilities they expose. That becomes a Non-Human Identity problem when Skills carry filesystem, shell, or API access through the agent that loads them.
Key questions
Q: What breaks when AI agent Skills are not reviewed like privileged code?
A: Unreviewed Skills can redirect an agent’s tool use, data access, and command execution through instructions that appear routine. That creates a trust gap where users think they are adopting a workflow helper, while the actual execution path may include hidden privileged actions. Governance has to cover content provenance, change control, and runtime permissions together.
Q: Why do AI agent Skills increase risk in MCP-connected environments?
A: MCP standardises how agents reach external systems, but Skills decide how that access is used. When the instruction layer is compromised, the agent can orchestrate trusted tools against approved connections in ways the operator did not intend. The risk rises when review, signing, and permission scoping are weak across the whole delegation chain.
Q: How do security teams know whether a Skill is operating outside its intended boundary?
A: Look for unexpected tool calls, commands that were not part of the approved workflow, unusual access to secrets or files, and divergence between the user request and the agent’s executed steps. If the workflow can trigger actions the owner did not explicitly authorise, the Skill boundary is not well controlled.
Q: Should organisations treat Skills as a new class of non-human identity control?
A: Yes. Once a Skill can influence an agent that has access to files, shells, or APIs, the real governance problem is no longer just text quality. It is how a reusable instruction package inherits, extends, or abuses the privileges of the agent that loads it, which makes lifecycle, review, and access scoping essential.
Technical breakdown
How AI agent Skills change the runtime trust model
Skills are lightweight instruction bundles, usually a folder with a SKILL.md file plus optional scripts or templates. Unlike fine-tuning, they do not change model weights. Instead, they are loaded into the agent context as high-priority instructions when the task is relevant. That makes them closer to privileged runtime policy than static documentation. The security issue is not simply that the text can be misleading. It is that the agent may treat the content as authoritative enough to alter tool choice, command execution, and data access during the session.
Practical implication: treat Skills as governed runtime artefacts, not informal content files.
Prompt injection by design in SKILL.md files
When a Skill can override or steer the agent’s execution logic, a malicious or compromised SKILL.md can act as a prompt injection vector with operational impact. Backslash Security describes the risk as prompt injection by design because the instructions are meant to be consumed at a high priority. If the agent also has access to shell, filesystem, or network resources, the issue moves from text manipulation to action manipulation. In other words, the danger is not only what the model says, but what the model is allowed to do after reading the instruction set.
Practical implication: subject Skill content to the same review discipline as code and privileged configuration.
Skills, MCP, and delegated tool access
Skills often sit above or beside MCP-connected tools, providing the judgment layer that decides when to invoke them. MCP standardises access to systems and data, while Skills describe how an agent should use that access. That creates a delegation chain: the agent reads a Skill, interprets the workflow, and then calls external tools with whatever permissions are already available. If the chain lacks signing, approval, or package integrity controls, a malicious Skill can orchestrate trusted tools to move from guidance to execution without an obvious control break in the middle.
Practical implication: govern the full delegation chain, not just the external tool interface.
Threat narrative
Attacker objective: The attacker aims to turn a legitimate AI agent workflow into a trusted execution path for data theft, credential harvesting, or command execution.
- Entry occurs when a malicious or compromised Skill package is loaded into the agent’s workflow as a trusted instruction source.
- Credential access or abuse follows when the Skill steers the agent toward filesystem, shell, API, or MCP-connected resources already available to that identity.
- Impact occurs when the agent executes hostile workflow steps such as credential harvesting, data exfiltration, or remote command activity under trusted permissions.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Skills governance is becoming identity governance, not just prompt governance. A Skill is not a harmless instruction file once it can direct a runtime agent with filesystem, shell, or API access. That shifts the control problem from content review alone to lifecycle, approval, and privilege management across the agent’s execution context. Practitioners should read Skills as governed identity artefacts, not just workflow convenience.
Prompt injection by design is the right failure mode to name. The vulnerability is not that an attacker can merely confuse the model. It is that a high-priority instruction package can rewrite how privileged tool use is selected and executed. That is a control-plane problem for agentic systems, and it sits squarely in the overlap of OWASP Agentic AI Top 10 thinking and NHI governance.
Skill supply chains now mirror the worst parts of package management and secrets exposure. The article’s own warning about missing review, signing, and lockfiles points to a familiar governance failure pattern: trust is being extended to distributed artefacts without adequate provenance controls. The practical conclusion is that modular agent workflows need the same scrutiny that software supply chains now require.
The agentic workflow layer is where least privilege starts to blur. Skills let organisations package specialised instructions once and reuse them across tools, but reuse also broadens blast radius if the packaged instructions are compromised. That makes the issue less about one bad file and more about the way privileges travel with reusable workflow definitions. Practitioners should treat the workflow layer as part of the identity boundary.
Modular AI workflows expose a new control gap between human intent and machine execution. The user thinks they are asking for a task, but the agent may be executing a hidden sequence of tool calls embedded in the Skill. That gap matters because accountability, review, and approval may exist on paper while the actual action path is assembled at runtime. Security teams should govern the action path, not only the request text.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- For practitioners formalising this control layer, see OWASP Agentic AI Top 10 for the adjacent agent-risk model that helps frame Skill abuse and tool misuse.
What this signals
Prompt injection by design is becoming a practical governance label for agent workflow packages that can override execution decisions at runtime. The control question is no longer whether the instruction text is clear, but whether the organisation can prove provenance, approval, and revocation for every Skill that can influence a privileged agent.
The security programme should assume that reusable AI workflows will behave like distributed identity artefacts, not static playbooks. Once a Skill can steer tool calls, the boundary between configuration drift and access drift disappears, which is why teams should align Skill governance with OWASP Agentic AI Top 10 and internal approval workflows.
With 43% of security professionals already concerned about AI systems learning and reproducing sensitive information patterns from codebases, per The State of Secrets in AppSec, the operational signal is clear: agent governance must cover both what the model sees and what it is allowed to execute.
For practitioners
- Inventory every Skill package Catalog where Skills are stored, who can modify them, and which agents or environments can load them. Include project, personal, and system-level locations in the review so ownership and approval boundaries are explicit.
- Require provenance and change control Put Skills under the same control plane as code or infrastructure definitions by requiring review, signing, and version tracking before they can be used in production workflows.
- Separate instruction from execution access Limit which agents can invoke local scripts, shells, or external APIs, and ensure the Skill itself cannot expand those permissions beyond what the underlying identity already has.
- Scan Skill content for hostile directives Inspect SKILL.md files and helper resources for prompt injection patterns, unsafe command sequencing, and hidden data-exfiltration steps before any package is published or shared.
Key takeaways
- AI agent Skills turn reusable workflow content into a runtime governance problem because they can steer privileged tool use at execution time.
- The main failure mode is prompt injection by design, where compromised Skill content can redirect agents toward unsafe actions, data exposure, or command execution.
- Security teams should govern Skills with provenance, signing, change control, and scoped permissions so the workflow layer does not become an uncontrolled identity boundary.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | AGENT-03 | Skills can alter agent tool use and execution paths at runtime. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Compromised Skills can expose or misuse secrets through agent workflows. |
| NIST CSF 2.0 | PR.AC-4 | Access scope and delegated execution are central to Skill abuse risk. |
Map agent Skill permissions to least-privilege access reviews and revoke excess capability quickly.
Key terms
- Agent Skill: A modular instruction package that tells an AI agent how to perform a specific task, which standards to follow, and which tools or helper resources to use. In practice, it behaves like a reusable runtime policy object, so its content and provenance matter as much as its convenience.
- Prompt Injection by Design: A failure mode where instructions that were meant to guide an AI system can be abused to override or redirect behaviour during execution. In agentic workflows, the risk becomes operational when the injected content can influence tool choice, command use, or access to sensitive data.
- Delegation Chain: The sequence through which authority moves from a person or system into an agent, then into tools, scripts, or downstream services. The chain matters because a weakness in any link can expand privileges beyond the original intent and make accountability harder to trace.
- Runtime Trust Boundary: The point at which an AI agent decides what instructions, tools, and data sources it will trust during a live session. When that boundary is weak, reusable workflow content can shape real actions rather than remain harmless documentation.
What's in the full article
Backslash Security's full blog post covers the operational detail this post intentionally leaves for the source:
- The article walks through the Skill directory structure, including SKILL.md metadata and optional helper resources, so teams can map package components to governance controls.
- It explains static versus dynamic Skills and how execution differs when scripts are invoked at runtime, which is useful for implementation planning.
- It outlines practical installation and portability patterns across common AI tools, which helps teams understand where governance needs to follow the workflow.
- It includes Backslash's own scanner and security framing for SKILL.md review, which is relevant if you are evaluating controls rather than the concept alone.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org