Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI agent skills and prompt injection by design: what teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9439
Topic starter  

TL;DR: AI agent skills expand the agentic AI attack surface because instructions injected into system prompts can rewrite agent behaviour, access filesystem and network resources, and enable data exfiltration through unreviewed third-party packages, according to Backslash Security. The governance gap is that extensibility now behaves like an identity control plane, not a harmless plugin layer.

NHIMG editorial — based on content published by Backslash Security: Governance and Security for AI Agent Skills

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agent skills in production environments?

A: Security teams should treat agent skills as governed instructions with privileged influence over runtime behaviour.

Q: Why do AI agent skills create more risk than ordinary plugins?

A: They create more risk because they live inside the agent’s instruction path and can alter decisions, not just add features.

Q: What do security teams get wrong about skill marketplaces?

A: They often treat marketplaces as convenience layers rather than supply chain entry points.

Practitioner guidance

  • Inventory every deployed skill and its source Map where skills are installed across IDEs, local workstations, and managed agent environments.
  • Require provenance controls before skill onboarding Block unverified skills, unsigned packages, and any skill with hidden or remote script execution until review is complete.
  • Constrain agent tool reach at the skill boundary Separate skill approval from tool approval so a trusted instruction set cannot automatically inherit filesystem, network, or shell access.

What's in the full article

Backslash Security's full research covers the operational detail this post intentionally leaves for the source:

  • Detailed examples of malicious and manipulated AI skills, including the ClawHavoc campaign and marketplace abuse patterns.
  • The article's breakdown of continuous discovery, risk assessment, and policy enforcement for Skills.md and associated scripts.
  • Operational examples of blocking unverified publishers and removing unapproved skills from developer environments.
  • The source's product workflow for scanning and governing skills across agentic development stacks.

👉 Read Backslash Security's analysis of AI agent skill governance and attack paths →

AI agent skills and prompt injection by design: what teams miss?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8923
 

AI agent skills are becoming an identity trust boundary, not just a developer convenience. The article shows that a skill can sit inside the agent’s decision path and shape what the agent is allowed to do, not merely what it reads. That collapses the old separation between instructions and execution, which is why IAM and NHI teams have to treat skills as governed runtime authority. The practitioner conclusion is simple: the trust model for extensibility now belongs in identity governance.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when a malicious skill exfiltrates code or credentials?

A: Accountability sits with the organisation that approved the skill, the team that granted the agent its reachable tools, and the owners of the workflow where the skill was introduced. Frameworks such as OWASP Agentic AI Top 10 and NIST AI Risk Management Framework help define governance, but the operational answer is clear ownership before deployment.

👉 Read our full editorial: AI agent skills turn the extensibility layer into an identity risk



   
ReplyQuote
Share: