TL;DR: Claude Code skill frontmatter can bypass permission prompts, hide instructions from users, invoke background tasks, and poison project memory, creating persistence and cost-amplification risks in agentic coding workflows, according to HiddenLayer. Skills are now part of the software supply chain, and hidden control fields make conventional review habits insufficient.
NHIMG editorial — based on content published by HiddenLayer: What’s the ‘Matter’ with Skills?
Questions worth separating out
Q: How should security teams validate AI agent skills before installation?
A: They should execute each skill in a controlled sandbox with real agent context and inspect actual behaviour, not just source code.
Q: Why do hidden skill fields create governance risk for agentic coding tools?
A: Hidden fields break the assumption that what the user can see is all the agent can do.
Q: What breaks when project memory can be modified by a skill?
A: Persistent agent memory can preserve malicious instructions after the originating skill is removed, which defeats ordinary cleanup and review routines.
Practitioner guidance
- Scan skill files beyond the body text Inspect frontmatter fields such as allowed-tools, when_to_use, model, effort level, and user-invocable during code review and repository intake.
- Block hidden execution paths from imported skills Require explicit approval for background triggers, skill chaining, and any skill that can invoke tools without a visible user prompt.
- Separate agent memory from transient task context Monitor writes to project memory as persistence events and restrict which workflows can create or modify memory files.
What's in the full report
HiddenLayer's full research covers the operational detail this post intentionally leaves for the source:
- Exact frontmatter fields that enabled permission bypasses and hidden execution in Claude Code
- Step-by-step examples of how memory poisoning persisted after the original skill was removed
- Testing notes on downgrade attacks, cost-amplification, and background task invocation
- Behavioural observations showing how the same skill could be hidden from the slash menu while still executing
👉 Read HiddenLayer’s research on Claude Code skill frontmatter abuse →
Claude Code skills and agentic AI workflow risk: what teams miss?
Explore further
Skill frontmatter is now a privilege boundary, not just metadata: The article shows that allowed-tools, when_to_use, and user-invocable can materially change what an agent is permitted to do and whether the user can see it. That means the review model for agentic coding tools has to treat frontmatter as part of the control plane, not as descriptive packaging. For practitioners, the governance question is whether metadata can alter runtime authority without a separate approval path.
A few things that frame the scale:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- Another finding from the same research shows that 80% of organisations report AI agents have already performed actions beyond their intended scope.
A question worth separating out:
Q: Who is accountable when an imported skill triggers unauthorized actions?
A: Accountability sits with the organisation that allowed the skill into a shared workflow and with the team that failed to review the privilege fields inside it. In practice, this needs ownership across IAM, platform engineering, and application security because the problem spans identity, execution, and software supply chain governance.
👉 Read our full editorial: Claude Code skills expose hidden attack paths in agentic AI workflows