ATR-2026-00122 | high | Skill Compromise | experimental

Weaponized Skill — Agent as Attack Tool

Detects skills that weaponize AI agents for offensive operations. Cato Networks demonstrated deploying MedusaLocker ransomware via a modified Claude skill (Dec 2025, disclosed to Anthropic Oct 30, 2025). The "consent gap" allows approved skills to download/execute code, read env vars, and write files without further prompts. arXiv 2601.17548 documents attack tooling embedded in skills with 41-84% success rates. Real examples include SQLMap workflows, Metasploit payloads, and credential brute-force tools found on skills.sh and ClawHub.

Severity
high
Category
Skill Compromise
Scan Target
skill
Author
ATR Community

Response Actions

alert

References

OWASP Agentic
ASI05:2026 - Unexpected Code Execution
ASI01:2026 - Agent Goal Hijack
OWASP LLM
LLM06:2025 - Excessive Agency