×

Inside the OWASP Agentic Skills Top 10

If the developers in your organization have started using AI agents, they’re probably already extending them with skills to speed up tasks. Installing a new skill can be pretty easy, and within seconds, it can have access to files, APIs, and external systems.

Skills add useful functionality, but they also expand the attack surface. The OWASP Agentic Skills Top 10 (AST10) highlights this, focusing specifically on agentic skills and the security risks that come with how those agents are built and deployed.

Feature image of OWASP logo on SecureFlag background

What Are Agentic Skills?

To understand why the OWASP AST10 is valuable, it helps to first look at how agentic systems are made up. At a high level, AI agents usually consist of three main components:

  • The model that generates responses and makes decisions.

  • Tools that provide the agent with access to systems, including APIs, files, and services. An example of a tool is the Model Context Protocol (MCP). 

  • Skills that define how tools are used to complete a task. 

When a developer installs a skill or plugin for their agent, they’re giving that skill the same access they have, such as their source code, credentials, and production systems. 

As skills have the autonomy to plan multiple steps, use several tools in sequence, store information for later sessions, and make external network calls, they are a worthwhile target for attackers.  

The “Lethal Trifecta”

The AST10 identifies what it calls the “Lethal Trifecta”, which are three conditions that, when present at the same time, create significant risk:

  1. Access to sensitive data, such as SSH keys, API credentials, or session tokens.

  2. Exposure to untrusted content, including skill instructions, memory files, or documents that the agent processes.

  3. The ability to communicate externally, via outbound network calls or webhooks.

Most production agent deployments today meet all three conditions simultaneously, and that’s the main focus of this framework.

Where AST10 Fits Alongside Other Frameworks

OWASP already has frameworks addressing AI security at different levels, and it’s useful to understand how AST10 relates to them.

  • OWASP LLM Top 10 covers risks at the model level, including vulnerabilities such as prompt injection, training data poisoning, and insecure output handling. 

  • OWASP Agentic AI Top 10 (ASI) addresses how agents are directed, use tools, and interact with each other. 

  • AST10 is at the execution level, covering what skills do, how they’re distributed, and how they can be exploited.

A compromised skill can cause damage at every layer, which is precisely why a dedicated framework was needed.

The Top 10 Agentic Skills Risks

1. Malicious Skills

Just as malicious packages are published to npm, attackers can publish harmful skills to AI agent registries. These skills can exfiltrate credentials, modify files, or persist hidden instructions inside memory systems.

For example, the ClawHavoc campaign earlier this year published 1,184 confirmed malicious skills to ClawHub, leading to data theft and backdoor access. 

2. Supply Chain Compromise

Instead of targeting individual skills, attackers can go after how those skills are distributed. It includes tactics such as typosquatting, poisoning skill registries, and hijacking dependencies.

Similar risks have been seen in AI coding environments such as Claude Code, where untrusted project configuration files can execute malicious code just by opening a project. It’s a good example of how supply chain attacks in agentic AI can reach further than expected, with the compromise happening before a developer has done anything obviously risky.

3. Over-Privileged Skills

If users install skills without properly reviewing their access, or if the platform doesn’t provide a way to limit permissions, skills often end up with more access than they need. If a skill is compromised, the impact can be much bigger than expected. An analysis of more than 31,000 skills found that 11.8% had privilege escalation risks. 

4. Insecure Metadata

Skills include metadata to help users decide whether to install them, such as name, description, author, permissions, and risk level. 

The problem is that, if the information isn’t verified or properly signed, malicious actors can easily impersonate trusted brands, exaggerate or hide permissions, or mislabel risk levels to make unsafe skills look legitimate.

5. Unsafe Deserialization

In most cases, skills are defined in configuration files, such as YAML or JSON, which outline what the skill can do and how it behaves. If these files are not properly validated, they can sometimes cause unexpected behavior in the system.

Vulnerabilities in YAML parsing have allowed attackers to turn a configuration file into a way of running code on the underlying system. For example, a vulnerability in PraisonAI demonstrated how this type of issue can lead to remote code execution if unsafe configuration parsing is used.

6. Weak Isolation

When a skill runs with full access to the host machine rather than in a contained environment, a compromised skill can move freely across the entire system.

If a skill is compromised, the impact can be much larger than expected. It may be able to access files, system resources, or other parts of the environment that were never intended for it.

7. Update Drift

Skills are often updated automatically, with no way to control which version is in use. A skill might seem safe at the time of installation, but it can later introduce risk if updates are applied without review or version locking.

Attackers could use the browser to take control of locally running agents, add new devices, and access data through existing integrations. Systems without version locking are especially vulnerable.

8. Poor Scanning

Traditional security scanners look for known patterns or signatures, but agent skills often hide malicious behavior inside natural language instructions instead of code, which can go undetected.  For example, a scanner might find a command in code that sends data to an external server. However, it would not easily recognize a skill that tells an agent to read a file and send its contents to a remote location using built-in system tools. 

9. No Governance

Another issue is that organizations have no visibility into which AI agent tools their employees are using or what skills are installed. Skills are often installed by developers without approval, tracking, or review, creating a “shadow AI” layer that’s outside security processes.

Research from earlier this year suggests that only 34% of enterprises have AI-specific security controls in place. 

10. Cross-Platform Reuse

Skills are often reused across different platforms, but the security controls don’t always carry over. A skill that includes permissions or safeguards in one environment may lose them when it’s moved to another. 

Attackers can take advantage of these differences to reuse or adapt malicious skills across platforms, increasing their reach and impact.

Security Priorities for Development Teams

Many of the risks in AST10 are not entirely new; for instance, over-permissioning, supply chain attacks, and weak isolation have all existed in traditional software. What’s different here is how quickly these risks combine in agentic systems.

There are a few priorities that stand out:

  • Know what’s in use: Keep track of which agent platforms and skills are being used across the organization. Otherwise, it’s difficult to manage risk.

  • Limit permissions wherever possible: Apply the principle of least privilege to skills, especially those that access sensitive data or external systems.

  • Review how skills are installed and updated: Avoid unverified sources, pin versions where possible, and introduce basic review steps before using new skills.

  • Don’t only rely on scanning: Seeing as traditional security scanners aren’t designed to detect natural-language-driven behavior, it’s best to combine scanning with manual review and developer awareness.

  • Move toward containerized execution: Running agent skills without isolation increases the potential impact of a compromised skill.

How SecureFlag Helps Teams Secure Agentic AI Systems

Addressing agentic AI risks needs more than awareness. Developers should have practical experience in recognizing how these issues appear in real scenarios and how to prevent them. 

SecureFlag’s AI security training is designed to support this through hands-on labs and structured learning paths in real development environments. 

This includes dedicated training for:

  • LLM security: Gain practical experience in identifying and reducing LLM-related risks.

  • Agentic AI security: Work through practical labs built around agentic AI and MCP scenarios.

  • Agentic coding: Learn how to securely use AI assistants during coding, review, and remediation, including securing skills. 

For teams who want to get ahead of these risks before they write code, SecureFlag’s ThreatCanvas helps model threats in agentic systems at the design stage, so developers aren’t discovering AST10-style vulnerabilities in production.

The aim is to help teams establish secure practices early so security can keep up as AI becomes more embedded in development.

Book a demo to see SecureFlag’s AI labs in action. 

Continue reading

Introducing Custom Threat Library and Custom Risk Templates on ThreatCanvas
Introducing Custom Threat Library and Custom Risk Templates on ThreatCanvas

Within cybersecurity, nothing stands still for long; organizations are all too familiar with this as...

By SecureFlag, on 27 Feb 2024
Turn Your Codebase Into Hands-On Security Training with Custom Labs
Turn Your Codebase Into Hands-On Security Training with Custom Labs

Traditional security training often relies on generic examples that don’t usually reflect how your teams...

By SecureFlag, on 16 Dec 2025
Secure Coding Training and Threat Modeling for SMBs
Secure Coding Training and Threat Modeling for SMBs

Cybersecurity isn’t just an enterprise problem. In fact, research shows that one in three small...

By SecureFlag, on 14 Apr 2025