AI Skills as an Emerging Attack Surface in Critical Sectors: Enhanced Capabilities, New Risks

An AI skill is an artifact that represents a hybrid knowledge format, combining human-readable text with instructions that large language models (LLMs) can interpret and execute. AI skills encapsulate everything, from elements like human expertise, workflows, and operational constraints, to decision logic. By capturing this knowledge into something executable, AI skills enable organizations to achieve scalability and knowledge transfer at previously unattainable levels.

Anthropic, the developer of the Claude family of LLMs, formally refers to AI skills as Agent Skills and defines them as “organized folders of instructions, scripts, and resources that agents can discover and load dynamically to perform better at specific tasks.” Aside from Anthropic’s Agent Skills, examples of skills provided by well-known AI platforms include GPT Actions by OpenAI and Copilot Plugins by Microsoft.

Figure 1. An example of a Claude skill for handling weekly updates automation in Atlassian Confluence group meeting minutes

An emerging blind spot

The wide adoption of AI skills also bears significant impact on the security posture and defense capabilities of many organizations, especially in cases of “shadow AI,” where AI tools are used within an organization without formal approval or oversight. For example, wider adoption of AI automation, as with any automation, could make organizational automated responses more predictable to attackers. By gaining access to an organization’s AI automation corpus, attackers can recreate it in a sandbox environment and use this environment to test their detection evasion techniques before using them on a targeted organization.

Many of today’s security defense tools lack the capabilities to effectively detect, analyze, and mitigate threats from unstructured text data, which AI skills are. The recent popularity of OpenClaw (aka ClawBot or MoltBot) and the security issues that brought it to wide adoption constitute a good example of the associated risks and blind spots. To address such issues, AI security solutions must be capable of comprehending the semantical content of the AI skill corpus.

AI skills represent a significant boost in how organizations can leverage AI across different critical sectors. In this section, we discuss the advantages they offer in different sectors and examine the implications of domain-specific skills publicly available today.

Knowledge preservation and digital twins creation

Modern AI environments enable preservation of institutional knowledge in executable and operationally useful forms. AI skills further amplify this ability. Because skills can capture expertise, skills can be combined to create virtual personalities, which in turn can be synthesized into digital twins that simulate the behavior, tasks, and approaches of human specialists.

This capability provides substantial advantages, including:

• Accelerated knowledge transfer for critical business processes.
• Streamlined onboarding of new team members.
• Minimized impact of expertise loss when personnel leave an organization.
• Scalable automation of previously manual or expert-driven workflows.

AI skills adoption in critical industries

As we’ve established, skills add to the AI functionality of knowledge preservation and transfer, which, if honed for specific critical industries, can significantly simplify automatization for more focused business processes.

Over the coming months, we anticipate the development and acceleration of skills for key critical verticals. Today, we already observe a variety of skills for the following sectors:

• Financial services: automation for market analysis, investments and trading
• Technology, media, and communication: skills that leverage content generation (e.g., web assets and media), optimization, and analysis
• Industrial, energy, and manufacturing: skills for computational materials science and numerical simulation workflows
• Healthcare and life sciences: synthetic healthcare data generation
• Public sector: a variety of options for skills that allow for faster, more accurate service delivery and improved customer experience (e.g., providing assistance in filling out and verifying documents and forms, calculating statistics and metrics, and answering standard questions)

Public exposure of AI skills

When we examine these domain-specific AI skills more closely, potential drawbacks become more apparent.

The threat of unintended exposure is not theoretical.

Public GitHub repositories already host domain-specific skills that expose sensitive operational parameters. For example, the “Awesome Claude Skills” collection catalogs hundreds of community-built skills spanning multiple industries, including:

• Financial trading skills containing hard-coded risk thresholds, position limits, and circuit-breaker configurations.
• Healthcare simulation skills encoding clinical decision logic.
• Materials science skills containing proprietary and simulation parameters.
• Marketing automation skills with campaign strategies and audience-targeting logic.
• Security operations skills documenting detection methodologies and response playbooks.

For example, as seen in Figure 2, a cryptocurrency trading skill publicly exposes circuit breaker thresholds, allowing attackers to craft trades specifically designed to evade automated risk controls.

Figure 2. A screenshot of a cryptocurrency trading skill that publicly exposes circuit breaker thresholds

Similar exposure patterns exist across other verticals where skills encode operational decision boundaries.

In short, AI skills adoption spans multiple critical sectors, but each sector presents unique security implications, as summarized in Table 1.

Table 1. AI skills adoption and its security implications across critical sectors

The emerging exposure patterns highlight the need to examine the broader threat model and attack vectors introduced by AI skills.

AI skills as an unconventional attack surface

AI skills represent an underestimated attack surface.

In essence, LLM skills are a form of knowledge preservation. This capability can produce both highly beneficial and potentially harmful outcomes.

Among the positives:

• Domain-knowledge analysts can distill their knowledge into shareable “skills,” enabling others (possibly less-experienced engineers in that domain) to reuse these capabilities in their own workflows. This makes the knowledge more widely available and accessible across the organization.
• Skills can automate processes, such as in security monitoring, where AI-enabled security operations centers (SOCs) automate monitoring and initial triage.

However, these same advantages introduce new risks. AI skills expand an organization’s attack surface. Attackers will choose to seek out vulnerabilities not only in the underlying components that AI skills depend on but also in the skill logic itself.

Moreover, an AI skill is itself a form of proprietary data. Skills might contain sensitive operational information, such as thresholds and triggers an organization uses in its processes or an organization’s handling procedures for sensitive data. Risks become apparent in all major critical industries. Knowledge about thresholds, for example, can be leveraged to manipulate the severity of notifications or exploit decision-making logic.

If an attacker gains access to the logic behind a skill, it can give them substantial opportunity for exploitation. An attacker might also simply decide to trade or leak acquired data, thus exposing sensitive organizational information. The risks for these attack scenarios are particularly acute for AI-enabled SOCs.

SOC-specific implications and injection attack vectors

SOCs face unique risks when integrating AI skills into their processes. Attackers can analyze scenarios within an AI skill and attempt to exploit its execution logic. The core challenge lies in the fact that skills inherently introduce a heightened risk for injection-based attack vectors.

AI skills mix user-supplied data with user-supplied instructions, and skill definitions might also mix both data and instructions and can reference external data sources. This combination of data and executable logic creates an ambiguity, which in turn makes it difficult for defense tools — and even the AI engine itself — to safely differentiate between genuine analyst instructions and attacker-supplied content. Hence, the inability to defend against injection attacks.

As a result, AI skills become susceptible to AI-native injection attacks mirroring classic exploitation attacks, like SQL injection, but in the context of an AI engine. AI skills inadvertently create conditions for AI variants of traditional injection attacks, where malicious content can manipulate LLM execution logic.

Escalation path: From tactical to strategic

Unauthorized access to AI skills leads to a dangerous escalation path.

When collected systematically by a malicious attacker, AI skills can reveal critical organizational business processes that reveal sensitive insights into how an enterprise operates, makes decisions, and defends itself.

The more AI skills attackers compromise, the more advantages they gain:

• One or two skills provide tactical advantage (e.g., identifying specific detection blind spots)
• Over 20 skills enable strategic modeling (e.g., provide a complete understanding of SOC priorities)
• A complete skill set enables full behavioral prediction and digital twin creation (e.g., construction of digital twins of security analysts)

The cumulative impact of such breach grows exponentially.

Once AI skills have been compromised, attackers retain long-term knowledge into an organization’s security posture, which is unlikely to change much over time. Preventing unauthorized access to AI skills is therefore essential to eliminate this entire escalation path.

It’s clear that organizations must proactively prevent skill-related risks as they embed skills into their processes. In this section, we outline measures to safeguard the use of AI skills and ensure that the benefits of adoption do not come at the cost of security.

Kill chain model for AI skill compromise

Traditional kill chains inadequately address AI skill–based attacks. Traditional kill chain models, designed for threats like network intrusion, malware, or credential compromise, do not fully encompass the unique characteristics of AI skill–based attacks.

To address this gap, we propose an eight-phase kill chain model, illustrated in Figure 3, which is specifically tailored to AI skill compromise by reflecting the full life cycle of how adversaries can discover, exploit, and leverage skills to achieve both tactical and strategic objectives.

Figure 3. Eight-phase kill chain model tailored to AI skill compromise

Detection and response framework

To complement the eight-phase kill chain, we also outline key indicators and mitigations of AI skill compromise. Our detection architecture and response framework are designed to guide organizations in detecting suspicious activity early and responding quickly to emerging threat scenarios.

Detection opportunities

Organizations should monitor for multiple complementary signals, each indicative of a different stage or technique in the compromise life cycle, as outlined in Table 2. Together, these signals form a comprehensive early-warning system for AI-driven threats.

Table 2. Indicators for detecting AI skill compromise

Recommended detection architecture

We propose the multilayered detection architecture outlined in Table 3, which is aligned with the our eight-phase kill chain.

Table 3. Multilayered detection architecture aligned with the eight-phase kill chain

Phase-aligned mitigations

To further operationalize the guidance in this model, we map concrete mitigation strategies directly to each phase of our proposed kill chain, as outlined in Table 4.

Table 4. Mitigations mapped to the eight-phase kill chain

Security principles for safeguarding AI skills

Beyond the technical mitigations we have outlined, organizations should revisit established security best practices and apply them to the integration and management of AI skills.

Here are tested principles to apply throughout the AI skill life cycle:

• Treat skills as sensitive intellectual property. Apply risk assessment and mitigation procedures throughout the entire life cycle. Implement proper access control, versioning, and change management. Enable appropriate access controls through proper classification and labeling.
• Separate instructions from untrusted data. Many skills operate on user-supplied data, creating exploitation opportunities. Maintain clear separation between skill logic, skill data, and untrusted external data.
• Constrain execution privileges. Apply least-privilege principles when designing skills. Limit execution context to minimum required permissions to prevent lateral movement during compromise.
• Validate against adversarial scenarios. Understand the organization’s attack surface. Test how malicious users might exploit skill operational logic before deployment.
• Implement comprehensive monitoring. Monitoring, logging, and auditing are critical for the secure operation of any business process, especially AI-enabled environments where traditional security boundaries blur.