Agent Skill Threats
A fixed, versioned taxonomy of 10 threat types for auditing skills installable across agentic frameworks. Modeled after OWASP Top 10, the AST catalogs what can go wrong when you give an AI agent access to tools. Every finding is classified by intent — malicious, negligent, or accidental — because the same threat type can appear for very different reasons.
For the full story on why we replaced the two-axis model, read the Build Aloud post: We Rewrote the Security Scoring. Here's Why. →
Per-Finding Intent Classification
Any threat type can appear with any intent. A data exfiltration finding might be malicious (hardcoded C2 server) or negligent (verbose error logging to a public endpoint). Intent is classified per finding, not per threat type.
Author deliberately designed this to harm users.
Risk is foreseeable but likely unintentional. Author should have known better.
Well-meaning capability that could cause harm through normal or off-rails agent use.
The 10 Threat Types
Data Exfiltration
Skill sends user data, file contents, conversation context, or system information to external services without clear disclosure. Ranges from undisclosed analytics to piping file contents to unknown servers.
Credential Harvesting
Skill accesses secrets, tokens, API keys, SSH keys, or credentials beyond what its stated purpose requires. Ranges from reading one superfluous env var to scraping ~/.ssh and ~/.aws.
Persistent Backdoor
Skill installs mechanisms for ongoing unauthorized access — hidden MCP tools, cron jobs, startup scripts, SSH keys, reverse shells, or config modifications that persist after the skill stops running.
Context Manipulation
Skill injects hidden instructions, modifies system prompts, or manipulates agent context beyond its stated scope. Includes prompt injection payloads embedded in tool outputs or resource content.
Destructive Operations
Skill can delete, overwrite, or corrupt user data, code, or system configurations. Ranges from unguarded file writes to unconditional rm -rf. Damage doesn't require malicious intent.
Scope Escalation
Skill expands its own permissions or capabilities at runtime — dynamically importing modules, fetching and executing remote code, modifying its own config, or requesting additional tool access beyond what is declared.
Supply Chain Compromise
Skill pulls in compromised dependencies, uses postinstall scripts to execute code, loads packages from non-standard registries, or vendors modified copies of known libraries.
Obfuscated Behavior
Skill uses encoding, encryption, string assembly, or dynamic code generation to hide what it actually does. The obfuscation itself is the signal — legitimate code does not need to hide its behavior.
Undisclosed Network Activity
Skill makes network connections not documented or necessary for its stated purpose. Distinct from AST-01 in that the transmitted data may not be sensitive — the concern is hidden communication channels that could be exploited.
Unbounded Autonomy
Skill enables high-impact actions (purchases, deployments, message sending, destructive operations) without human confirmation gates. Even well-intentioned skills become dangerous when they remove guardrails from agentic workflows.
Scoring Model
Each audit produces three independent 0–100 scores, combined into a single overall exposure number.
Binary: 100 if any finding is classified as malicious, 0 otherwise. A single malicious finding is enough.
How much damage could this skill do if it went wrong? Captures power independent of intent.
How likely is an agent to go off the rails? Weighted toward AST-05 and AST-10.
Overall exposure formula:
maliciousIntent = 100 if ANY malicious finding, else 0
overallExposure = maliciousIntent × 1.0
+ inherentCapability × 0.01
+ misuseSurface × 0.05Weighting is deliberately lopsided — detected malice dominates the score completely.
Exposure Tiers
AST v1.0 — Agent Skill Threats taxonomy. Versioned and documented. A Build Aloud project.