AST v1.0

Agent Skill Threats

A fixed, versioned taxonomy of 10 threat types for auditing skills installable across agentic frameworks. Modeled after OWASP Top 10, the AST catalogs what can go wrong when you give an AI agent access to tools. Every finding is classified by intent — malicious, negligent, or accidental — because the same threat type can appear for very different reasons.

For the full story on why we replaced the two-axis model, read the Build Aloud post: We Rewrote the Security Scoring. Here's Why. →

Per-Finding Intent Classification

Any threat type can appear with any intent. A data exfiltration finding might be malicious (hardcoded C2 server) or negligent (verbose error logging to a public endpoint). Intent is classified per finding, not per threat type.

Malicious

Author deliberately designed this to harm users.

Negligent

Risk is foreseeable but likely unintentional. Author should have known better.

Accidental

Well-meaning capability that could cause harm through normal or off-rails agent use.

The 10 Threat Types

AST-01

Data Exfiltration

Skill sends user data, file contents, conversation context, or system information to external services without clear disclosure. Ranges from undisclosed analytics to piping file contents to unknown servers.

AST-02

Credential Harvesting

Skill accesses secrets, tokens, API keys, SSH keys, or credentials beyond what its stated purpose requires. Ranges from reading one superfluous env var to scraping ~/.ssh and ~/.aws.

AST-03

Persistent Backdoor

Skill installs mechanisms for ongoing unauthorized access — hidden MCP tools, cron jobs, startup scripts, SSH keys, reverse shells, or config modifications that persist after the skill stops running.

AST-04

Context Manipulation

Skill injects hidden instructions, modifies system prompts, or manipulates agent context beyond its stated scope. Includes prompt injection payloads embedded in tool outputs or resource content.

AST-05

Destructive Operations

Skill can delete, overwrite, or corrupt user data, code, or system configurations. Ranges from unguarded file writes to unconditional rm -rf. Damage doesn't require malicious intent.

AST-06

Scope Escalation

Skill expands its own permissions or capabilities at runtime — dynamically importing modules, fetching and executing remote code, modifying its own config, or requesting additional tool access beyond what is declared.

AST-07

Supply Chain Compromise

Skill pulls in compromised dependencies, uses postinstall scripts to execute code, loads packages from non-standard registries, or vendors modified copies of known libraries.

AST-08

Obfuscated Behavior

Skill uses encoding, encryption, string assembly, or dynamic code generation to hide what it actually does. The obfuscation itself is the signal — legitimate code does not need to hide its behavior.

AST-09

Undisclosed Network Activity

Skill makes network connections not documented or necessary for its stated purpose. Distinct from AST-01 in that the transmitted data may not be sensitive — the concern is hidden communication channels that could be exploited.

AST-10

Unbounded Autonomy

Skill enables high-impact actions (purchases, deployments, message sending, destructive operations) without human confirmation gates. Even well-intentioned skills become dangerous when they remove guardrails from agentic workflows.

Scoring Model

Each audit produces three independent 0–100 scores, combined into a single overall exposure number.

Malicious Intent

Binary: 100 if any finding is classified as malicious, 0 otherwise. A single malicious finding is enough.

Inherent Capability

How much damage could this skill do if it went wrong? Captures power independent of intent.

Misuse Surface

How likely is an agent to go off the rails? Weighted toward AST-05 and AST-10.

Overall exposure formula:

maliciousIntent  = 100 if ANY malicious finding, else 0

overallExposure  = maliciousIntent × 1.0
                 + inherentCapability × 0.01
                 + misuseSurface × 0.05

Weighting is deliberately lopsided — detected malice dominates the score completely.

Exposure Tiers

low
0–5
medium
5–20
high
20–50
critical
50–100
Browse Audited Skills →

AST v1.0 — Agent Skill Threats taxonomy. Versioned and documented. A Build Aloud project.