AI Agents and the Expanding Cybersecurity Frontier: Navigating the Risks of Skill-Based Attack Surfaces
The rapid adoption of AI agents has introduced a new dimension to cybersecurity, transforming the attack surface from traditional codebases to natural language text. These agents, which leverage skills—text-based instructions enabling multi-step tasks—pose unique risks as researchers uncover vulnerabilities in their deployment and execution. This evolution demands a reevaluation of security strategies to address the semantic and procedural complexities of AI-driven systems.

The Rise of Skill-Based Attack Vectors
AI agents function by interpreting and executing skills, which are typically defined in files like SKILL.md. These skills act as text-based prompts, guiding agents to perform tasks ranging from code reviews to data analysis. However, this reliance on natural language introduces a critical vulnerability: prompt injection. Researchers have demonstrated that malicious actors can manipulate these skills to alter an agent’s behavior, often without direct code-level access.
Soheil Feizi, a computer science professor at the University of Maryland and founder of RELAI.ai, highlights the dual nature of this risk: “Skills are not just code. they are text instructions that can be weaponized. The ability to inject adversarial prompts through these channels creates a new, expansive attack surface.”
Quantifying the Threat: Snyk’s 2026 Findings
A 2026 report by cybersecurity firm Snyk revealed alarming statistics about the security of AI skill registries. Of the 3,984 skills analyzed across platforms like ClawHub and skills.sh, 13.4% contained critical vulnerabilities, including malware distribution, prompt injection risks, and exposed secrets. This finding underscores the urgency of addressing security gaps in skill registries, which are often treated as trusted repositories.
“The problem isn’t just the skills themselves but how they are discovered, selected, and vetted,” says Feizi. “Adversaries can exploit semantic nuances in skill descriptions to manipulate agent behavior, bypassing traditional security checks.”
Breaking Down the Attack: Semantic Supply-Chain Risks
In a preprint paper titled Under the Hood of SKILL.md: Semantic Supply-Chain Attacks on AI Agent Skill Registry, Feizi and colleagues at the University of Maryland demonstrate how attackers can manipulate skill registries. Their research shows that:
- Short, 20-token triggers can influence how agents discover and select skills, with 86% of tests favoring malicious over legitimate options.
- Attackers can evade detection by “overflowing” the context window of scanners, hiding malicious instructions beyond the 10,000-character limit used by platforms like ClawHub.
- Traditional security tools, which focus on code, often fail to detect risks embedded in text-based skill descriptions.
“This work reveals that natural-language specifications must be treated as security-sensitive objects,” Feizi emphasizes. “Protecting agents requires rethinking how skill registries, ranking mechanisms, and governance pipelines are designed.”
Implications for Cybersecurity Strategy
The findings have significant implications for organizations deploying AI agents. Key recommendations include:

- Enhanced Skill Vetting: Implement rigorous checks for semantic anomalies in skill descriptions, beyond code-scanning tools.
- Contextual Monitoring: Track how agents interact with third-party skills, particularly those automatically fetched based on task relevance.
- Agent-Level Defenses: Develop safeguards to detect and mitigate prompt injection, such as limiting the influence of external prompts on agent behavior.
As AI systems become more autonomous, cybersecurity teams must adopt a proactive approach, treating natural language as a critical component of their defense strategy.
Looking Ahead: A Call for Industry Collaboration
The research by Feizi and his team serves as a wake-up call for the AI and cybersecurity communities. With the proliferation of open-source AI models and decentralized skill registries, the need for standardized security practices has never been greater. Organizations must prioritize transparency, collaboration, and innovation to mitigate risks while harnessing the benefits of AI agents.
“This is not just a technical challenge but a systemic one,” says Feizi. “We need to encourage more careful design of skill ecosystems to ensure they are resilient against evolving threats.”