OWASP — Agentic Skills Top 10: First Security Framework for AI Agent Skill Ecosystems
AI relevance: OWASP released the Agentic Skills Top 10 (AST10), the first comprehensive security framework covering AI agent skill ecosystems across OpenClaw, Claude Code, Cursor/Codex, and VS Code—after finding 36.82% of 3,984 scanned skills contained security flaws and 13.4% had critical vulnerabilities, with 76+ confirmed malicious payloads already deployed.
What Happened
- OWASP launched the Agentic Skills Top 10 (AST10) project, documenting the 10 most critical security risks in agentic AI skills with evidence-based mitigations across all major AI agent platforms.
- The framework covers skill ecosystems for OpenClaw (SKILL.md YAML), Claude Code (skill.json), Cursor/Codex (manifest.json), and VS Code (package.json)—the behavior layer that translates AI capabilities into real-world actions.
- 2026 statistics from the project's initial scan of 3,984 skills across registries: 36.82% contained security flaws, 13.4% had critical vulnerabilities, 76+ confirmed malicious payloads were found, and the ClawHavoc campaign alone deployed 1,184 malicious skills.
- The top risks include: AST01 Malicious Skills (Critical), AST02 Supply Chain Compromise (Critical), AST03 Over-Privileged Skills (High), AST04 Insecure Metadata (High), AST05 Untrusted External Instructions (High), AST06 Weak Isolation (High), AST07 Update Drift (Medium), AST08 Poor Scanning (Medium), AST09 No Governance (Medium), AST10 Cross-Platform Reuse (Medium).
- The project maps to CSA's MAESTRO 7-layer threat model and references real-world incidents: Antiy CERT's ClawHavoc campaign (Feb 2026), Snyk ToxicSkills registry poisoning (Feb 2026), Check Point's Claude Code RCE (CVE-2025-59536/21852), and Oasis Security's WebSocket hijacking (CVE-2026-28363).
- Skills are dangerous when they combine: access to private data (SSH keys, API credentials, wallet files), exposure to untrusted content (skill instructions, memory files, email), and ability to communicate externally (network egress, webhook calls)—conditions met by most production agent deployments.
- The project includes a security assessment checklist, risk assessment tool, skill scanner integration guide, incident response playbook, and a proposed universal skill format for cross-platform security.
Why It Matters
While significant attention has been given to securing LLMs and MCP tools, agent skills represent the behavior layer that translates AI capabilities into real-world actions. Skills define how agents orchestrate multi-step workflows, making them a critical attack surface. The AST10 framework is the first to systematically catalog these risks with platform-specific guidance, filling a gap between generic LLM security and the practical reality of deployed agent ecosystems under active attack as of Q1 2026.
What to Do
- Assess current posture using the AST10 security assessment checklist to identify gaps in your skill ecosystem.
- Implement cryptographic signing for skills to prevent tampering and ensure provenance verification.
- Apply least-privilege manifests: skills should declare minimum required permissions and runtime enforcement should prevent privilege escalation.
- Pin skill dependencies with hash verification to prevent update drift and supply chain compromise.
- Deploy multi-tool scanning pipelines combining static analysis, behavioral scanning, and semantic analysis to detect malicious patterns.
- Maintain skill inventories with audit logging to track which skills are deployed, their versions, and their access patterns.