That kicks the can down by approx 10cm.

Not really: I mean ideally, yes, the model would only follow instructions in skills, but in practice, it won't work.

Because then, the malicious web page or w/e just has skills-formatted instructions to give me your bank account password or w/e.