AKA, if a malicious skill got into your AI agent, you're cooked.
I think this isn't surprising, nor do I think it should be considered a prompt injection at all. An AI skill is akin to a plugin for traditional software - if you install a malicious IDE extension or Outlook plugin, the attacker can also do whatever they want to the PC and exfiltrate whatever data they want to. So this article is a big nothingburger.
I think people are probably already doing it. I made a skill scanner, but it's also just easy to download a zip and inspect the contents... but people are loading these things remotely. I agree that it is easy to not install a pentester's magic skill, but the attack capabilities a skill can have are pretty insane. People should just make their own is my POV.
Only if it has access to exfiltrate data. We deny by default and the company has to allowlist each individual destination.
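What a deny-by-default egress policy for an agent's fetch tool can look like, as an added example (this is not the commenter's setup; the allowlist entries, the `.example` hostnames and the `guarded_fetch` wrapper are assumptions made for the illustration). Beyond the plain host match it also rejects the ways a URL is usually smuggled past an allowlist: userinfo tricks, raw IP literals, non-standard ports, lookalike suffixes and a trailing dot on the hostname.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed company allowlist (assumed for this example). A leading dot means
# "that domain and every subdomain"; anything else must match exactly.
ALLOWED_DESTINATIONS = frozenset({"api.github.com", ".internal.example.com"})


class EgressDenied(Exception):
    pass


def check_egress(url: str, allowlist=ALLOWED_DESTINATIONS) -> str:
    """Return the normalized host if the agent may talk to `url`; raise otherwise.

    Default is deny: an empty allowlist rejects every URL.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise EgressDenied(f"scheme {parts.scheme!r} is not https")
    if "@" in parts.netloc:
        # https://api.github.com@evil.example/ connects to evil.example; refuse
        # userinfo outright rather than depending on how a given fetcher parses it.
        raise EgressDenied("userinfo in URL")
    try:
        port = parts.port
    except ValueError as e:
        raise EgressDenied(f"bad port: {e}")
    if port not in (None, 443):
        raise EgressDenied(f"port {port} is not 443")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        raise EgressDenied("no host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        # Raw IPs (including link-local and cloud metadata addresses) bypass name-based policy.
        raise EgressDenied("IP literals are never allowlisted")
    for entry in allowlist:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return host
        elif host == entry:
            return host
    raise EgressDenied(f"{host} is not an allowlisted destination")


def is_allowed(url: str, allowlist=ALLOWED_DESTINATIONS) -> bool:
    try:
        check_egress(url, allowlist)
        return True
    except EgressDenied:
        return False


def guarded_fetch(url: str, fetch):
    """Wrap the agent's HTTP tool so the policy runs before any connection is made."""
    check_egress(url)
    return fetch(url)


if __name__ == "__main__":
    # Stand-in for the real HTTP tool so the demo runs offline.
    fake_fetch = lambda u: f"<contents of {u}>"
    for u in ("https://api.github.com/repos/x/y", "https://api.github.com@evil.example/",
              "https://93.184.216.34/", "https://ci.internal.example.com/job/1"):
        try:
            print("allowed:", guarded_fetch(u, fake_fetch))
        except EgressDenied as e:
            print("denied:", u, "->", e)
```

The check belongs in the tool wrapper, not in the prompt: a skill can talk the model into calling the tool with any URL it likes, but it cannot talk the wrapper out of raising. Redirects still need handling in the fetcher itself (re-run `check_egress` on every hop), which this example leaves to the HTTP client.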
I wonder if via-skill could become a software distribution channel. A bit like what has happened with LLM wiki.
It's actually even worse — it's advertising for their product.
> nor do I think it should be considered a prompt injection at all
Can we stop the apologetic framing? It's increasingly common to create exploits from multiple vulnerabilities. Each one is bad. Downloading corporate malware is stupid. Adding random prompt injection is reckless. Insane to run autonomous agents on top of it.
Prompt injection is more serious in this regard, because there is no known solid protection. All the other problems are failures in process; prompt injection is a failure at the first thought.
Unlike plugins in traditional software, skills do not represent a carveout from any security boundary nor run with elevated trust. They're just selectively loaded context. Anything you can convince an agent to do with a skill you can convince it to do without one.
Thankfully, inserting malicious skills is not something that can easily be done; you need to do a lot of things wrong and the attacker needs to do a lot of things right in order for it to be exploited.
An AI skill is not just a plugin. Given the right model, supposedly, it can do much more. Since everyone's harness tends to be tied to the model, it has a whole tool set to use.
It's yet another surface for dependency attacks
If this can be exploited via a skill, then it can be exploited via untrusted input inserted into context. Does Cowork help with reading email?