Unlike plugins in traditional software, skills do not represent a carveout from any security boundary nor run with elevated trust. They're just selectively loaded context. Anything you can convince an agent to do with a skill you can convince it to do without one.