Anthropic’s Claude Agent Skills feature could be misused by threat actors to spread malicious Skills that execute malware, Cato Networks reported Tuesday. Claude Agent Skills are custom code modules that can be used to extend the capabilities of Claude AI agents. To use a Skill, users download a folder containing prompts and files that the Claude agent will invoke when performing the intended Skill.Skills, which were first introduced in October 2025, are often shared amongst Claude users online through social media and repositories like GitHub and are designed to improve automation workflows.Cato Networks’ blog post outlines the risk posed when users install a Skill that has been laced with malware, including ransomware.“When executed, a Skill’s code runs with access to the local environment, including filesystem and network, effectively granting it the privileges of a local process,” the Cato CTRL researchers explained.Users must grant permission for a Skill to be run as well as approve any code Claude generates when running a skill. However, when a Skill’s underlying code has not been fully vetted, users may unknowingly grant permission for a Skill to perform dangerous actions such as retrieve and execute an external script.
To demonstrate the potential risk, Cato CTRL altered an open-source GIF creation Skill provided by Anthropic to add a helper function that appears at first glance to perform legitimate GIF post-processing functions.However, an external script retrieved by the helper function deploys MedusaLocker ransomware on the user’s machine. Cato CTRL demonstrated successful execution of MedusaLocker in a controlled test environment when running the skill, which initially appeared to the user to be performing legitimate GIF creation functions.When asking permission to use the Skill, Claude tells the user “Claude may use instructions, code, or files from this Skill,” followed by a description of the Skill (i.e. “Toolkit for creating animated GIFs optimized for Slack” etc.). The user is also asked for permission to run the subsequent GIF-creating code generated by Claude.Cato CTRL argues that users may grant approval without realizing they are giving permission for the underlying helper function to retrieve and execute an external script.“The concern lies in how far that initial trust extends. Once a Skill is approved, it gains persistent permissions to read/write files, download and execute additional code, and open outbound connections, all without further prompts or visibility,” Cato CTRL wrote.When Cato reported their proof-of-concept to Anthropic, Anthropic responded, saying, “It is the user’s responsibility to only use and execute trusted Skills,” emphasizing that Claude warns users that code and files from the Skill will be used during Skill execution.Due to the potential for attackers to distribute malicious Skills, Cato recommends running Claude inside a sandbox or virtual machine with limited filesystem and network permissions and to treat Skills as any other arbitrary code being downloaded to one’s machine.Users should ensure they only download Skills from trusted sources and monitor Skills for suspicious activity such as unexpected subprocesses creation, file writes or outbound connections, Cato concluded.
AI/ML, Ransomware, Malware, Supply chain, Application security, Exposure management
Claude Agent Skills could be used to deploy malware, researchers say
(Credit: Thaspol – stock.adobe.com)
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds