ConceptAgent infrastructure

Agent Skill Security

Agent skill security is the practice of treating reusable agent instructions, hooks, subagents, MCP servers, plugins, and tool bundles as executable or semi-executable supply-chain inputs that need review, scoping, version control, and least-privilege permissions.

Why it matters

Agent skills make AI workflows reusable, but they also create new places for hidden instructions, unsafe shell commands, overbroad tool permissions, prompt injection, and supply-chain compromise. Readers comparing agent harnesses need a security page that explains these risks without treating every reusable prompt as harmless documentation.

Source-backed summary

Anthropic Claude Code docs provide official evidence for hooks, subagents, permission modes, settings, and security boundaries. The hooks reference explicitly warns that hooks execute shell commands and should be reviewed. Broader MCP supply-chain reporting adds current risk evidence around tool adapters and server execution boundaries.

Key points

Reusable agent behavior is part of the software supply chain.
Hooks, MCP tools, and plugin scripts deserve stricter review than plain text guidance.
Least-privilege tool access and project-level scoping reduce blast radius.
Official product safety controls do not remove the user's responsibility to review loaded automation.

What counts as a skill security surface

The risk surface includes any reusable artifact that changes how an agent behaves: skill files, subagent prompts, hook scripts, plugin manifests, MCP server configs, tool adapters, slash commands, project memory, and model-router rules.

Prompt-only skills can redirect behavior or hide unsafe goals.
Hooks and MCP tools can execute commands or reach external systems.
Subagents can inherit tools or run with narrower custom tool scopes depending on configuration.

Why this is a supply-chain problem

Agent skills are often copied between repos, plugins, teams, and chat sessions. Once loaded, they can influence planning, tool selection, code edits, and shell execution. That makes review, provenance, version pinning, and permission scoping as important as prompt quality.

Practical review checklist

Before loading a skill or agent plugin, check what files it can read, what commands it can run, what network services it can call, whether it modifies hooks or settings, whether it asks to skip permissions, and whether it is version-controlled. Treat unknown skills like third-party code.

Related entities

Claude Code

Claude Code documents hooks, subagents, settings, permissions, and security practices.

OpenClaw

Agent framework where gateways, skills, and tools are part of the operational boundary.

Hermes Agent

Personal agent system that illustrates reusable skills, tools, and automation surfaces.

Related concepts

Agent Harness

The broader runtime boundary that must enforce permissions, verification, and review.

Vibe Coding Quality Gap

Why generated work needs review and not just a successful-looking result.

Sources

Source confidence

official-docs

Claude Code hooks reference

Anthropic Docs

official-docs

Claude Code security

Anthropic Docs

official-docs

Claude Code subagents

Anthropic Docs

official-docs

Claude Agent SDK hooks

Claude Code Docs

kol-community

MCP supply-chain risk reporting

ITPro

Agent Skill Security FAQ

Page-level questions for Agent Skill Security.

Are agent skills just prompts?+

Not always. Some skills are plain instructions, but others load hooks, tools, subagents, scripts, MCP servers, or plugin behavior. Once a skill can change tool access or execute commands, it should be reviewed like code.

What should I check before installing an agent skill?+

Check the source, version, file paths, shell commands, MCP servers, network access, permission mode changes, secret handling, and whether the skill asks the agent to bypass review. Prefer project-scoped, version-controlled skills with limited tools.