Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
2001zhaozhao 5 hours ago

AKA, if a malicious skill got into your AI agent, you're cooked.

I think this isn't surprising, nor do I think it should be considered a prompt injection at all. An AI skill is akin to a plugin for traditional software - if you install a malicious IDE extension or Outlook plugin, the attacker can also do whatever they want to the PC and exfiltrate whatever data they want to. So this article is a big nothingburger.

mdavidn 4 hours ago | parent | next [-]

If this can be exploited via a skill, then it can be exploited via untrusted input inserted into context. Does Cowork help with reading email?

0gs 5 hours ago | parent | prev | next [-]

i think people are probably already doing it. i made a skill scanner but it's also just easy to download a zip and inspect the contents... but people are loading these things remotely. i agree that it is easy to not install a pentester's magic skill, but the attack capabilities a skill can have are pretty insane. people should just make their own is my pov.

lelandfe 4 hours ago | parent [-]

While debugging in Cursor a couple weeks ago, Opus 4.6 chirped it had discovered that my token, when base64 decoded, had a date that was in the past - perhaps expired?

And it was expired!

And I was happy. And some time passed - and I realized it had read my .env file and performed operations on my API keys.

That these models do all this stuff already makes me assume any skill take over is simply trivial.

bberenberg 4 hours ago | parent | prev | next [-]

Only if it has access to exfiltrate data. We deny by default and the company has to allowlist each individual destination.

degamad an hour ago | parent [-]

> Only if it has access to exfiltrate data.

Or if it has access to a tool call which allows it to exfiltrate data.

In the example identified, the AI agent never accesses the exfiltration URL.

The agent sends an innocuous-looking message to a user via a teams message.

MSTeams previews the link, accessing the exfiltration URL.

nico 5 hours ago | parent | prev | next [-]

I wonder if via-skill could become a software distribution channel. A bit like what has happened with LLM wiki

aabhay 5 hours ago | parent | prev | next [-]

Its actually even worse — its advertising for their product

Yokohiii 3 hours ago | parent | prev | next [-]

> nor do I think it should be considered a prompt injection at all

Can we stop the apologetic framing? It's increasingly common to create exploits from multiple vulnerabilities. Each one is bad. Downloading corporate malware is stupid. Adding random prompt injection is reckless. Insane to run autonomous agents on top of it.

Prompt injection is more serious in this regard, because there is no known solid protection. All the other problems are failure in process, prompt injection is failure at the first thought.

SpicyLemonZest 5 hours ago | parent | prev | next [-]

Unlike plugins in traditional software, skills do not represent a carveout from any security boundary nor run with elevated trust. They're just selectively loaded context. Anything you can convince an agent to do with a skill you can convince it to do without one.

AntosTools 4 hours ago | parent [-]

[dead]

ares623 4 hours ago | parent | prev | next [-]

Thankfully inserting malicious skills is not something that can easily be done, you need to a lot of things wrong and the attacker to do a lot of things right in order for it to be exploited.

datadrivenangel 4 hours ago | parent [-]

Basically everyone I know is installing almost random skills collections...

cyanydeez 5 hours ago | parent | prev | next [-]

ai skill is not just a plugin. given the right model, supposedly, it can do much more. since everyones harness tends to be tied to the model, it has a whole tool set to use.

Jabrov 5 hours ago | parent | prev [-]

It's yet another surface for dependency attacks