Skip to main content

Audit every skill
your AI Agents run.

One command scans every skill your agent has installed — vulnerabilities, supply chain risks, policy violations. skill.md

agentsec — ~/.openclaw

The 10 Agent Security Commandments

OWASP Agentic Skills Top 10 — research by the OWASP Foundation.

  • AST-01Malicious Skills

    What it is: Skills that look legitimate but ship hidden payloads — credential stealers, backdoors, or prose-level prompt injection.

    Why it matters: Skills run with the agent's full permissions, so one bad install can leak keys, SSH, wallets, and shell access.

    Read more: OWASP AST-01

  • AST-02Supply Chain Compromise

    What it is: Skill registries lack the provenance controls mature package ecosystems take for granted.

    Why it matters: Publishing barriers are minimal and a single compromised dependency inherits the agent's entire credential set.

    Read more: OWASP AST-02

  • AST-03Over-Privileged Skills

    What it is: Skills that request far more permissions than their task actually needs.

    Why it matters: Research shows roughly 90% of agent skills are over-permissioned — every extra scope widens the blast radius.

    Read more: OWASP AST-03

  • AST-04Insecure Metadata

    What it is: Hidden capabilities that don't match a skill's public description or declared manifest.

    Why it matters: Reviewers can't consent to risks they can't see; brand impersonation rides in on the same vector.

    Read more: OWASP AST-04

  • AST-05Unsafe Deserialization

    What it is: YAML, JSON, and markdown parsed by skill loaders without sandboxing.

    Why it matters: Attackers can ship executable payloads that trigger on skill load, before any user action.

    Read more: OWASP AST-05

  • AST-06Weak Isolation

    What it is: Skills executing without effective containment between the skill and the host agent.

    Why it matters: Sandbox escapes turn a single exploited skill into full host compromise.

    Read more: OWASP AST-06

  • AST-07Update Drift

    What it is: Skills that silently change after they were approved and reviewed.

    Why it matters: Reviews go stale the moment the upstream skill ships a new version; signed audits don't survive drift.

    Read more: OWASP AST-07

  • AST-08Poor Scanning

    What it is: Traditional scanners that miss AI-specific attack patterns buried in prose and metadata.

    Why it matters: Malicious instructions hide in plain English; matching on code alone leaves the prose layer untouched.

    Read more: OWASP AST-08

  • AST-09Insufficient Governance

    What it is: Organizations running agents with no inventory of which skills are installed where.

    Why it matters: You can't audit, patch, or revoke what you can't see; incidents become forensic archaeology.

    Read more: OWASP AST-09

  • AST-10Cross-Platform Reuse

    What it is: Skills that are safe on one platform but dangerous when reused on another.

    Why it matters: Permission models differ across OpenClaw, Claude Code, and Cursor — the same skill is not the same risk.

    Read more: OWASP AST-10