I've been spending time looking through "skills" for LLMs, and I feel like I'm the only one panicking. Nobody else seems to care.
Agent skills are supposed to be a way to teach your LLM how to handle specific tasks. For example, if you have a particular method for adding tasks to your calendar, you write a skill file with step-by-step instructions on how to retrieve a task from an email and export it. Once the agent reads the file, it knows exactly what to do, rather than guessing.
This can be incredibly useful. But when people download and share skills from the internet, it becomes a massive attack vector. Whether it's a repository or a marketplace, there is ample room for attackers to introduce malicious instructions that users never bother to vet. It is happening.
We are effectively back to the era of downloading .exe files from the internet and running them without a second thought.
Congratulations are in order! While you were busy admiring how nicely this skill formats your bullet points, it quietly rummaged through your digital life, uploaded your browser history to a pastebin, and ordered fifteen pounds of unscented kitty litter to your workplace. You thought you were downloading a productivity tool, but you actually just installed a digital intern with a criminal record and a vendetta.
It turns out, treating a text file like a harmless puppy was a mistake. You saw "Markdown" and assumed safety, but you forgot that to an LLM, these words are absolute law. While you were vetting the font choice, the skill was busy sending your crypto keys to a generous prince in a faraway land. You didn't just automate your workflow; you automated your own downfall.
So, sit back, relax, and watch as your calendar deletes your meetings and replaces them with "Time to Reflect on My Mistakes." You have officially been pawned. Next time, maybe read the instructions before you let the AI run your life.