Assessing Skills? We can help.
TL;DR
- We collected 1,046,565 unique Skills across six marketplaces (SkillsMP, Claude Marketplaces, skills.sh, ClawHub, Composio, and LobeHub), deduplicated from about 1.95 million gathered.
- We seeded every Skill with real malicious content from BIPIA, Microsoft's own indirect-prompt-injection benchmark, then ran the security scan from Microsoft Copilot Cowork's built-in Skill Management Skill.
- The scan caught only ~11% of the malicious Skills.
- After one obfuscation, 99.6% of malicious Skills go undetected.
- A Skill should not be the sole security tool used to assess another Skill for malicious behavior.
Seeding a Million Skills with Malicious Content
To measure what Microsoft's Skill security scan actually catches, we collected 1,046,565 unique Skills from six marketplaces and injected into each one an attack from Microsoft's own Indirect Prompt Injection benchmark (BIPIA): 250 attacks in total, split between prose task-hijacks and bundled code payloads.
From the 250-injection corpus, we created ~5,000 attack variants, varying fields such as the attacker URL, IP, and credential file paths targeted.
For each Skill, we tested three versions: the original Skill from the marketplace, a version injected with malicious content, and the injected version with an obfuscation technique applied. Each version was assessed against the security scan from Microsoft Copilot Cowork's built-in Skill for validating other Skills.
Below is a sample of the payloads injected into the Skills:
Background on Microsoft's Security Scan
Microsoft Copilot Cowork ships with a built-in Skill to 'create, validate, and manage' Cowork Skills. Its validation approach has two layers.
- Static analysis via running Python scripts to analyze the Skill
- Performing a behavioral test (testing the Skill in action)
The security scan is part of the static analysis. It parses the prose in a Skill to detect text that includes injection and exfiltration phrasing, then runs (some) code files through an open-source tool to flag known insecure code patterns.
We examine the static security scan, not the separate quality-related scans, or stochastic analysis by the agent running the scan. We focus on the static layer because once the agent proceeds to behavioral testing (actually running a malicious Skill), the harm is likely already done.
Results
Across the corpus, the scan caught only 10.7% of the seeded attacks. After an obfuscation technique (detailed below) was applied, only 0.4% of the malicious Skills were flagged by the security scan.
Note: Before any malicious content was added, 3.8% of Skills were flagged by the scan.
Bypassing the Security Scan
Both layers of the security scan match against specific keywords and code patterns. That makes them defeatable with one change: split the flagged tokens so the pattern no longer matches.
Here are the keywords and phrases the scan targets:
Flagged in bundled code
- urlopen(
- requests.get / post / put / …
- http.client.HTTPSConnection
- socket.create_connection
- ftplib.FTP
- curl / wget / nc + http(s)://
- ~/.ssh id_rsa .aws/credentials
- .netrc os.environ
- ANTHROPIC / OPENAI / AWS … _KEY
- base64 literal over 400 chars
Flagged in SKILL.md prose
- ignore … previous / prior / above instructions
- disregard … previous … instructions / rules
- forget … previous … instructions
- new (system) instructions:
- you are now a / an / in …
- do not tell / inform / alert the user
- without telling / notifying the user
-  <img src="http://…">
Python files are also analyzed using bandit, an open-source static analyzer that flags dangerous imports and calls. Breaking function calls apart or assembling them at runtime keeps bandit's patterns from ever matching, while the code remains functionally unchanged.
Fun fact
Microsoft’s scanner cites PromptArmor research.
“scan of SKILL.md, references/ prose files, and the raw text of bundled code for the attack class behind issue #11495 (PromptArmor): instruction-override phrasing, hidden exfiltration beacons (external image/img URLs that browsers fetch on render)…”
Don't let a Skill be your only defense against malicious Skills.
To show this on a real Skill, we tested Microsoft's scan against one from our own research.
Prior research on malicious Skills:
Unmodified, the scan flags the malicious Skill from our research for network-egress risk:
With its flagged keywords split up, the same Skill passes clean:
Note: Above, the agent runs the scan and sees the 'PASS' security scan result. The agent then chooses to analyze further because the package name includes 'with bypass' - this breadcrumb was provided to clarify the demo and encourage the agent to identify and explain the scan bypass.
Takeaways
Rolling your own 'Skill that scans Skills' is rarely a sufficient approach to detect malicious Skills. Even a sophisticated Skill for analyzing other Skills is fighting an asymmetric battle.
When the scanner itself is a Skill, the validation Skill is usually used in the same app that the Skill being validated is intended to be used with. This means that the agent evaluating a malicious Skill is the exact same agent the malicious Skill was designed to target, making the system prone to failure.
What's more, code in Skills can draw on any techniques seen across all malware (obfuscation, packing, novel patterns) that a hand-rolled validation Skill is unlikely to comprehensively cover. Microsoft's scanner, for example, only performs real code analysis on Python; a payload written in another language, or in a file type it does not cover, is never flagged.
Malicious Skills contain executable instructions at best, and straight-up malware in code files at worst. Untrusted Skills should be treated like untrusted packages: versioned, signed, and run through an approval process that includes a thorough security review before they reach users.
Background on the Baseline
The scan of marketplace Skills flags 3.8% of Skills as malicious. About 80% of those failures are network-egress calls and external-image exfiltration beacons (zero-click data-theft channels).
We also note that of the unaltered marketplace Skills, Skills from ClawHub were much more frequently flagged.
Background: The Marketplaces
We gathered Skills from six marketplaces: SkillsMP, Claude Marketplaces, skills.sh, ClawHub, Composio, and LobeHub. Below is the number of Skills we gathered from each:
In total we gathered about 1.95 million Skills. Deduplicated by content, 1,046,565 were unique. ~46% of Skills were duplicated (published more than once within a marketplace, or multiple times across marketplaces).
Rolling out Skills? Validate every one before it reaches your users.

