File writes, email sends, API posts, code execution, calendar mutations — any skill that can take irreversible action on behalf of the user. A single prompt injection can trigger cascading write operations at machine speed with no human in the loop.

Adversarial instructions embedded directly inside the skill definition — in the system prompt, tool descriptions, or SKILL.md — execute with full agent trust the moment the skill loads. Unlike fetched-content injection, there is no external fetch to intercept: the payload is the skill itself.

Skills touch applications where you are already authenticated — Gmail, Slack, GitHub, cloud storage — and inherit that access without initiating their own OAuth flow. The skill assumes your existing sessions; it does not ask for new credentials. Everything your identity can reach, the skill can reach.

Skills that read sensitive data — emails, documents, databases — and can reach external endpoints create exfiltration chains that move undetected through normal application behavior. Traditional DLP won't catch model-directed data movement.

Multi-step agentic workflows where one compromised tool call cascades into downstream write actions. Blast radius grows with each link. Every tool-to-tool trust boundary requires explicit review.

Skills that fetch or process external content — web pages, documents, GitHub issues, emails — expose an injection surface. Adversarial instructions in fetched content can hijack agent behavior mid-task.

Skills with access to calendars, contacts, HR systems, or internal docs may surface PII far beyond what the task requires. Insufficient scoping violates GDPR, HIPAA, and internal data policies.