About Research Work With Me AI News Contact
AI Security

Malicious Claude Skills Can Steal API Keys and Credentials

Installing a skill from someone you do not know is the same decision as running a stranger's code. Here is how the attack works, and four checks that stop it.

Three phones showing a Skills list, the Claude app, and a warning asking whether to allow a skill to run shell commands
Skills give AI agents new capabilities, and new access. Photo Illustration

Skills are, in the friendliest possible framing, apps for your AI. You drop one in and Claude instantly learns a brand new ability, from formatting slide decks to scraping a website to writing SQL. That is exactly why they are spreading so fast, and exactly why they deserve a second look.

Under the hood, a skill is at its core a folder of instructions and scripts that you hand to an AI agent with access to your machine. Installing one from an author you do not know is the same decision as running a stranger's code. Most people are making that decision several times a week without reading a single file inside.

The reason that matters is simple: your agent already knows where your secrets live. It can open files, run commands, and reach the network on your behalf. A skill does not sit off to the side as a harmless reference document. The moment you install it, its instructions become part of what your agent is willing to do.

How a malicious skill actually steals credentials

This is not a hypothetical risk. Security researchers at Check Point have already demonstrated that Claude Code could be hijacked through the configuration files inside a project: hooks that run shell commands automatically, and MCP server entries that execute before any warning appears. Simply opening an untrusted project was enough to expose API keys and hand over control of a developer's machine.

Anthropic patched those specific flaws, but the lesson stands. Files you pull onto your machine become part of the execution layer, and the risk does not depend on a bug being present.

A malicious skill does not need to go that far. It does not need to exploit a vulnerability at all. It can simply include instructions the agent will follow: read the contents of a .env file, summarize your credentials into an innocuous looking log, or quietly send data to an external endpoint the next time the agent has network access. Each of those steps is an ordinary thing an agent is designed to do.

A skill is not a document you read. It is code you run.

Dr. Erin Jacques

The agent is not misbehaving when it leaks your keys. It is doing exactly what the skill told it to do. That framing also explains why popularity is not protection. A skill with thousands of downloads can still carry one buried instruction that no one bothered to read, because the whole appeal of skills is that you are not supposed to have to read them. Convenience is the attack surface.

Four checks before you install a skill

None of this requires you to become a security engineer. It requires four habits, and each one takes only a few minutes.

  1. Read every file in the skill. Skills are small. If you cannot read it in five minutes, that is a reason for suspicion, not a reason to skip the review. Look especially for instructions that mention environment variables, credentials, or network requests.
  2. Check for scripts and hooks. Anything executable, including shell scripts, hook definitions, and MCP configuration, deserves a line by line read. Instructions can only ask the agent to act. Scripts act on their own.
  3. Verify the author. A skill from an official repository or a developer with a public track record is a different risk than a zip file from a viral post. Popularity is not verification.
  4. Keep secrets out of reach. Do not keep production API keys, password files, or credential stores in directories your agent can read. The best time to limit the blast radius is before anything goes wrong.

None of this means skills are dangerous by default. It means they are software, and the habits that took the software industry decades to learn about dependencies now apply to the instructions we hand our agents. Read before you install, verify the author, and keep your secrets out of any folder your agent can reach.

Dr. Erin Jacques

Dr. Erin Jacques is a professor of informatics at the City University of New York and the founder of Leveraging AI and ChatifyIT. She helps people build the skills they need to monetize the new AI economy.