What is the OWASP Agentic Skills Top 10 (AST01–AST10)?
What "agentic skills" are — and why they need their own Top 10
A skill is a reusable, named behavior package an agent loads to acquire a capability: a SKILL.md (often with YAML/JSON frontmatter) or skill.json bundle that ships instructions, workflow logic, declared permissions, and sometimes helper scripts. They are the units traded in skill registries (ClawHub and similar) and consumed by hosts like OpenClaw, Claude Code, Cursor, and VS Code.
The OWASP Agentic Skills Top 10 (AST10) is a distinct OWASP project — separate from both the LLM Top 10 and the Agentic AI Top 10 — that catalogs the ten most critical security risks of these skill packages. It is led by Ken Huang with co-leads Akram Sheriff, Aonan Guan, Bhavya Gupta, Fabio Cerullo, Hammad Atta, and Iftach Orr, was conceived at the OWASP Project Summit in Oslo, and is licensed CC BY-SA 4.0. Each risk is grounded in real Q1‑2026 incident evidence (ClawHub poisoning, Snyk audits, Check Point CVEs, SecurityScorecard/Bitdefender telemetry).
- Status note: the document body labels itself "v1.0 (2026 Edition)," but the OWASP project metadata reports version 0.0.0 and the project is an Incubator / Candidate. Treat it as a pre‑1.0 Incubator draft, not a finalized standard.
The layered model: where skills sit
Skills occupy the behavior/workflow layer, distinct from the model and the tools beneath them:
- LLM / agentic reasoning (bottom): the foundation model that plans and decides.
- Skills (middle): named behavior packages that shape *how* the agent reasons and acts — the workflows, instructions, and declared permissions it loads.
- MCP tools (the action surface): the external tools, APIs, file systems, shells, and data sources the agent actually invokes.
A skill is more dangerous than a single tool call because it is reusable, distributable, and trusted: it carries plain-language instructions the model follows, it sits *above* the tool layer (so it can orchestrate many tools), and it is shared across hosts. A poisoned skill therefore amplifies into every session and every downstream MCP tool it can reach.
- Mapping convention (important): the canonical project maps each AST risk to (a) the OWASP LLM Top 10 and (b) a MAESTRO layer (CSA's 7‑layer agentic model). It does not assign "ASI0X" Agentic‑AI‑Top‑10 codes per item — any such code below is an *analogy*, not a canonical mapping.
AST01 — Malicious Skills
Skills that are intentionally malicious — injected into registries or published under impersonated identities — to steal credentials, exfiltrate data, or compromise the host. The ClawHavoc campaign deployed roughly 1,184 malicious skills across ClawHub (Jan–Feb 2026), targeting exchange API keys, wallet private keys, SSH keys, and browser passwords. Snyk's ToxicSkills audit scanned 3,984 skills and found 1,467 (36.82%) flawed, 534 (13.4%) critical, and 76+ confirmed live payloads. Severity: Critical.
- Key mitigation: cryptographically sign skills (e.g. ed25519) and require behavioral scanning at publish time — not just signature matching — with Merkle‑root bundle verification.
- Maps to: LLM03 Supply Chain. MAESTRO: L7 Agent Ecosystem / L3 Agent Frameworks. *(Analogous to ASI04 Agentic Supply Chain.)*
AST02 — Supply Chain Compromise
Attackers compromise upstream dependencies, the registry, or developer accounts to inject malicious code into otherwise-legitimate skills. Check Point disclosed CVE‑2025‑59536 (CVSS 8.7) enabling silent RCE via repository configuration files in Claude Code projects, and CVE‑2026‑21852 (CVSS 5.3), a Medium‑severity API‑exfiltration issue — not an RCE. Severity: Critical.
- Key mitigation: pin dependencies to immutable hashes (not version ranges), keep registry transparency/provenance logs, and harden developer accounts (MFA, protected signing keys).
- Maps to: LLM03 Supply Chain. MAESTRO: L3 Agent Frameworks / L7 Agent Ecosystem.
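As an added example (not code from the OWASP project, ClawHub or any host), here is the publish-and-install check that AST01 and AST02 call for and that the "Sign and pin" step at the end of this page repeats: a Merkle root over the files of a skill bundle, signed once with ed25519 by the publisher, then recomputed by the installer and compared against a pinned root before the signature is checked. The in-memory bundle layout, the 0x00/0x01 leaf and node prefixes, and the lockfile pin are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"sort"
)

type Bundle map[string][]byte // skill bundle: relative path -> file content
type Root [sha256.Size]byte   // Merkle root: the value that gets pinned and signed
func h(parts ...[]byte) Root { return sha256.Sum256(bytes.Join(parts, nil)) }
// sampleBundle is a constructed two-file skill used to demonstrate the flow.
var sampleBundle = Bundle{"SKILL.md": []byte("---\nname: demo\n---\nSummarize the repo.\n"), "scripts/run.sh": []byte("echo ok\n")}

// MerkleRoot: leaves sorted by path, binding path to content under prefix 0x00; inner nodes under 0x01 so a leaf cannot pose as a node.
func MerkleRoot(b Bundle) Root {
	paths := make([]string, 0, len(b))
	for p := range b {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	level := []Root{}
	for _, p := range paths {
		level = append(level, h([]byte{0}, []byte(p), []byte{0}, b[p]))
	}
	if len(level) == 0 {
		return h([]byte{0}) // an empty bundle still has a well-defined root
	}
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1]) // duplicate last node on odd levels
		}
		next := []Root{}
		for i := 0; i < len(level); i += 2 {
			next = append(next, h([]byte{1}, level[i][:], level[i+1][:]))
		}
		level = next
	}
	return level[0]
}
// SignBundle: the publisher signs the root once; that signature covers every file.
func SignBundle(priv ed25519.PrivateKey, b Bundle) []byte {
	root := MerkleRoot(b)
	return ed25519.Sign(priv, root[:])
}
// VerifyBundle is the installer's check: recomputed root == the hash pinned in the lockfile AND the publisher's signature verifies.
func VerifyBundle(pub ed25519.PublicKey, b Bundle, pinned Root, sig []byte) bool {
	root := MerkleRoot(b)
	return root == pinned && ed25519.Verify(pub, root[:], sig)
}
```

Because each leaf binds the file's path to its content, an edited file, a renamed file, an added or removed file, or a signature from a key other than the trusted publisher key all fail the same check.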
AST03 — Over-Privileged Skills
Skills request far more permission than the task needs — broad file access, shell, network, identity-file writes — amplifying blast radius and enabling lateral movement and data theft. Snyk's "Leaky Skills" audit (Feb 5 2026) found 280+ skills openly leaking API keys and PII through over-permissioned file/network access. Severity: High.
- Key mitigation: least-privilege manifests with explicit path/host allowlists, schema-validated permission requests, runtime enforcement of declared scope, and a hard deny on writes to agent identity files (SOUL.md, MEMORY.md, AGENTS.md).
- Maps to: LLM06 Excessive Agency. MAESTRO: L4 Deployment & Infrastructure. *(Analogous to ASI03 Identity & Privilege Abuse.)*
AST04 — Insecure Metadata
Misleading, missing, or unverifiable metadata (author, declared permissions, risk level) hides a skill's true scope and enables typosquatting, brand impersonation, and social engineering. ClawHub hosted skills impersonating legitimate vendors (e.g. fake "Google" skills) to exploit brand trust. Severity: High.
- Key mitigation: anchor author identity (e.g. decentralized identifiers), enforce honest risk-tier declarations, and run typosquat / impersonation detection plus manifest linting at the registry.
- Maps to: LLM03 Supply Chain. MAESTRO: L7 Agent Ecosystem. *(Analogous to ASI09 Human‑Agent Trust Exploitation.)*
AST05 — Unsafe Deserialization
Skills load untrusted YAML/JSON config (e.g. SKILL.md frontmatter) with dangerous tags or unsafe parser settings, allowing code injection at parse time — before the skill's logic even runs. (The project lead's blog informally labels this slot "Prompt Injection"; the canonical OWASP project page and README title it "Unsafe Deserialization," used here.) Severity: High.
- Key mitigation: use safe parsers with dangerous tags disabled, validate against a schema before loading, deserialize in a sandbox, and enforce strict types on parsed fields.
- Maps to: classic A08 Insecure Deserialization adapted to the skill layer. MAESTRO: L3 Agent Frameworks. *(Relates to ASI05 Unexpected Code Execution.)*
AST06 — Weak Isolation
Skills run inside the agent host process or with unrestricted filesystem/shell access instead of a sandbox, so a compromised skill can escalate privilege and move laterally. SecurityScorecard found 135,000+ OpenClaw instances publicly exposed with no container isolation, of which 53,000+ correlated with prior breaches. Severity: High.
- Key mitigation: container/Docker sandboxing by default, process isolation with host-mode as an explicit opt-in, filesystem/network namespace restrictions, and syscall/resource limits.
- Maps to: LLM06 Excessive Agency. MAESTRO: L4 Deployment & Infrastructure. *(Analogous to ASI05 Unexpected Code Execution.)*
AST07 — Update Drift
Skills or their dependencies lag on security patches, leaving known-vulnerable versions in use; attackers exploit published CVEs faster than orgs update. CVE‑2026‑28363 ("ClawJacked," CVSS 9.9) enabled WebSocket brute-force hijacking of local OpenClaw instances before patches rolled out. Severity: Medium.
- Key mitigation: immutable hash pinning (no open version ranges), automated advisory/patch detection, signature-verified updates, and fast, tested patching infrastructure.
- Maps to: LLM03 Supply Chain (outdated components). MAESTRO: L4 Deployment & Infrastructure.
AST08 — Poor Scanning
Pattern/signature-based scanners miss behavioral and natural-language injection attacks, so malicious skills pass automated checks while encoding exfiltration logic in plain-language instructions. Snyk showed signature scanners miss the large majority of semantic-level attacks. Severity: Medium.
- Key mitigation: a multi-tool pipeline combining static + behavioral + semantic analysis, LLM-assisted intent detection, manual review for high-risk skills, and red-team test suites that validate the scanners themselves.
- Maps to: cross-cutting detection gap that reinforces AST01/AST02. MAESTRO: L5 Evaluation & Observability.
AST09 — No Governance
Organizations lack skill inventories, approval workflows, audit logging, and agentic-identity controls, so skill deployment and usage are invisible to security teams. Bitdefender telemetry showed employees running OpenClaw on corporate machines with zero SOC visibility. Severity: Medium.
- Key mitigation: maintain a skill inventory with approval workflows, agentic identity controls, and structured audit logging of every skill action (file I/O, shell, network, memory writes) feeding SOC visibility.
- Maps to: governance gap across the Agentic AI Top 10. MAESTRO: L6 Security & Compliance (cross-cutting). *(Analogous to ASI03 Identity & Privilege Abuse.)*
AST10 — Cross-Platform Reuse
Malicious skills are ported across OpenClaw, Claude Code, Cursor, and VS Code with format-specific obfuscations, and the absence of standardized security properties prevents comparison or carry-over of scan results across platforms — so each platform re-trusts a skill from scratch. Severity: Medium.
- Key mitigation: a universal skill format standardizing permissions, signatures, and scan status; platform validation of imported skills; and portable provenance that carries scan/trust state across platforms instead of re-trusting.
- Maps to: LLM03 Supply Chain (format-fragmentation evasion). MAESTRO: L7 Agent Ecosystem / L3 Agent Frameworks.
How teams should vet, sign, and sandbox skills
Treat every skill as untrusted third-party code that *also* speaks to your model in natural language. A practical defense-in-depth posture:
- Vet before trust. Run skills through a multi-stage pipeline — static analysis + behavioral execution + semantic/LLM intent detection — not signature matching alone (AST08). Lint manifests, verify author identity, and flag typosquats/impersonation at ingest (AST04). Use canonical audit data as a baseline expectation: roughly a third of skills are flawed and ~13% critical, so a clean signature is not evidence of safety.
- Sign and pin. Require cryptographic signatures (e.g. ed25519) with Merkle‑root bundle verification (AST01), and pin dependencies to immutable hashes rather than version ranges so updates can't silently swap in malicious code (AST02, AST07).
- Constrain with least privilege. Enforce least-privilege manifests with explicit path/host allowlists, validate requested permissions against a schema, and enforce the declared scope at runtime. Deny writes to agent identity files like SOUL.md / MEMORY.md / AGENTS.md (AST03).
- Sandbox by default. Run skills in containers with filesystem and network namespace isolation, syscall/resource limits, and host-process mode only as an explicit, logged opt-in (AST06). Parse all skill config with safe deserializers (dangerous tags off, schema-validated) before any logic executes (AST05).
- Govern and observe. Keep a skill inventory with approval workflows, agentic-identity controls, and structured, tamper-evident audit logging of every file/shell/network/memory action so the SOC has visibility (AST09).
- Standardize portability. Adopt a universal skill format so signatures, permissions, and scan/trust state carry across OpenClaw, Claude Code, Cursor, and VS Code instead of each platform re-trusting blind (AST10).
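An added example (not the project's or any host's code) for the "Constrain with least privilege" and "Sandbox by default" steps, i.e. AST03 and AST05: a strictly typed skill.json decoder that rejects unknown keys and wrong types, followed by a least-privilege check on the declared scope that refuses workspace escapes, any write that could reach SOUL.md, MEMORY.md or AGENTS.md, hosts that are not on the allowlist, and shell access. The manifest field names, the host allowlist, the workspace-relative path convention and the sample manifest are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"path"
	"strings"
)
type Manifest struct { // hypothetical skill.json shape: declared scope only, nothing executable
	Name string `json:"name"`
	Perm struct {
		Read    []string `json:"fs_read"` // workspace-relative paths
		Write   []string `json:"fs_write"`
		Network []string `json:"network"` // exact hostnames, no wildcards
		Shell   bool     `json:"shell"`
	} `json:"permissions"`
}
var identityFiles = map[string]bool{"SOUL.md": true, "MEMORY.md": true, "AGENTS.md": true}
var hostAllowlist = map[string]bool{"api.example.com": true} // org policy, constructed
var sampleManifest = []byte(`{"name":"summarize-repo","permissions":{"fs_read":["src"],"fs_write":["out/summary.md"],"network":["api.example.com"],"shell":false}}`) // constructed
// ParseManifest: typed target, unknown keys rejected; JSON has no tag/constructor mechanism, so nothing runs at parse time.
func ParseManifest(raw []byte) (*Manifest, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	m := &Manifest{}
	return m, dec.Decode(m)
}
// CheckPolicy returns every least-privilege violation in the declared scope.
func CheckPolicy(m *Manifest) (v []string) {
	for i, list := range [][]string{m.Perm.Read, m.Perm.Write} {
		for _, p := range list {
			c := path.Clean(p)
			switch {
			case path.IsAbs(c) || c == ".." || strings.HasPrefix(c, "../"):
				v = append(v, "path escapes workspace: "+p)
			case i == 1 && (c == "." || identityFiles[path.Base(c)]):
				v = append(v, "write would reach agent identity files: "+p)
			}
		}
	}
	for _, host := range m.Perm.Network {
		if !hostAllowlist[strings.ToLower(host)] {
			v = append(v, "host not on allowlist: "+host)
		}
	}
	if m.Perm.Shell {
		v = append(v, "shell access needs explicit reviewer approval")
	}
	return v
}
```

JSON is used here because it has no tag mechanism; a YAML frontmatter parser needs the same typed target and schema check plus dangerous tags disabled, and the policy result should also be enforced at runtime, not only at install time.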
The throughline: skills are a supply-chain and excessive-agency problem wearing a natural-language disguise. Sign provenance, pin versions, scan behavior (not just patterns), sandbox execution, and govern the inventory — and do it at the registry, the host, and the runtime, because a single trusted-but-poisoned skill reaches every session and every MCP tool beneath it.
Sources: OWASP Agentic Skills Top 10 project page and README (github.com/OWASP/www-project-agentic-skills-top-10); OWASP Top 10 for Agentic Applications 2026 (genai.owasp.org); kenhuangus.substack.com "From Oslo to Action."
- OWASP Agentic Skills Top 10 (OWASP)