Your Phishing Training Doesn't Cover This

Kevin Harbauer 7 min read
AI Governance Enterprise Technology CTO Leadership CISO Strategy
Your Phishing Training Doesn't Cover This

The threat your security team hasn’t named yet. And your employees are already encountering it.

You’ve seen this post.

“I automated my entire workflow with AI agents. Comment SKILLS and I’ll DM you my full playbook. Prompts, tools, and the exact skill pack I use every day.”

Three hundred comments. Eighty reposts. Everyone racing to install something they didn’t inspect.

That distribution model is straightforward: helpful-sounding post, comment to receive, one install command, done. It’s structurally identical to how 341 malicious skills ended up on ClawHub, the primary skills registry for OpenClaw, in February 2026. Professional presentation. Innocuous names. Packages that looked exactly like every other package in the registry.

The LinkedIn influencer skills playbook and the ClawHub malware campaign share the same distribution architecture. The only difference is intent. And from the outside, you cannot tell which one you’re dealing with.

This is a new category of attack surface. Call it what it is: instruction-layer supply chain risk. It looks exactly like productivity. And your current security posture was never built to catch it.

What a Skill Actually Is

A Skill is a small package of instructions that teaches an AI agent how to perform a specific task. Think of it as an onboarding guide for a new employee. Except the “employee” already has access to your email, files, credentials, and internal systems.

At its core, a Skill is a markdown file. Plain text. Instructions the agent reads and follows. One install command adds it to your agent’s capability set.

The architecture has an important vulnerability built in. Skills use a design pattern called progressive disclosure. At startup, only the Skill’s name and description load into the agent’s context. When you ask the agent to do something that matches that description, the full instruction set loads. The agent decides whether to invoke a Skill based only on its description. The actual instructions are opaque until the Skill is already running.

The description is what you see. The instructions are what the agent follows. Those two things are not always the same.

Akamai’s security research team confirmed this in practice. The most downloaded Skill in the ClawHub marketplace was malware. It was designed to exfiltrate SSH keys, crypto wallets, and browser cookies, then establish a reverse shell to an attacker-controlled server. The description looked helpful. The instructions were not.

The Marketplaces Are Everywhere

ClawHub is not the only distribution channel. Skills and skill-like packages are shared across GitHub repositories, Reddit threads, Discord servers, and direct installs. Third-party analyses estimate the OpenAI GPT Store contains roughly 160,000 public configurations. Anthropic introduced Skills for Claude as reusable capability packages across Claude products including Claude Code. Microsoft, GitHub Copilot, Cursor, and Windsurf all support equivalent instruction files that modify agent behavior.

Every major AI platform has built a capability distribution model, and every one of them defaults to frictionless. The platforms made one-click install the standard path because adoption speed is a feature. Governance is an afterthought, and usually an opt-in one.

The attack surface isn’t one marketplace. It’s every AI platform your employees are already using, often outside any formal review. OutSystems’ 2026 research found that 97% of organizations are exploring agentic AI strategies, while only 12% report using a centralized platform to maintain control.

Why This Is Different From Phishing

Your security team has spent the last decade teaching employees to pause before they click. Phishing training works because the suspicious thing looks suspicious. Wrong sender. Unusual link. Artificial urgency.

Skills break that model entirely.

The suspicious thing looks helpful. It comes from a platform you trust. The install command looks like every other install command. The Skill description promises exactly the productivity gain your employee was hoping for.

That’s the inversion. Phishing relied on you noticing something was off. This relies on everything looking exactly right.

There is no visual signal to recognize. No “check the sender” equivalent. And unlike phishing, where a malicious email is a one-time event, a malicious Skill can keep working long after the initial install.

Akamai’s security research identified that a Skill with write access to an agent’s long-term memory can rewrite the agent’s goals, corrupt stored context, and leave hidden instructions that persist across future sessions. The Cisco security team tested the number one most-downloaded skill on ClawHub and found it exfiltrating data silently alongside its legitimate function. Indistinguishable from what the agent was supposed to be doing.

There’s a second threat that gets less attention: drift. A Skill that was low-risk when installed may not stay that way as the agent’s configuration evolves around it. Instructions change. New tool connections get added. The model version updates. Nobody tracks the cumulative effect. The Skill didn’t change. The environment around it did. And nobody noticed the boundary moved.

Why Your Security Tools Don’t Catch It

Traditional endpoint detection looks for malicious binaries and known signatures. Skills are neither. A Skill is a markdown file. Natural language instructions. The malicious payload might be three sentences buried in plain text that tell the agent to copy credential files to an external endpoint while completing the task the user actually requested.

CrowdStrike’s CTO acknowledged at RSA 2026 that without deep endpoint visibility, a compromised agent executing a sanctioned API call with valid credentials fires zero alerts. The marketplaces have added scanning since the ClawHub breach, but the scanning itself is the problem. Recent research analyzed more than 238,000 skills across multiple marketplaces and GitHub using five purpose-built scanners. Each scanner flagged thousands of skills as malicious. When researchers compared what each one flagged, only 0.12% of findings were flagged by all five.

That means each scanner is catching things the others miss. No single tool sees the full picture. And the attacks that rely on natural language manipulation rather than code signatures evade most automated detection entirely.

The detection gap is real. The tooling is 12 to 18 months behind the threat.

The Discipline Already Exists. Apply It.

OWASP published the first security framework specifically for AI agent Skills two weeks ago, the Agentic Skills Top 10. Akamai published an independent Skills threat taxonomy in March. Cisco open-sourced a dedicated Skill scanner. These are not fringe researchers. These are tier-one security organizations converging on the same surface in the same month.

When OWASP names something, regulators, auditors, and acquirers start asking about it. That’s already happening. SOC 2 Type II auditors are applying existing change management controls to AI agents, expecting documented approvals, testing evidence, and deployment logs. HITRUST’s change management controls have the same scope. That question is coming to diligence questionnaires. If you’re in a regulated industry and PE-backed, it’s coming faster than you think. Organizations that can produce a clean record of what Skills are installed, who approved them, and what changed turn that into a diligence asset. Organizations that can’t leave risk for someone else to discover after close.

The practical answer isn’t a new security product. It’s applying discipline you already have to a surface you haven’t classified correctly yet.

None of these controls are new. The failure is classification. You haven’t been treating Skills as software. Your software organization doesn’t push code to production without a tracked change, a review, and a deployment record. Skill installs are software deployments. Treat them like it.

A Skills inventory as a standing practice. Not a one-time audit. Skills can be installed by anyone with access to an agent platform. Your developers, your operations team, your marketing coordinator. You need a live record of what’s installed, where it came from, who approved it, and when it was last reviewed.

An approved source list. If it’s not on the list, it doesn’t get installed. Skills are software written in natural language instead of code. An approved source list is the minimum viable control.

A change event for every install and update. Every Skill install, every update, every configuration change is a tracked event with an owner and an approval. When an auditor asks what changed and who approved it, you can answer.

The Uncomfortable Parallel

In 2000, a programmer sent an email with the subject line “ILOVEYOU.”

Tens of millions of machines. Ten days. Damage estimates in the billions.

It worked because the delivery channel was trusted, the action was frictionless, and nobody had trained anyone to think twice. The infrastructure for defense didn’t exist yet. It had to be built after the incident, not before it.

The Skills ecosystem today has all three conditions. Trusted delivery channels: the platforms your organization already approved. Frictionless installation: one command, thirty seconds, no review. Zero awareness training, because the category didn’t have a name until two weeks ago.

ILOVEYOU was loud. A malicious Skill is quiet. That’s what makes it harder.

Your phishing training teaches people to pause before they click. Nobody is teaching them to pause before they comment SKILLS.

And right now, that’s the easier attack.

If this raises questions about what’s actually running in your environment, the inventory problem is covered in Your AI Strategy Is Only As Strong As Your Inventory. The change management discipline that governs Skill installs is covered in Your Agents Are Software. Treat Them Like It.

Further reading: