AI Skill Supply Chain Security

# AI Skill Supply Chain Security AI skills, prompts, and agent configurations should be treated exactly like software dependencies. Downloading a random prompt or skill from a registry or GitHub repository and running it is functionally equivalent to running untrusted code. The same supply chain risks that affect npm packages, Docker images, and GitHub Actions apply here. ## Why this matters AI skills and prompts can: - Execute arbitrary tool calls (file reads/writes, shell commands, API calls) - Exfiltrate data through tool use (e.g., a skill that "helpfully" sends your code to an external endpoint) - Modify your files, configurations, or other skills - Inject instructions that persist across conversations ([[Context Poisoning]]) - Escalate privileges through [[AI Agent Harness]] configurations A compromised skill has the same access as the AI agent running it. If your agent can read your codebase and push to git, so can a malicious skill. ## Attack vectors - **Trojan skills**: a skill that looks useful but contains hidden malicious instructions - **Supply chain compromise**: an initially legitimate skill is updated to include malicious behavior (exactly like the npm/PyPI attacks the software world already knows) - **Prompt injection via skills**: a skill that manipulates the agent's behavior in subtle ways (e.g., biasing outputs, leaking information through seemingly normal responses) - **Dependency confusion**: a skill references another skill by name; an attacker publishes a malicious skill with the same name in a public registry - **Stale trust**: a skill you vetted 6 months ago has since been updated with different instructions ## Principles 1. **Skills are code**: audit them before use, just like you'd audit a library 2. **Pin versions**: don't auto-update skills from external sources without review 3. **Least privilege**: skills should only have access to the tools they actually need 4. **Trust but verify**: even skills from trusted sources can be compromised 5. **Review updates**: when a skill updates, review the diff, not just the changelog 6. **Isolation**: run untrusted skills in sandboxed environments where possible 7. **Provenance**: know where your skills come from and who maintains them ## The software dependency parallel | Software | AI Skills | |----------|-----------| | npm install unknown-pkg | Loading a skill from a random GitHub repo | | Dependency with `postinstall` script | Skill with tool-calling instructions | | Typosquatting attacks | Skills with similar names to popular ones | | Malicious package update | Skill update with hidden instruction changes | | Lock files (package-lock.json) | Pinned skill versions (not yet standard) | | Security audits (npm audit) | Skill content review (not yet automated) | ## What's missing today - No standardized skill signing or verification - No automated scanning for malicious skill instructions - No permission scoping (a skill gets whatever permissions the agent has) - No dependency lock files for skills - No CVE-equivalent database for compromised skills/prompts ## References - ## Related - [[NVIDIA SkillSpector]] - [[AI Skill Distribution]] - [[AI Agent Distribution]] - [[Prompt injection]] - [[Context Poisoning]] - [[AI Safety]] - [[AI Guardrails]] - [[AI Agent Harness]] - [[Lethal Trifecta for AI Agents]] - [[AI Agent Skills]] - [[Data Poisoning]] - [[Slopsquatting]] - [[Namesquatting]]