OWASP Agentic Skills Top 10 Alignment
Every skill on skills-hub.ai is scanned against 49 vulnerability patterns that cover 5 of 10 OWASP AST categories with full coverage and 3 more with partial coverage. The two runtime-only categories (logging suppression, denial of service) cannot be detected by static analysis — we document this limitation rather than hiding it.
5
Full coverage
3
Partial coverage
2
Runtime only (N/A)
49+
Total patterns
What is the OWASP Agentic Skills Top 10?
The OWASP Agentic Skills Top 10 (AST) is a security framework documenting the ten most critical risk categories for AI agent skills — SKILL.md files and similar instruction sets that extend the behaviour of AI coding assistants. It was published in response to a wave of supply-chain attacks, including ClawHavoc (February 2026), where 341 malicious skills were distributed through a competitor registry, five of them ranking in the top seven most-downloaded skills at peak infection. Snyk's independent ToxicSkills audit found 36% of public skills across four registries contain prompt injection vulnerabilities.
skills-hub.ai's 49-pattern static scanner was built to address exactly these risks. Below is our documented mapping to each AST category.
AST01–AST10, pattern by pattern
Malicious Skill Injection
Skills embedding malware, unauthorized file-system access, shell execution, or container escape. This is the attack class behind the ClawHavoc incident (341 malicious skills found in a competitor registry).
Prompt Injection via Skill
Skill body contains instructions designed to override the agent's system prompt, hijack its goals, or plant persistent directives that affect future conversations.
Excessive Agency
Skill claims or grants permissions beyond its stated scope — privilege escalation, unrestricted tool access, or self-modification of agent capabilities.
Sensitive Data Disclosure
Skill exfiltrates user data, leaks credentials, or transmits sensitive information to external endpoints without user consent. Snyk's ToxicSkills audit found 13.4% of skills had at least one critical-level issue in this category.
Supply Chain Vulnerabilities
Skill depends on external resources (URLs, packages) that could be compromised or typosquatted, enabling a dependency-chain attack on the agent.
Insecure Configuration
Skill modifies security-relevant settings, disables safeguards, injects SQL without sanitization, or configures the agent in ways that weaken its security posture.
Integrity Failures
Unsigned or obfuscated skill content that cannot be verified against a known-good state. skills-hub.ai addresses this with content-SHA tracking and Cosign SLSA provenance (signing in progress).
Logging Suppression
Skill silences or circumvents agent logging and monitoring. This is a runtime behaviour — not detectable via static analysis of the skill file. We flag it as N/A with a documented limitation.
Not detectable via static analysis — runtime monitoring required.
Denial of Service
Skill causes the agent to hang, loop indefinitely, or exhaust compute or memory resources. Like AST08, this is a runtime risk that static analysis cannot fully prevent.
Not detectable via static analysis — runtime monitoring required.
Composition Risks
Unsafe skill composition — a chain of individually trusted skills that together produce malicious behaviour. We detect suspicious composition patterns in the supply-chain category.
Common questions
Does OWASP AST alignment mean every skill is safe?
No. Our scanner catches known attack patterns via static analysis. A sophisticated adversary could craft a skill that evades all current patterns. We add patterns conservatively — every new one must pass a true-negative test against the full catalog before shipping — and we re-grade the entire catalog when the pattern set changes. Treat the A–F grade as a strong signal, not a guarantee.
Why are AST08 and AST09 listed as N/A?
Logging Suppression (AST08) and Denial of Service (AST09) are runtime behaviours. A skill file that causes an agent to hang or suppress its own logs looks syntactically valid — static analysis of the SKILL.md cannot detect it. Mitigating these risks requires runtime telemetry and sandboxed execution, which are outside the scope of a marketplace scanner. We document the limitation rather than claiming coverage we don't have.
How do I report a false negative?
If you discover a published skill that should have been flagged, email [email protected] with the skill slug and a description of the pattern you believe it matches. We review all reports and, if the pattern is novel, add it to the catalog and re-grade all skills.
Browse 4,400+ skills — every one scanned.
Every skill in our catalog has been scanned against all 49 patterns and received an A–F security grade. The full scanner methodology, pattern descriptions, and severity deductions are published at /security.