OWASP Agentic Skills Top 10 Coverage
The OWASP Agentic Skills Top 10 is the first security framework specifically for the skill execution layer — the exact threat model SecureSkill was built for. Where the ASI Top 10 covers agent-level behavioral risks, AST10 covers the skills and tools agents actually run.
Malicious Skills
Compromised or intentionally harmful skills that perform unauthorized actions — credential theft, data exfiltration, persistence, or system manipulation.
Attack Categories
Pipeline Layers
How SecureSkill Detects It
This is SecureSkill's core mission. AI semantic analysis examines every file for malicious intent. Pattern matching rules (245+) detect known attack signatures. Credential detection scans for hardcoded secrets. Threat intelligence checks IOCs against live feeds. The Lethal Trifecta engine deterministically flags skills that combine credential access with network egress — the prerequisite for exfiltration.
Supply Chain Compromise
Registry failures, unauthorized modifications, or dependency poisoning that introduces malicious code through the skill distribution chain.
Attack Categories
Pipeline Layers
How SecureSkill Detects It
Threat intelligence checks extracted URLs, domains, and file hashes against active threat intelligence feeds. Vulnerability database queries identify known-compromised npm and PyPI packages via CVE cross-referencing. Pattern matching detects remote script execution, post-install hooks, and dependency confusion patterns. Deobfuscation strips Unicode tricks used to hide malicious payloads in supply chain attacks.
Over-Privileged Skills
Skills requesting or exercising permissions far beyond what their stated purpose requires.
Attack Categories
Pipeline Layers
How SecureSkill Detects It
Deterministic permission extraction pulls every network call, file read, file write, env var access, and command execution from executable code with file:line provenance. AI semantic analysis compares the extracted permissions against the skill's declared purpose — a "code formatter" that reads SSH keys and makes network calls is flagged as scope mismatch. AST-level dataflow tracing catches indirect privilege use through variable chains.
Insecure Metadata
Misleading or false skill information — descriptions that don't match behavior, fake publisher identities, or spoofed version counts.
Attack Categories
Pipeline Layers
How SecureSkill Detects It
AI semantic analysis explicitly compares SKILL.md declarations against actual code behavior across every file. The declared purpose is tested against extracted permissions, network calls, and file operations. Publisher handles are derived from URLs (platform-verified), not from file content the skill controls. Scanner evasion detection catches skills that include instructions attempting to manipulate the analysis.
Unsafe Deserialization
Dangerous parsing of skill configuration, input data, or inter-skill messages that could lead to code execution.
Attack Categories
Pipeline Layers
How SecureSkill Detects It
AST analysis detects pickle.load(), eval()-based deserialization, and YAML unsafe_load patterns. Pattern matching rules flag known deserialization attack signatures. AI semantic analysis identifies suspicious data parsing patterns that could lead to code execution.
SecureSkill analyzes skill code pre-installation. Runtime deserialization attacks that occur during skill execution — such as processing untrusted data received after installation — require runtime sandboxing.
Weak Isolation
Inadequate runtime sandboxing that allows skills to access resources, files, or capabilities beyond their declared scope.
Attack Categories
Pipeline Layers
How SecureSkill Detects It
Permission extraction identifies every file path, command, and resource a skill touches — exposing sandbox boundary violations before installation. AI semantic analysis flags skills that access paths outside their own directory, modify system files, or install persistence mechanisms. Pattern matching detects known sandbox escape patterns.
SecureSkill identifies skills that would break sandbox boundaries but cannot enforce isolation at runtime. Containerization and process isolation are platform responsibilities.
Update Drift
Uncontrolled skill updates that change behavior after initial review — a trusted skill quietly becomes malicious through an update.
Attack Categories
Pipeline Layers
How SecureSkill Detects It
Pattern matching detects auto-updater mechanisms: scripts that curl remote code, self-modifying logic, and post-install update hooks. AI semantic analysis flags skills that fetch and execute remote content, modify their own files, or schedule future modifications. Skills that promote content to persistent agent config are flagged as potential update vectors.
SecureSkill scans a point-in-time snapshot. Detecting behavioral drift across versions requires re-scanning after updates and comparing results — a workflow capability, not a single-scan feature.
Poor Scanning
Insufficient threat detection — reliance on single-method analysis, inability to see through obfuscation, or missing coverage for agent-specific attack patterns.
Attack Categories
Pipeline Layers
How SecureSkill Detects It
SecureSkill's multi-layer pipeline is the direct answer to AST-08. No single detection method is sufficient — pattern matching catches known signatures in microseconds, threat intelligence catches known-bad infrastructure, credential detection catches hardcoded secrets, AST-level dataflow tracing maps how data moves through code, vulnerability database lookups catch known-compromised dependencies, shell script analysis catches scripting issues, Unicode deobfuscation strips camouflage, and AI semantic analysis reasons about novel attacks and intent. Cross-layer corroboration links findings across layers for confidence scoring.
No Governance
Missing organizational controls — no skill inventory, no audit trail, no approval workflows for skill installation.
Attack Categories
Pipeline Layers
How SecureSkill Detects It
Every scan produces a structured report with skill profile, permission map, risk score, findings with evidence, and recommendations — the audit data a governance program needs. Permission extraction provides deterministic facts (file:line provenance) suitable for compliance review. Reports are persisted in Firestore with full provenance.
Governance is an organizational capability, not a scanner feature. SecureSkill provides the audit data and risk signals; approval workflows, skill inventories, and policy enforcement are the organization's responsibility.
Cross-Platform Reuse
Security risks when skills designed for one platform are reused on another with different trust models, permission systems, or isolation guarantees.
Attack Categories
Pipeline Layers
How SecureSkill Detects It
SecureSkill detects the platform from file signatures (OpenClaw, Claude, Hermes, Codex, Cursor) and applies platform-specific analysis: scoring calibration, attack category definitions, and prompt sections are all tailored per platform. A skill safe on one platform may be dangerous on another due to different permission models — platform-specific analysis catches these discrepancies.
SecureSkill provides strong coverage across 7 of 10 OWASP AST10 categories, with partial coverage on 2 and indirect coverage on 1. Coverage is strongest on the categories most critical to pre-installation security: malicious skills, supply chain compromise, over-privileged permissions, and obfuscated payloads. Categories requiring runtime enforcement (weak isolation, update drift, governance) are scope limitations of any pre-installation scanner.