Skill Factory Risk Analysis

Key Takeaways

  • Three critical risk categories: skill poisoning, privilege escalation, supply chain attacks
  • Cisco demonstrated live data exfiltration via malicious third-party skill
  • Governance gap: most enterprises deploy skills without formal review processes
  • Mitigation stack: sandboxing + permission scoping + skill provenance verification
  • Enterprise procurement should mandate skill audits before production deployment

Summary

This analysis extends the Skill Factory framework research with a focused examination of security risks in enterprise skill ecosystems. The central threat model identifies three attack vectors: skill poisoning (injecting malicious instructions into SKILL.md files), privilege escalation (a skill requesting broader permissions than declared), and supply chain attacks (compromised skills distributed through legitimate marketplaces).

The Cisco red-team demonstration — exfiltrating customer data through a seemingly benign OpenClaw skill — illustrates how the “helpful agent” mental model causes security teams to under-scrutinize skill packages. Unlike traditional software, skills operate with natural-language instructions that bypass conventional code review tooling.

Recommended mitigations: mandatory sandbox execution for all third-party skills, permission manifest verification at install time, and human-in-the-loop approval for skills requesting access to production data systems.

Relevant Concepts