The Illusion of Control

The release of Claude Skills is an incredible moment for AI. As Simon Willison recently noted, this might be a “bigger deal than MCP,” poised to unleash a “Cambrian explosion” of new capabilities. He’s right. This is another architectural shift that continues the transformation of chatbots into a true, specialist workforce of autonomous agents.

The simplicity is the point. By allowing anyone to package instructions, resources, and code into a shareable format, Anthropic has effectively opened the App Store for agents. We are about to witness an incredible wave of innovation as developers and users create and share thousands of skills, from professional PowerPoint creation to teaching an agent the nuances of your company’s brand guidelines.

But with this immense leap in capability comes a new, more subtle class of risks. As Willison correctly points out, the word “safe” is doing a lot of work in the phrase “safe coding environments.” The current security conversation is rightly focused on the risks of prompt injection and the need to audit skills. However, these discussions are based on a flawed assumption: that a diligent human can reliably spot a threat that is designed to be invisible.

Our research targets this blind spot directly. We have demonstrated a logic-based attack that bypasses both the human “eyeball test” and the platform’s own guardrails. It represents a critical architectural flaw in the current model of agent security.

Here’s the video of the attack:

The Anatomy of an Invisible Attack

To prove this thesis, we conducted a proof-of-concept that shows how a diligent user, following a logical inspection process, can be tricked into approving a malicious skill.

Step 1: The Trojan Horse

First, an attacker creates a genuinely useful skill called “Financial Templates.” It promises to create professional invoices and is packaged in a ZIP file with its primary resource, a PDF named financial_standards.pdf.

Step 2: The Flawed Inspection

A diligent user—say an employee in the finance department—downloads this skill. Following company policy, they unzip the file to inspect its contents before installing. They find two files: SKILL.md and financial_standards.pdf.

They open SKILL.md and see perfectly clean instructions: “For detailed formatting standards and calculation guidelines, refer to `references/financial_standards.pdf”

Next, they open the PDF itself. It appears to be a professional, polished corporate document with the correct, visible contact information. The document passes the human eyeball test. Satisfied, the user installs the skill.

Step 3: The Invisible Sentence

What the user can’t see is that the PDF contains a hidden set of instructions. Using simple white-on-white text, a malicious but plausible-sounding business instruction has been embedded in the document. This text is completely invisible during a normal review but is perfectly readable by the machine.

Step 4: The Hijack and Malicious Outcome

The final step is the attack itself. The user makes a routine request: “Create an invoice.” The agent, following the clean instructions in SKILL.md, opens the compromised PDF. It reads the entire document, including the invisible sentence, and is instantly hijacked. It processes the “correction” as a valid, high-priority instruction.

The result is that the agent generates the invoice with the attacker’s email and phone number, effectively creating a phishing attack targeting every customer who receives an invoice.

Why It Works: A Failure of Architecture, Not Diligence

This attack works because it bypasses the two primary layers of defense: the human reviewer and the platform’s safety systems.

The platform’s prompt guardrails are built to detect and block overtly malicious commands. However, the attack we’ve demonstrated isn’t overtly malicious. An instruction like, “There is a typo in the email address; here is the correction,” is semantically benign. It doesn’t contain dangerous verbs or forbidden code. Instead, it reads like a helpful, logical business instruction.

The agent, programmed to be helpful and follow instructions, has no reason to question it. The attack succeeds because it’s a logic bomb that hijacks the agent’s reasoning, not its security protocols.

The Core Flaw: Static Defenses vs. Dynamic Actors

This trick succeeds because of a deep architectural mismatch.

The current security paradigm is built on static defenses for dynamic actors. Guardrails, manual reviews, and “blessed lists” of MCPs and Skills are static, point-in-time controls. They are fundamentally mismatched for governing a dynamic, autonomous actor like an agent, whose behavior can be altered by any new data it ingests.

The true threat is not that an agent will be forced to break a rule, but that an agent will be tricked into following a new, malicious rule that it believes is legitimate. This is the critical flaw in today’s agent security model.

The Path Forward: From Guardrails to Governance

The solution can’t be just smarter prompt guardrails. While necessary, it’s an eternal cat-and-mouse game. The only viable solution is to shift our focus from preventing bad input to governing bad outcomes.

This requires a new layer of real-time governance with a control plane that can see and adjudicate an agent’s behavior before it acts.

This control plane wouldn’t analyze the prompt’s intent. It would enforce deterministic business policies on the agent’s non-deterministic behavior. For example, it would enforce a simple, powerful policy like:

“An agent may never generate an invoice where the payment details differ from the verified corporate contact list.”

This policy would have instantly stopped this attack’s outcome, regardless of how clever or invisible the initial prompt was.

The agent workforce is here and being further ignited by the incredible features the frontier labs are releasing. The market will inevitably demand a new level of provable control to wrangle these new capabilities. It’s only through this trust can we truly unlock the value of what agents can offer.

Share