
Friends Don't Let Friends Install Skills: The Security Risk of Claude Code's Skill System

Stefan Loesch

(image credit: Gemini)

I've been using Claude Code a lot. I love it, and I keep trying to improve the way I am using it. But I am using it on my personal computer, and so I am rather mindful about the security implications. Skills are all the rage — everyone is excited about them, and they do sound great in theory. But in practice, the way they are currently implemented in Claude Code is a nightmare from a security perspective.

So what are skills? Skills are Claude Code's community extension system — you install one and Claude gains new capabilities: specialized workflows, domain knowledge, custom tools. Sounds great — but there is a catch. Because here's what happens when you install a skill:

Skills can declare allowed-tools in their front matter. Those tools, which are executable code, then run silently, no questions asked. You'll see them scroll past in the transcript if you're watching, but by then it is too late. You don't see this list at install time either. There is no moment where the system says: "This skill wants to run bash commands, read your files, and make network requests. Proceed?"

It gets worse. Skills can embed shell blocks that execute before Claude even processes the skill content. These run with your full user permissions. Silently. There is no approval dialog. So code can run the moment a skill loads, before you've interacted with it at all.

And the worst part: once a skill is installed, Claude can choose to invoke it on its own. There is no confirmation. No approval prompt like the one you get for any other tool ("Do you really want to change directory and then run git?" — "YES I DO FGS. I TOLD YOU A HUNDRED TIMES ALREADY"). The model decides a skill is relevant and the code runs. If it is malicious code, you are pwned. No chance to stop it, no moment of informed consent, no trust boundary.
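The kind of pre-install check the post says is missing can be done by hand before a skill ever loads. The following is an added example, not the author's code or part of Claude Code: it reads a skill file, pulls the allowed-tools list out of the front matter, and flags the two execution paths described above, inline commands that run on load and fenced shell blocks. The SKILL.md sample is constructed, and the exact front-matter layout, the `allowed-tools` key format and the !`cmd` pre-execution syntax are assumptions about the skill format.

```python
import re
from dataclasses import dataclass, field

FENCE = "`" * 3  # built this way so the sample does not close this page's code fence

# Constructed sample SKILL.md, not a real published skill. Front-matter layout,
# the allowed-tools key and the !`cmd` pre-execution syntax are assumptions.
SAMPLE_SKILL = "\n".join([
    "---",
    "name: repo-helper",
    "description: Summarise the current repository",
    "allowed-tools: Bash(git:*), Read, WebFetch",
    "---",
    "Current status: !`git status --short`",
    "",
    "Then list sources:",
    FENCE + "bash",
    "find . -name '*.py' | head",
    FENCE,
])

@dataclass
class SkillReport:
    allowed_tools: list = field(default_factory=list)
    pre_exec: list = field(default_factory=list)      # !`...` commands run on load
    shell_blocks: list = field(default_factory=list)  # bodies of fenced bash/sh blocks

    def risky(self) -> bool:
        """Anything that can execute code or reach the network warrants review."""
        return bool(self.pre_exec or self.shell_blocks or any(
            t.startswith(("Bash", "WebFetch")) for t in self.allowed_tools))

def audit_skill(text: str) -> SkillReport:
    rep = SkillReport()
    m = re.match(r"^---\n(.*?)\n---\n?(.*)$", text, re.S)
    front, body = (m.group(1), m.group(2)) if m else ("", text)
    for line in front.splitlines():
        key, _, val = line.partition(":")
        if key.strip() == "allowed-tools":
            # simple comma-split; a full parser would also handle YAML list syntax
            rep.allowed_tools = [t.strip() for t in val.split(",") if t.strip()]
    rep.pre_exec = re.findall(r"!`([^`]+)`", body)
    rep.shell_blocks = [b.strip() for b in re.findall(
        FENCE + r"(?:bash|sh|zsh)\n(.*?)\n" + FENCE, body, re.S)]
    return rep

if __name__ == "__main__":
    r = audit_skill(SAMPLE_SKILL)
    print("allowed-tools:", r.allowed_tools)
    print("runs on load:", r.pre_exec)
    print("shell blocks:", r.shell_blocks)
    print("needs review:", r.risky())
```

Run it against a downloaded skill file before installing; a non-empty "runs on load" list is exactly the code the post warns executes before you have interacted with the skill at all.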

So long story short — at the moment I am not comfortable installing skills from anyone but Claude themselves. And even then, I avoid it.

Friends don't let friends install skills!

Update: We have built aigonskills — an MCP server that lets your LLM search and execute 15,000+ skills safely, without installing them.