This page is available as Markdown at /blog/2026-04-14-claude-skills-security-risk/index.md, or request this URL with Accept: text/markdown. Site index: /llms.txt. Sitemap: /sitemap.yaml
claude-code security ai skills

Friends Don't Let Friends Install Skills: The Security Risk of Claude Code's Skill System

Stefan Loesch|
Friends Don't Let Friends Install Skills: The Security Risk of Claude Code's Skill System
(image credit: Gemini)

I've been using Claude Code a lot. I love it, and I keep trying to improve the way I am using it. But I am using it on my personal computer, and so I am rather mindful about security implications. Skills are all the rage — everyone is excited about them, and do sound great in theory. But in practice, the way they are currently implemented in Claude Code is a nightmare from a security perspective.

So what are skills? Skills are Claude Code's community extension system — you install one and Claude gains new capabilities: specialized workflows, domain knowledge, custom tools. Sounds great — but there is a catch. Because here's what happens when you install a skill:

Skills can declare allowed-tools in their front matter. Those tools are still subject to Claude Code's sandbox and your permission settings — so depending on your configuration, some or all of them may require approval before running. But in permissive configurations, they can run without explicit confirmation. You'll see them scroll past in the transcript if you're watching, but you don't see this list at install time. There is no moment where the system says: "This skill wants to run bash commands, read your files, and make network requests. Proceed?"

It gets worse. Skills can embed shell blocks that execute before Claude even processes the skill content. Now, Claude Code does sandbox Bash commands that can modify things — write, delete, install. But according to the documentation, read-only commands like ls, cat, grep, and find run without a permission prompt in every mode. This means a malicious skill could silently read sensitive files — your SSH keys, your .env files, your credentials — and exfiltrate them, all before you've even interacted with the skill.

And the worst part: once a skill is installed, Claude can choose to invoke it on its own. There is no confirmation. No approval like for any other tool like "Do you really want to change directory and then run git?" ("YES I DO FGS. I TOLD YOU HUNDRED TIMES ALREADY"). The model decides a skill is relevant and the code runs. If it malicious code, you are pwned. No chance to stop it, no moment of informed consent, no trust boundary.

So long story short — at the moment I am not comfortable installing skills from anyone but Claude themselves. And even then, I avoid it.

Friends don't let friends install skills!

Update: We have built aigonskills — an MCP server that lets your LLM search and execute 15,000+ skills safely, without installing them.

Update (18 May 2026): We have clarified the section on skill sandboxing within Claude Code. Write and delete operations are sandboxed, but read-only commands run without prompts — see the Claude Code permissions documentation for details.

← Back to Blog