Claude Code Skills: What They Are, and How to Install Them Without Getting Burned

Claude skills are one of the most useful things to happen to AI coding tools, and one of the easiest to install carelessly. A skill can turn a general assistant into a specialist in seconds — and, added without thought, it can also read your files, run commands, and move data off your machine. Here is what a skill actually is, the handful of ways they go wrong, and how to use them without getting burned.

What a skill actually is

A skill is a small, packaged set of instructions — a file called SKILL.md, sometimes bundled with scripts and resources — that an AI coding agent loads on demand when a task matches it. It is different from a one-off prompt: a prompt is something you type and forget, while a skill is installed once and then quietly shapes the agent's behaviour every time it is relevant. That is what makes skills powerful, and it is also the root of the risk. A skill does not just suggest text; depending on your setup it can run code, call tools, and act on your computer.

What you're really agreeing to when you install one

Skills are shared through marketplaces and plugins, and installing one usually takes a single approval. That approval is the important moment. You are not just adding a convenient shortcut — you are granting a piece of someone else's instructions the ability to operate inside your environment, with whatever access your agent already has. Researchers call this the single-consent trust model: one click, by one person, can be enough to let a skill do real damage. It is worth slowing down for.

The four ways skills go wrong

1. Prompt injection — the underestimated one. There are two flavours. Direct injection is a malicious instruction written into the skill itself; you can catch it by reading the skill before you approve it. Indirect injection is sneakier: a perfectly legitimate skill processes some untrusted content — a web page it fetches, a file it opens, a GitHub issue, an email — and hidden instructions inside that content hijack the agent. Reviewing the skill does not catch this, because the skill is not the problem; the data it touches is. The danger compounds when an agent can do three things at once: reach private data, read untrusted content, and send information out. Security researchers call that combination the lethal trifecta, and skills routinely wire all three together.

2. Skills that are malicious by design. Some skills are simply traps. In one documented case, researchers built a skill that, once approved, could trigger a ransomware incident; others quietly read environment variables and smuggle secrets out through ordinary-looking channels like commit messages or generated documentation. The instruction-following that makes skills useful is exactly what makes this possible.

3. Trust that collapses after you install. A skill can be safe today and a liability next month. A popular Claude Code productivity tool known as GSD — Get Shit Done — was abandoned by its maintainer in 2026; the project had attached a crypto token that was then drained in a rug-pull, and the original packages stayed live and installable long after anyone was maintaining them. No malicious code was injected — it was an exit, not an attack — but everyone still running it was left depending on unmaintained software. The lesson is to weigh who is behind a skill and why, not just what the code does today.

4. It is more common than it looks. This is not a rare, exotic risk. One 2026 analysis found that more than one in eight agent skills contained a critical security issue — malware, prompt injection, or credential theft. Treating skills as trusted by default is the wrong starting point.

How to stay safe

The defences are simple and they work. Read the SKILL.md before you approve it — if you cannot, treat that as a reason not to. Check who made it: an active maintainer, a real history, and a community that audits the code are worth more than a star count. Prefer pinned versions and audited forks over whatever is newest. Assume that any skill which touches the open internet or untrusted files is a prompt-injection surface, and do not casually combine private-data access, untrusted input, and an outbound channel in the same workflow. If you manage a team, you can switch off a skill's ability to run shell commands entirely in your settings. And keep real secrets out of the environment your agent runs in wherever you can.

What a good skill looks like

Once you know the failure modes, good skills are easy to spot. They do one clear thing rather than everything. Their description is specific about when they apply. They load what they need only when they need it, instead of demanding broad standing access. And they have nothing to hide — no obscured network calls, no reading of credentials, no instructions that only make sense if the author wanted something from you. A skill that is transparent about what it does, and narrow about what it touches, is one you can trust.

Skills make AI coding tools dramatically more capable, and they are worth using. The shift in mindset is small but important: installing one is not like copying a snippet, it is more like hiring a contractor and handing them a key. Read the references, check who you are letting in, and keep the access narrow — and you get the upside without quietly taking on someone else's risk.

Sources: Cato Networks (CTRL); Snyk ToxicSkills; Datadog Security Labs; Reversec; community reporting on the GSD project (2025–2026).