Researchers at Cato CTRL have demonstrated that the feature, designed to streamline AI workflows, can be easily weaponized to deploy MedusaLocker ransomware without the user’s knowledge.
A new cybersecurity investigation has revealed a critical oversight in Anthropic’s rapidly growing “Claude Skills” ecosystem.
Launched in October 2025, Claude Skills enables users to create and share custom code modules to expand AI capabilities.
The feature has seen explosive adoption, garnering over 17,000 GitHub stars in just two months. However, Cato CTRL warns that the current permission model creates a dangerous “consent gap.”
In a technical breakdown released today, researchers explained that while Claude’s “strict mode” requires users to approve code before execution, this approval provides a false sense of security.
Users typically review the visible layer of the script, but once that initial trust is granted, the Skill gains persistent permissions to access the file system and network.
To prove the vulnerability, Cato CTRL modified Anthropic’s official open-source GIF Creator Skill. They inserted a legitimate-looking helper function called post_save.
To the user, the script appeared to be standard image processing logic. However, in the background, this function was programmed to fetch and execute external payloads silently.
From Productivity to Ransomware
In a controlled environment, the researchers utilized this method to execute a live MedusaLocker ransomware attack.
The weaponized Skill, once approved by the user, successfully downloaded the malware and encrypted files on the host machine. No secondary prompts, logs, or warnings were triggered during the infection process.
“The key issue isn’t that the Skill runs code. It’s that visibility stops at what’s shown,” the Cato CTRL report stated.
“One convincingly packaged malicious Claude Skill, installed and approved once by a single employee, could trigger a multimillion-dollar ransomware incident.”
With IBM’s 2025 data placing the average cost of a data breach at $5.08 million, the financial implications for Anthropic’s 300,000 business customers are severe.
Malicious actors could easily propagate these weaponized Skills through social engineering on public repositories, disguised as productivity tools.
Mitigations
Cato CTRL disclosed the vulnerability to Anthropic on October 30, 2025.
Cato CTRL advises enterprises to treat AI Skills with the same caution as executable binaries. Recommendations include running Claude code strictly within isolated sandboxes or virtual machines and monitoring for unexpected outbound network connections.
Anthropic maintains that the system functions as designed, stating, “It is the user’s responsibility to only use and execute trusted Skills,” and noting that users are explicitly warned that Claude may use instructions and files from the Skill.
However, security experts argue that expecting users to audit complex code dependencies is unrealistic.
As the ecosystem grows, the line between helpful automation and malware delivery is blurring, requiring a shift in how enterprises trust AI-generated code.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.