GUIDE 21 March 2026 5 min read

How to Audit Your AI Agent Skills Against the OWASP Agentic Top 10

SkillShield Research Team

Security Research

Published: March 21, 2026 Target: skillshield.dev/blog Slug: how-to-audit-agent-skills-owasp-agentic-top-10 Keywords: audit AI agent skills OWASP, OWASP agentic top 10 tool, AI agent security audit checklist, ASI04 compliance scanner Category: GUIDE The OWASP Top 10 for Agentic Applications is now the standard framework for AI agent security. If you're building with MCP servers, ClawHub skills, or any plugin-based agent architecture, your security team is going to ask how your stack maps to ASI01 through ASI10.

This guide walks through a practical audit of your installed agent skills using the OWASP framework as the checklist, with SkillShield as the scanning layer for the categories it covers.

Before You Start

You need three things:

  1. An inventory of your installed skills. List every MCP server, ClawHub skill, and third-party plugin your agents use. Include the source registry, version, and when it was last updated.
  2. The OWASP Agentic Top 10 as reference. The full framework is at genai.owasp.org.
  3. SkillShield CLI installed. npm install -g skillshield — this handles the supply chain scanning categories.

The Audit: Category by Category

Step 1 — ASI04: Agentic Supply Chain Vulnerabilities (Scan Every Skill)

Start here. ASI04 is the highest-leverage category for a skill audit because it's the one you can check before anything runs.

What to do:

# Scan each skill definition
skillshield scan ./skills/my-skill/SKILL.md

# Or scan an MCP server
# Use the web scanner at skillshield.dev/mcp

What you're looking for:

  • Malicious code patterns or known payload signatures
  • Typosquatted package names (e.g., clawhub vs clawhubb)
  • Dependency risks — unsigned or unverified components
  • Skills that haven't been updated since their initial publish

Pass criteria: Every installed skill has a SkillShield score. Any skill flagged as malicious is removed or quarantined. Any skill with unresolved warnings has a documented risk acceptance.

You can also check skills against the scored directory — 33,746 extensions pre-scanned across six registries.

Step 2 — ASI02: Tool Misuse and Exploitation (Check Permissions)

ASI02 targets skills that can be used in unsafe ways — over-permissioned tools, dangerous parameter patterns, and poisoned tool descriptions.

What to do:

For each skill in your inventory, check:

  1. Permission scope — Does the skill request filesystem access, network access, or shell execution? Is the scope proportional to what the skill actually does? A markdown formatter shouldn't need write access to your home directory.
  2. Tool descriptions — Run skillshield scan and check for prompt injection findings. Tool descriptions containing hidden instructions can redirect agent behavior without touching the skill's code.
  3. Parameter validation — Does the tool schema accept unvalidated file paths, shell commands, or URLs? These are the parameters an attacker or misaligned agent would exploit.

Pass criteria: No skill has permissions broader than its stated function. All prompt injection findings are resolved. Parameter schemas constrain inputs to expected types and ranges.

Step 3 — ASI03: Identity and Privilege Abuse (Check for Secrets)

ASI03 covers credentials embedded in or accessible through skills — API keys, tokens, passwords, and overly broad access grants.

What to do:

# SkillShield detects hard-coded secrets in skill definitions
skillshield scan ./skills/my-skill/SKILL.md

Also check manually:

  • Are any API keys or tokens hard-coded in skill configuration files?
  • Do skills have access to environment variables they don't need?
  • Are credentials being passed between skills without scoping?

Pass criteria: Zero hard-coded secrets in any skill definition. Skills only access the credentials they require for their stated function.

For a deeper dive on this step, see How to Scan MCP Skills for Hard-Coded Secrets.

Step 4 — ASI01: Agent Goal Hijack (Check Tool Descriptions)

ASI01 covers attacks that alter an agent's objectives. The supply chain vector for this is prompt injection in tool descriptions — hidden instructions in SKILL.md files or MCP server definitions.

What to do:

SkillShield's prompt injection testing targets this vector specifically. Review any findings flagged during your Step 1 and Step 2 scans.

Additionally, manually review tool descriptions for:

  • Instructions that reference other tools ("after running this tool, also run...")
  • Data exfiltration commands ("send the output to...")
  • Cross-tool manipulation ("override the previous instruction with...")

Pass criteria: All tool descriptions contain only legitimate documentation. No hidden instructions, no cross-tool references that shouldn't be there.

Step 5 — ASI05: Unexpected Code Execution (Check for Dangerous Patterns)

ASI05 covers skills that generate or run code unsafely — eval, exec, shell invocation, deserialization.

What to do:

SkillShield flags dangerous execution patterns in skill definitions. Review any findings from your scans for:

  • Direct eval() or exec() calls
  • Shell command construction from user input
  • Deserialization of untrusted data
  • Path traversal patterns in file access

Pass criteria: No skill contains unrestricted code execution patterns. Any dynamic code execution is sandboxed and constrained.

Steps 6-10 — Runtime Categories (Document Your Controls)

ASI06 through ASI10 cover runtime concerns that fall outside supply chain scanning:

Category What to document
ASI06 — Memory Poisoning How is your RAG/memory system protected? Is there ingestion filtering? Provenance tracking?
ASI07 — Inter-Agent Communication Are agent-to-agent messages authenticated? Encrypted? Protected against replay?
ASI08 — Cascading Failures Do you have circuit breakers? Rate limits? Isolation boundaries between agents?
ASI09 — Trust Exploitation Are sensitive actions gated by human confirmation? Are risk indicators visible to users?
ASI10 — Rogue Agents Do you have behavioral monitoring? Kill switches? Session boundaries that prevent persistence?

These categories can't be scanned — they require architectural documentation and operational controls. For each one, document what controls are in place, what gaps exist, and what the remediation plan is.

The Audit Output

When you're done, you should have:

  1. A SkillShield scan result for every installed skill — covering ASI01, ASI02, ASI03, ASI04, and ASI05
  2. A findings list — malicious skills removed, permissions tightened, secrets rotated, injection patterns resolved
  3. A runtime controls document — ASI06 through ASI10 coverage, gaps, and remediation plans
  4. A risk register — any accepted risks with documented justification

This is the artifact your security team needs. It maps your agent stack to the OWASP framework, shows what's been scanned, and documents what still needs operational controls.

Get Started

npm install -g skillshield
skillshield scan ./skills/*/SKILL.md

Or browse the scored directory to check skills before installing them. The MCP scanner handles MCP servers specifically — free, instant.

For the full mapping of which ASI categories SkillShield covers and which require other tools, see SkillShield vs. the OWASP Agentic Top 10.

The OWASP Top 10 for Agentic Applications is available at genai.owasp.org.

Catch risky skills before they run.

SkillShield scans skills, MCP servers, and prompt-bearing tool surfaces before they reach production.

Get early access

Share this article

Share on X Share on LinkedIn
Back to all articles