Millions of people now let AI software write code directly on their computers. A wave of new research shows the little add-ons they download to do it, often grabbed from strangers on the internet, can quietly help themselves to everything on the machine.
Artificial intelligence has moved beyond just a simple chatbot. It’s now software like Claude Code or OpenAI’s Codex that sits on the machine, reads files, runs commands and even writes its own code on a user’s behalf. But the way users are ‘extending’ these tools has caught the attention of security researchers.
Claude Code is made by Anthropic, the US company behind the Claude chatbot. Codex is made by OpenAI, the company behind ChatGPT. Both are “coding agents”: you give one a task in plain English, and it reads your files, writes and edits code, and runs commands on your computer to get the job done.
That is the point of them. It is also where the risk starts. To be useful, these agents need real access to your machine.
What a ‘skill’ is, and where people get them
To avoid repeating themselves, users extend these agents with “skills”.
A small, prewritten bundle of instructions that teaches the agent how to do a particular job, and it can include scripts the agent will run. Anthropic added a skills feature to Claude Code in late 2025 and published the format as an open standard. OpenAI’s Codex adopted the same approach, and a sharing economy grew up around the idea.
Many of these skills are swapped on social media sites like Twitter, but mostly on GitHub, the world’s largest storehouse of open-source code, owned by Microsoft. Anyone can post anything on GitHub. Being there is not a seal of approval. A skill pulled from a stranger’s GitHub page is, put simply, code from someone you do not know that you are about to let run on your computer.
Why an unread skill is a problem
A skill inherits whatever the agent can do. That means it can read and write your files, run commands, and reach the saved passwords, keys and access tokens that sit on most developers’ machines. If you never open the skill and read it, you have no idea what it actually tells the agent to do.
The security firm Mitiga showed how this plays out. Its researchers built a skill that looked like an ordinary “testing” helper. Hidden inside were instructions telling the agent to copy the user’s entire codebase and push it to an account the attacker controlled. It ran silently. The activity logs stayed empty. The on-screen summary looked like a normal test report. The user would have had no reason to suspect a thing.
A separate study by the security company Snyk, scanned 3984 skills shared on two public libraries. It found 534 of them, about one in eight, carried a critical security problem, and confirmed 76 outright malicious ones built to steal credentials, plant backdoors or smuggle data out. Eight were still live and downloadable when Snyk published its findings.
How to stay on the safe side
The first defence costs nothing. It should go without saying, but open any skill you plan to add to your machine and read it before you run it. Always treat code from an unknown source the way you would treat an email attachment from a stranger.
You can also put your AI assistant to work on the problem. Rather than installing a skill you found, show it to the assistant and ask two things: explain, step by step, what this does and what it can reach on my computer; then rebuild the same capability from scratch, with security as the priority. You end up running your own clean version instead of a stranger’s.
Keep in mind though: Asking an AI to “review” a skill is not foolproof, because some booby-trapped skills carry hidden instructions aimed at the AI itself. That is the reason rebuilding the tool from scratch beats trusting the original. You can then throw the unknown code away rather than running it. The researchers’ own advice runs the same way, do not run skills from sources you cannot vouch for, and build up a trusted set of your own.
The bigger warning
The concern is no longer confined to security blogs. On 22 June, the cyber security agencies of the Five Eyes intelligence alliance, Australia, the United States, the United Kingdom, Canada and New Zealand, issued a rare joint statement on AI.
Australia’s signatory was the Australian Signals Directorate’s Cyber Security Centre, alongside the United States’ CISA and NSA and their British, Canadian and New Zealand counterparts.
Their message? Not great. The agencies said AI is “fundamentally transforming both offensive and defensive cyber capabilities”, and warned that cyber risk assumptions “can become outdated in months, not years”. They urged organisations to cut unnecessary access to their systems, patch known weaknesses faster, and tighten the controls over who and what is allowed to reach their networks.
This article does not take into account the investment objectives, financial situation or particular needs of any individual. It does not constitute formal advice. Consider the appropriateness of the information before acting and, where relevant, seek professional advice.