AI Newbie | 2026-07-07 | 7 min read
Do not install random AI skills without this security check
AI skills, plugins, and agent instructions can be powerful. They can also carry hidden instructions, risky scripts, and permissions your business never meant to grant.
Direct answer: Before installing an AI skill or plugin, check the source, permissions, scripts, network access, files it can read, instructions it adds, and whether it gets a sandbox first.
Short answer
Do not treat AI skills, plugins, prompts, and agent instruction files like harmless text. Some of them can include scripts, tool calls, hidden instructions, network behavior, or broad access to files.
Before installing one, check who made it, what it can read, what it can run, what instructions it adds, and whether it gets access to customer data, code, credentials, or your local machine.
Why this matters
AI agents are more powerful than chat because they can use tools, inspect files, run commands, browse pages, and remember context. That also means bad instructions can have more impact.
OWASP’s Top 10 for LLM applications includes prompt injection and supply chain vulnerabilities. Those risks map directly to random AI skills, plugins, and instruction files: the agent may follow untrusted instructions or rely on a compromised component.
The practical takeaway is not fear. It is permission discipline.
Sources: OWASP Top 10 for LLM Applications, OWASP: Prompt Injection
The security checklist
Use this before installing a skill, plugin, MCP server, browser extension, prompt pack, or automation.
- Source: who created it, and is the repository or publisher trustworthy?
- Permissions: what files, tools, browser data, accounts, APIs, or folders can it access?
- Scripts: does it run shell commands, install packages, or execute code?
- Network: does it call external URLs or send data outside your machine?
- Instructions: does it add hidden or broad agent behavior you did not ask for?
- Secrets: could it read API keys, credentials, private documents, or customer data?
- Sandbox: can you test it in a throwaway project before using real data?
- Removal: can you uninstall it and see exactly what changed?
Skills are useful when they are scoped
Skills are not bad. They are one of the better ways to make AI consistent when the task repeats.
Anthropic’s public skills repository describes skills as packaged instructions and resources for Claude. OpenAI’s Codex AGENTS.md docs show the same principle for coding agents: give consistent project context. The safe version is specific, inspectable, and narrow.
Sources: Anthropic public skills repository, OpenAI Codex: AGENTS.md
Red flags
- It asks for access to your whole home folder when it only needs one project.
- It tells the agent to ignore other instructions.
- It includes obfuscated code or remote install commands you do not understand.
- It needs API keys unrelated to the task.
- It has no clear owner, documentation, or uninstall path.
- It promises impossible results like guaranteed rankings, undetectable content, or fully autonomous business operations.
The safe install workflow
Create a throwaway folder. Install the skill there first. Read the instruction files. Search for shell commands, network calls, and credential access. Run it on fake data. Only then decide whether it belongs in the real workflow.
For business automation, give agents the least access needed for the task. A writing skill should not need payment data. A design skill should not need customer exports. A lead-follow-up workflow should not need access to every company file.
Reference links
This topic came from TikTok source 36 and is grounded in OWASP agent and LLM security guidance plus official skill/instruction patterns.
Sources: TikTok source 36 idea trigger, OWASP Top 10 for LLM Applications, OWASP: Prompt Injection
Final answer
AI skills and plugins should be treated like small pieces of software with permissions, not harmless prompt text.
Check the source, scripts, access, instructions, network behavior, secret exposure, and sandbox behavior before letting them touch real business data.