AI Skills as an Emerging Attack Surface in Critical Sectors: Enhanced Capabilities, New Risks

The emerging exposure patterns highlight the need to examine the broader threat model and attack vectors introduced by AI skills.

AI skills as an unconventional attack surface

AI skills represent an underestimated attack surface.

In essence, LLM skills are a form of knowledge preservation. This capability can produce both highly beneficial and potentially harmful outcomes.

Among the positives:

• Domain-knowledge analysts can distill their knowledge into shareable “skills,” enabling others (possibly less-experienced engineers in that domain) to reuse these capabilities in their own workflows. This makes the knowledge more widely available and accessible across the organization.
• Skills can automate processes, such as in security monitoring, where AI-enabled security operations centers (SOCs) automate monitoring and initial triage.

However, these same advantages introduce new risks. AI skills expand an organization’s attack surface. Attackers will choose to seek out vulnerabilities not only in the underlying components that AI skills depend on but also in the skill logic itself.

Moreover, an AI skill is itself a form of proprietary data. Skills might contain sensitive operational information, such as thresholds and triggers an organization uses in its processes or an organization’s handling procedures for sensitive data. Risks become apparent in all major critical industries. Knowledge about thresholds, for example, can be leveraged to manipulate the severity of notifications or exploit decision-making logic.

If an attacker gains access to the logic behind a skill, it can give them substantial opportunity for exploitation. An attacker might also simply decide to trade or leak acquired data, thus exposing sensitive organizational information. The risks for these attack scenarios are particularly acute for AI-enabled SOCs.

SOC-specific implications and injection attack vectors

SOCs face unique risks when integrating AI skills into their processes. Attackers can analyze scenarios within an AI skill and attempt to exploit its execution logic. The core challenge lies in the fact that skills inherently introduce a heightened risk for injection-based attack vectors.

AI skills mix user-supplied data with user-supplied instructions, and skill definitions might also mix both data and instructions and can reference external data sources. This combination of data and executable logic creates an ambiguity, which in turn makes it difficult for defense tools — and even the AI engine itself — to safely differentiate between genuine analyst instructions and attacker-supplied content. Hence, the inability to defend against injection attacks.

As a result, AI skills become susceptible to AI-native injection attacks mirroring classic exploitation attacks, like SQL injection, but in the context of an AI engine. AI skills inadvertently create conditions for AI variants of traditional injection attacks, where malicious content can manipulate LLM execution logic.

Escalation path: From tactical to strategic

Unauthorized access to AI skills leads to a dangerous escalation path.

When collected systematically by a malicious attacker, AI skills can reveal critical organizational business processes that reveal sensitive insights into how an enterprise operates, makes decisions, and defends itself.

The more AI skills attackers compromise, the more advantages they gain:

• One or two skills provide tactical advantage (e.g., identifying specific detection blind spots)
• Over 20 skills enable strategic modeling (e.g., provide a complete understanding of SOC priorities)
• A complete skill set enables full behavioral prediction and digital twin creation (e.g., construction of digital twins of security analysts)

The cumulative impact of such breach grows exponentially.

Once AI skills have been compromised, attackers retain long-term knowledge into an organization’s security posture, which is unlikely to change much over time. Preventing unauthorized access to AI skills is therefore essential to eliminate this entire escalation path.