The so-called “AI skills” used to scale and execute AI operations are dangerously exposed to data theft, sabotage and disruption, TrendAI has warned.

The newly named business unit of Trend Micro explained in a report published this week that AI skills are artifacts combining human-readable text with instructions that large language models (LLMs) can read and execute.

“AI skills encapsulate everything, from elements like human expertise, workflows, and operational constraints, to decision logic,” the report explained. “By capturing this knowledge into something executable, AI skills enable organizations to achieve scalability and knowledge transfer at previously unattainable levels.”

Examples of this approach are Anthropic’s Agent Skills, GPT Actions by OpenAI and Copilot Plugin by Microsoft.

Read more on AI threats: AI Security Threats Loom as Enterprise Usage Jumps 91%.

In this way, these artifacts could support use of AI for trading in financial services, enhanced service delivery in the public sector, or content generation in the media sector, TrendAI said.

However, these skills also pose a risk to enterprise security because they may expose customer/proprietary data, and decision-making logic.

“If an attacker gains access to the logic behind a skill, it can give them substantial opportunity for exploitation,” the report warned. “An attacker might also simply decide to trade or leak acquired data, thus exposing sensitive organizational information.”

With access to operational data and business logic, adversaries could disrupt public services, sabotage manufacturing processes, steal patient data, and much more.

AI-Enabled SOCs Face Rising Risks

The risks for these attack scenarios are particularly acute for AI-enabled SOCs.

Threat actors could identify and exploit detection blind spots in a SOC. Injection attacks are a major challenge in this regard, the TrendAI report claimed.

“AI skills mix user-supplied data with user-supplied instructions, and skill definitions might also mix both data and instructions and can reference external data sources,” TrendAI explained.

“This combination of data and executable logic creates an ambiguity, which in turn makes it difficult for defense tools – and even the AI engine itself – to safely differentiate between genuine analyst instructions and attacker-supplied content. Hence, the inability to defend against injection attacks.”

Principles for Securing AI Skills

The challenge for network defenders is that many of their security tools are unable to effectively detect, analyze and mitigate threats from unstructured text data, which AI skills are.

To help these teams, the report outlined a new eight-phase kill chain model specific to AI skills, and where there are new opportunities to detect malicious activity. It recommended running skills integrity monitoring, looking for SOC logic manipulation, and hunting for execution, credential access and data flow anomalies.

Established security best practices can also help. The report concluded with the following:

• Treat skills as sensitive IP by assessing and mitigating risk throughout the lifecycle, with proper access control, versioning and change management
• Separate skill logic and data from untrusted user-supplied data. The latter can lead to exploitation opportunities
• Limit execution privileges by applying least-privilege principles when designing skills, and limiting execution context to minimum-required permissions in order to prevent lateral movement
• Test how adversaries might exploit operational logic before deployment
• Monitor, log and audit continuously, as you should for any business process. This is especially important in AI-enabled environments where traditional security boundaries blur