Claude Skills feature exposes new ransomware risk
Businesses are being warned that productivity tools in Claude Skills, launched by Anthropic in October, can be weaponized to deploy ransomware.
The warning comes from a Cato Networks security researcher who has demonstrated how the AI threat landscape is moving beyond tricking large language models with “jailbreaks” to hijacking AI assistants themselves by weaponizing their plug-in tools.
Claude Skills are productivity tools that allow users to teach Claude specific workflows, like formatting documents, building spreadsheets, or following company style, so it can perform those tasks consistently, automatically, and without the need to rewrite prompts.
However, researcher Inga Cherny, working for Cato Networks' research arm Cato CTRL, found that, with minimal modification, a seemingly legitimate Claude Skill can be weaponized to execute ransomware.
In a blog post, Cherny documented how she demonstrated the risk by altering a popular open-source “GIF Creator” Skill. She inserted what appeared to be a harmless function that, once the Skill was approved by the user, downloaded and executed external code.
Ransomware unleashed to test Claude Skills
While Claude reviewed the visible script before running, it failed to detect the hidden payload that the Skill fetched afterward: a remote script containing the MedusaLocker ransomware.
Working in a controlled environment, Cherny found that once triggered, the ransomware behaved exactly as it would in a real-world incident: encrypting files and demonstrating how easily a trusted Skill could become a delivery mechanism for a full-scale compromise.
According to Cherny, the process required little expertise and that “anyone can download, tweak and re-upload a Skill” and even used Claude’s own code assistant to ask where the modification should be placed.
The sequence of events was as follows:
- User asks for GIF creation
- Claude invokes GIF creator skill from GitHub
- Claude creates Python script
- Claude runs Python script to create GIF
- Claude downloads and executes a ‘helper script’
- Claude downloads and executes MedusaLocker ransomware
Anthropic responds
Cato shared its findings with Anthropic on October 30th, but the Gen AI firm put the onus for safety checks on users, saying that Skills are explicitly designed to execute code, and users are warned before enabling them.
“It is the user’s responsibility to only use and execute trusted Skills,” it added
Cato’s argument is that while code execution is central to how Skills work, the security model leaves too much room for misuse.
Once a user approves a Skill, Cato says, it gains ongoing permission to read and write files, download additional components, and make network connections, all without further prompts.
That “consent gap,” the researchers argue, allows malicious add-ons to operate invisibly after the initial approval.
Advice for businesses using Claude Skills
Cato adds that the concern is heightened by the rapid uptake of Claude Skills amongst its 300,000 enterprise customers.
A convincing “productivity” Skill, shared through public repositories or social channels, could potentially spread ransomware across multiple companies at once.
The report concludes that while Claude Skills is undoubtedly helpful for enterprises, its reusable AI automation opens up the door to abuse.
Without greater transparency, clearer permission controls, and monitoring of Skills’ runtime behaviour, a single user approval could lead to a full enterprise compromise.
Cato advises enterprises to use only trusted Skills and monitor their behaviour closely, treating them with the same caution as any other code running inside the organization.
Unlock exclusive Cybernews content on YouTube
