A skill is just a program for an LLM agent. This just seems like works-as-expected. Are the five lines in the skill notably innocuous or something? I don't mean to dismiss it out of hand but I don't understand what happened here because it seems to read "`curl $url | bash` can exfiltrate data" which seems pretty straightforward that it can.
Exfiltrates: to steal sensitive data from a computer system (for example, via a flash drive).
I'm not going to defend Microsoft here, but the title (at the source blog) is misleading and a bit rage-baity. What happened with Cowork may have been rushed, possibly due to incompetence, but incompetence is not malice. This framing is also recycled across a few of the author's other interesting findings.
Within the article, the wording is much more accurate: “The victim uploads a skill file to Copilot Cowork that contains a prompt injection,” and “The injection manipulates Microsoft Copilot Cowork into posting a Teams message that exfiltrates pre-authenticated file download links when viewed.”
Well, isn't that swell - good that meanwhile countless MBA cretins have "adopted" enterprise-wide Copilot integrations, to make their companies "AI native" or whatever the word is on LinkedinLunatics street these days.
Didn't the first 365 copilot lauch have a whole rollback as they belateded realised the rag setup would often ignore file access and permissions, so queries like "List the highest paid members of x team sorted by salary" would just work etc?
The combo of rushing with a technology that isn't very easy to control, understand or securely limit is just mad to me.
AKA, if a malicious skill got into your AI agent, you're cooked.
I think this isn't surprising, nor do I think it should be considered a prompt injection at all. An AI skill is akin to a plugin for traditional software - if you install a malicious IDE extension or Outlook plugin, the attacker can also do whatever they want to the PC and exfiltrate whatever data they want to. So this article is a big nothingburger.
i think people are probably already doing it. i made a skill scanner but it's also just easy to download a zip and inspect the contents... but people are loading these things remotely. i agree that it is easy to not install a pentester's magic skill, but the attack capabilities a skill can have are pretty insane. people should just make their own is my pov.
While debugging in Cursor a couple weeks ago, Opus 4.6 chirped it had discovered that my token, when base64 decoded, had a date that was in the past - perhaps expired?
And it was expired!
And I was happy. And some time passed - and I realized it had read my .env file and performed operations on my API keys.
That these models do all this stuff already makes me assume any skill take over is simply trivial.
Thankfully inserting malicious skills is not something that can easily be done, you need to a lot of things wrong and the attacker to do a lot of things right in order for it to be exploited.
Unlike plugins in traditional software, skills do not represent a carveout from any security boundary nor run with elevated trust. They're just selectively loaded context. Anything you can convince an agent to do with a skill you can convince it to do without one.
ai skill is not just a plugin. given the right model, supposedly, it can do much more. since everyones harness tends to be tied to the model, it has a whole tool set to use.
Nice find. We're PoCing Cowork and I've personally been impressed with it so far, but it seems we'll have to wait with a wider rollout until Microoft give us more admin feature to turn off what users can do with it.
> Note: Admins have limited oversight of ‘Skills’, as Skills in Copilot Cowork are automatically loaded from a specific path in a user’s OneDrive.
I feel this part is a bit disingenuous. We have full control over the sharepoint containers which house users personal onedrives. We actively scan them and prevent a lot of files from getting in them. That being said, it's still a fair point, because a "skill" could basically be a text file.
A skill is just a program for an LLM agent. This just seems like works-as-expected. Are the five lines in the skill notably innocuous or something? I don't mean to dismiss it out of hand but I don't understand what happened here because it seems to read "`curl $url | bash` can exfiltrate data" which seems pretty straightforward that it can.
A skill is just instructions that the agent can autonomously copy into context. There’s no trust boundary between trusted and untrusted context.
Exfiltrates: to steal sensitive data from a computer system (for example, via a flash drive).
I'm not going to defend Microsoft here, but the title (at the source blog) is misleading and a bit rage-baity. What happened with Cowork may have been rushed, possibly due to incompetence, but incompetence is not malice. This framing is also recycled across a few of the author's other interesting findings.
Within the article, the wording is much more accurate: “The victim uploads a skill file to Copilot Cowork that contains a prompt injection,” and “The injection manipulates Microsoft Copilot Cowork into posting a Teams message that exfiltrates pre-authenticated file download links when viewed.”
Well, isn't that swell - good that meanwhile countless MBA cretins have "adopted" enterprise-wide Copilot integrations, to make their companies "AI native" or whatever the word is on LinkedinLunatics street these days.
MS rushed this to production, sure they call it a beta feature but it's clear it was super rushed. They're desperate to be relevant.
Didn't the first 365 copilot lauch have a whole rollback as they belateded realised the rag setup would often ignore file access and permissions, so queries like "List the highest paid members of x team sorted by salary" would just work etc?
The combo of rushing with a technology that isn't very easy to control, understand or securely limit is just mad to me.
"Beta" in their world appears to be yolo-commit and mic drop.
The amount of brokenness in Teams never stops to astonish. It's that bad I think it's a psyop to nudge people back to the office.
AKA, if a malicious skill got into your AI agent, you're cooked.
I think this isn't surprising, nor do I think it should be considered a prompt injection at all. An AI skill is akin to a plugin for traditional software - if you install a malicious IDE extension or Outlook plugin, the attacker can also do whatever they want to the PC and exfiltrate whatever data they want to. So this article is a big nothingburger.
If this can be exploited via a skill, then it can be exploited via untrusted input inserted into context. Does Cowork help with reading email?
i think people are probably already doing it. i made a skill scanner but it's also just easy to download a zip and inspect the contents... but people are loading these things remotely. i agree that it is easy to not install a pentester's magic skill, but the attack capabilities a skill can have are pretty insane. people should just make their own is my pov.
While debugging in Cursor a couple weeks ago, Opus 4.6 chirped it had discovered that my token, when base64 decoded, had a date that was in the past - perhaps expired?
And it was expired!
And I was happy. And some time passed - and I realized it had read my .env file and performed operations on my API keys.
That these models do all this stuff already makes me assume any skill take over is simply trivial.
Only if it has access to exfiltrate data. We deny by default and the company has to allowlist each individual destination.
I wonder if via-skill could become a software distribution channel. A bit like what has happened with LLM wiki
Its actually even worse — its advertising for their product
Thankfully inserting malicious skills is not something that can easily be done, you need to a lot of things wrong and the attacker to do a lot of things right in order for it to be exploited.
Basically everyone I know is installing almost random skills collections...
Unlike plugins in traditional software, skills do not represent a carveout from any security boundary nor run with elevated trust. They're just selectively loaded context. Anything you can convince an agent to do with a skill you can convince it to do without one.
ai skill is not just a plugin. given the right model, supposedly, it can do much more. since everyones harness tends to be tied to the model, it has a whole tool set to use.
It's yet another surface for dependency attacks
Nice find. We're PoCing Cowork and I've personally been impressed with it so far, but it seems we'll have to wait with a wider rollout until Microoft give us more admin feature to turn off what users can do with it.
> Note: Admins have limited oversight of ‘Skills’, as Skills in Copilot Cowork are automatically loaded from a specific path in a user’s OneDrive.
I feel this part is a bit disingenuous. We have full control over the sharepoint containers which house users personal onedrives. We actively scan them and prevent a lot of files from getting in them. That being said, it's still a fair point, because a "skill" could basically be a text file.
Large-scale adoption will take time; we still need a lot more infrastructure, such as security, auditing, and payment systems.
Ah yes, hackers capitalizing on human's laziness. Always ggwp.
But maybe we can like invent a program that will avoid the consequences of laziness while allowing us the benefits of the shortcuts!
Here's my repo for running copilot in a vm
github.com/gokuvegeta894/node-copilot-vm
(Fake link, if someone typosquats the above link and it exists, assume it's malware)