Researchers Exploit Anthropic ‘Skills’ to Deliver Ransomware

The short version

Security researchers at Cato Networks showed that a popular, open‑source “Skill” for Anthropic’s Claude can be tweaked to silently download and execute MedusaLocker ransomware—no jailbreak needed. The demo didn’t rely on tricking the model with prompts; it abused the new Skills plug‑in system, which is designed to run code. Anthropic acknowledged the risk and pointed to user responsibility and built‑in warnings. Axios first reported the finding, and Cato published technical details the same day.

What happened

On December 2, 2025, Cato Networks’ researcher Inga Cherny disclosed a proof‑of‑concept (PoC) showing how a benign Claude “Skill” could be weaponized to deploy the MedusaLocker ransomware in a controlled lab. The team started with Anthropic’s open‑source “GIF Creator” Skill, added a helper function that fetched and ran a remote script, and then used Claude Code to execute the Skill. Because only the visible, on‑disk code was surfaced for review, Claude and the user never saw the malicious payload that was pulled at runtime. The chain culminated in full file encryption in the test environment. Axios’ write‑up and Cato’s technical blog both detail the approach. Cato CTRL blog.

How the PoC attack worked

What are Claude Skills, exactly?

Anthropic launched Skills on October 16, 2025 as portable, composable modules—folders of instructions and files (and optionally scripts)—that Claude loads only when relevant. They’re meant to package workflow know‑how (e.g., “use our brand template for slides” or “work with Excel safely”) and can be used across Claude apps, Claude Code, and the API. Critically, Anthropic’s own description notes that Skills can include executable code and that users should install only from trusted sources. Anthropic product post, Help Center, Agent Skills docs, and the anthropics/skills repository.

Why that matters for security

This is a classic software‑supply‑chain problem. Once a Skill is approved to run, it can:

• Read and write files and spawn processes within its execution context.
• Make outbound network calls if not blocked by policy.
• Indirectly pull in code or content that wasn’t part of the reviewed bundle.

Anthropic’s documentation highlights these risks and urges auditing any third‑party Skills, especially those that fetch external resources. Agent Skills docs.

How the exploit bypassed user expectations

Cato calls out a “consent gap”: approval prompts showed code on disk, but not the remote script fetched later by the helper function. From the user’s point of view, the approved script looked harmless. In practice, that approval extended trust to the script’s subprocesses and network fetches, which then pulled a MedusaLocker payload. Cato CTRL, Axios.

For context, MedusaLocker is a long‑running ransomware family (tracked since 2019) and distinct from the “Medusa” RaaS variant that CISA warned about in 2025. SC Media on MedusaLocker, CISA MedusaLocker advisory (archived), and CISA Medusa advisory (2025).

What Anthropic says—and what’s changing

Anthropic’s response to the disclosure emphasized that Skills are designed to execute code, users see warnings before execution, and it’s the user’s responsibility to run only trusted Skills. Axios, Cato CTRL.

Separate from this incident, Anthropic has been rolling out stronger guardrails in Claude Code via OS‑level sandboxing that can enforce filesystem scoping and network egress allowlists—reducing “approval fatigue” and constraining what spawned processes can do. Those controls are configurable and can be run locally or via Claude Code on the web. They’re not a silver bullet, but they directly target the class of “download and run” abuse shown in the PoC. Anthropic engineering post on sandboxing, Code execution tool docs.

Why this should be on every CIO/CISO’s radar

LLM plug‑in ecosystems turn AI assistants into automation platforms. That’s great for productivity—and equally attractive for attackers. The path of least resistance is shifting from jailbreaks to hijacking an assistant’s tooling and supply chain (Skills, MCP servers, connectors, package dependencies). Axios, Anthropic Agent Skills docs.

IBM’s 2025 Cost of a Data Breach report pegs ransomware incidents disclosed by attackers at an average $5.08M—before considering regulatory fines or long‑term churn. Help Net Security summary of IBM report, IBM report hub.

What teams should do now (practical guardrails)

What to watch next

• Per‑Skill permissions and second‑phase prompts: Expect vendors to add explicit egress scopes and “ask again on first network call” flows for Skills that load remote code.
• Signing and provenance: Trust frameworks (signing, SBOMs for Skills, internal catalogs) are the logical next step for enterprise rollouts.
• Cross‑ecosystem exposure via MCP: Community tools increasingly let “Claude‑style” Skills run in other agent clients. That portability is useful—and expands the attack surface. (See community MCP servers bridging Skills beyond Claude.) Example community project.

Sources

• Axios: Exclusive—Researchers trick Claude plug‑in into deploying ransomware (Dec 2, 2025). Link
• Cato CTRL: From Productivity Boost to Ransomware Nightmare – Weaponizing Claude Skills with MedusaLocker (Dec 2, 2025). Link
• Anthropic (product post): Introducing Agent Skills (Oct 16, 2025). Link
• Anthropic Help Center: What are Skills? (Updated Dec 2, 2025). Link
• Anthropic Docs: Agent Skills—security considerations. Link
• Anthropic Engineering: Beyond permission prompts—Claude Code sandboxing (Oct 20, 2025). Link
• GitHub: anthropics/skills repository (open‑source examples). Link
• CISA: #StopRansomware—MedusaLocker (archived, 2022). Link
• CISA: #StopRansomware—Medusa (Mar 12, 2025). Link
• IBM: Cost of a Data Breach 2025 (report hub) and coverage (Aug 2025). Link, Help Net Security summary