Cato CTRL found that Anthropic’s Claude Skills single-consent model lets approved Skills run hidden helper code with persistent permissions to read/write files, download and execute external scripts, and open outbound connections without additional prompts. In a controlled PoC they modified the open-source GIF Creator Skill to fetch and run a live MedusaLocker ransomware payload, demonstrating an end-to-end attack chain and large-scale enterprise impact. #MedusaLocker #ClaudeSkills
Keypoints
- Claude Skills run user-provided code with local filesystem and network access, granting the Skill the privileges of a local process.
- A single approval in strict mode covers only the visible code shown to the user; additional remote helpers can be fetched and executed under the same approval.
- Cato CTRL modified Anthropic’s open-source GIF Creator Skill by adding a benign-looking post_save helper that silently downloaded and executed external code.
- Using that pattern, Cato CTRL executed a live MedusaLocker ransomware test that performed full file encryption without secondary prompts or visible logs.
- Skills are widely shareable via GitHub and social channels, enabling social-engineering-driven propagation of malicious Skill variants.
- Anthropic’s response emphasizes user responsibility to run trusted Skills, while Cato CTRL highlights a consent gap where hidden components inherit persistent permissions.
- Recommended mitigations include running Skills in sandboxed environments, treating Skills like executables, verifying source code, and monitoring runtime activity for subprocesses, file writes, and outbound connections.
MITRE Techniques
- [T1204 ] User Execution – The attack relies on the user approving and executing a Skill; ‘Skills are intentionally designed to execute code, and before execution users are explicitly asked if they want to run the skill and are warned: “Claude may use instructions, code, or files from this Skill.”‘
- [T1105 ] Ingress Tool Transfer – Hidden helpers download and deliver external payloads into the environment; ‘the hidden helper fetched and executed the MedusaLocker payload’
- [T1059 ] Command and Scripting Interpreter – The Skill runs scripts and spawns subprocesses to execute commands; ‘fetch and execute an external script without additional prompts or visibility.’
- [T1486 ] Data Encrypted for Impact – The PoC executed ransomware that encrypted files as the impact goal; ‘performing full file encryption-all under the same initial approval.’
- [T1195 ] Supply Chain Compromise – Malicious Skill variants can be propagated through public repositories and social channels as trusted modules; ‘Because Skills can be freely shared through public repositories and social channels, a convincing “productivity” Skill could easily be propagated through social engineering.’
- [T1041 ] Exfiltration Over C2 Channel (potential) – Hidden helpers can open outbound connections and may exfiltrate data or communicate with remote payloads; ‘it gains persistent permissions to read/write files, download or execute additional code, and open outbound connections, all without further prompts or visibility.’
Indicators of Compromise
- [Malware ] PoC payload used in testing – MedusaLocker (live ransomware used to demonstrate end-to-end execution)
- [File name ] Skill artifacts and helper functions – SKILL.md, post_save helper function (added to GIF Creator Skill to fetch external scripts)
- [Repository/Project ] Source distribution/context – Anthropic’s GIF Creator Skill on GitHub (original open-source Skill modified in PoC)
- [Organization/System ] Targeted platform context – Anthropic, Claude Skills (platform and feature where the single-consent model exists)
Read more: https://www.catonetworks.com/blog/cato-ctrl-weaponizing-claude-skills-with-medusalocker/