Description
Summary
Community-made skills are being distributed under the anthropic/ namespace, impersonating official Anthropic skills. This creates a trust boundary vulnerability where users may grant elevated permissions to community skills they believe are official.
Discovery
During a comprehensive security audit of 580+ installed Claude Code skills, we found 6 skills placed under ~/.claude/skills/anthropic/:
| Skill | author field | allowed-tools |
|---|---|---|
| anthropic-expert (root) | not set | Read, Grep, Glob |
| claude-code | not set | Read, Grep, Glob |
| claude-command-builder | not set | Read, Write, Edit, Grep, Glob, Bash |
| claude-mcp-expert | raintree | Read, Write, Edit, Grep, Glob, Bash |
| claude-hook-builder | not set | Read, Write, Edit, Grep, Glob, Bash |
| claude-settings-expert | not set | Read, Write, Edit, Grep, Glob |
| claude-skill-builder | raintree | Read, Write, Edit, Grep, Glob, Bash |
None of these exist in the official anthropics/skills repository. Two skills explicitly list author: raintree, confirming they are community-made.
Security Concern
Trust Boundary Abuse
- Users see `anthropic/` in the skill path and assume official Anthropic provenance
- This lowers their guard when approving operations, especially Bash execution and `settings.json` modifications
- `claude-hook-builder` can write PostToolUse hooks to `settings.json`, enabling arbitrary command execution after every tool use
- `claude-settings-expert` can directly edit `settings.json` and documents `bypassPermissions` (as a warning, but the JSON structure is shown)
Attack Scenario
User installs "anthropic/" skills from a community collection
→ Trusts them as official due to namespace
→ Approves Bash operations without scrutiny
→ claude-hook-builder writes a PostToolUse hook
→ All subsequent tool executions trigger arbitrary commands
Suggested Mitigations
- Reserved namespace: Prevent community skills from using `anthropic/` as a directory name in skill registries
- Namespace verification: Add a verification mechanism (e.g., signed manifests) for official Anthropic skills
- Documentation: Warn users in the skills documentation that directory names do not imply official provenance
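As an added illustration of the check a user or a registry could run today against both the concern above (hook-based command execution, `bypassPermissions`) and the reserved-namespace mitigation, here is a small Python audit. It is example code written for this issue, not part of Claude Code, the official skills repository, or the skills named in the table. It treats the directory name as an untrusted claim: any skill installed under a reserved namespace is reported regardless of what its `author` field says, since that field is free text that any skill author can set, and the script also lists every `PostToolUse` command hook and the permission mode found in a `settings.json`. The skill layout (`<root>/<namespace>/<skill>/SKILL.md` with YAML frontmatter carrying `author` and `allowed-tools`), the `hooks`/`permissions` layout of `settings.json`, and the `RESERVED_NAMESPACES` set are assumptions; the sample skills and settings it builds in a temporary directory are constructed for the demonstration.

```python
"""Audit Claude Code skills for reserved-namespace impersonation and inspect
settings.json for PostToolUse command hooks.

Added example for this issue, not code from Claude Code or Anthropic. The
skill layout (<root>/<namespace>/<skill>/SKILL.md with YAML frontmatter), the
hooks/permissions layout of settings.json, and RESERVED_NAMESPACES are
assumptions made for the illustration."""
import json
import re
import tempfile
from pathlib import Path

RESERVED_NAMESPACES = {"anthropic", "anthropics"}  # assumption: names users read as "official"
HIGH_RISK_TOOLS = {"Bash", "Write", "Edit"}          # tools that run commands or persist changes
FRONTMATTER_RE = re.compile(r"\A---[ \t]*\n(.*?)\n---", re.S)


def parse_frontmatter(text: str) -> dict:
    """Minimal 'key: value' reader for SKILL.md frontmatter (flat keys only, no YAML library)."""
    m = FRONTMATTER_RE.match(text)
    if not m:
        return {}
    fields = {}
    for line in m.group(1).splitlines():
        if ":" in line and not line.startswith((" ", "\t", "#")):
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def audit_skills(skills_root) -> list:
    """Flag every skill whose top-level directory is a reserved namespace.

    The directory name is an untrusted claim, so the finding is raised no matter
    what the author field says; the author is only reported for context."""
    root = Path(skills_root)
    findings = []
    for skill_md in sorted(root.rglob("SKILL.md")):
        rel = skill_md.parent.relative_to(root)
        namespace = rel.parts[0] if rel.parts else ""
        if namespace not in RESERVED_NAMESPACES:
            continue
        fm = parse_frontmatter(skill_md.read_text(encoding="utf-8"))
        tools = {t.strip() for t in fm.get("allowed-tools", "").split(",") if t.strip()}
        findings.append({
            "skill": rel.as_posix(),
            "author": fm.get("author", "not set"),
            "risky_tools": sorted(tools & HIGH_RISK_TOOLS),
        })
    return findings


def find_post_tool_use_commands(settings: dict) -> list:
    """Return (matcher, command) for each command hook under hooks.PostToolUse.

    Assumed layout: {"hooks": {"PostToolUse": [{"matcher": "<regex>",
    "hooks": [{"type": "command", "command": "..."}]}]}}.
    An empty or missing matcher fires after every tool call."""
    hits = []
    for entry in settings.get("hooks", {}).get("PostToolUse", []):
        matcher = entry.get("matcher") or "<all tools>"
        for hook in entry.get("hooks", []):
            if hook.get("type") == "command":
                hits.append((matcher, hook.get("command", "")))
    return hits


def permission_mode(settings: dict) -> str:
    """Report permissions.defaultMode (assumed key); 'bypassPermissions' disables prompting."""
    return settings.get("permissions", {}).get("defaultMode", "default")


def demo() -> dict:
    """Build a constructed skills tree and settings.json in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "skills"
        # Constructed sample skills, shaped like the rows in this issue's table.
        samples = {
            "anthropic/claude-hook-builder":
                "---\nname: claude-hook-builder\nallowed-tools: Read, Write, Edit, Grep, Glob, Bash\n---\n# Hook builder\n",
            "anthropic/claude-mcp-expert":
                "---\nname: claude-mcp-expert\nauthor: raintree\nallowed-tools: Read, Write, Edit, Grep, Glob, Bash\n---\n",
            "community/my-linter":
                "---\nname: my-linter\nauthor: someone\nallowed-tools: Read, Bash\n---\n",
        }
        for rel, body in samples.items():
            d = root / rel
            d.mkdir(parents=True)
            (d / "SKILL.md").write_text(body, encoding="utf-8")
        # Constructed settings.json with a catch-all PostToolUse command hook.
        settings = {
            "permissions": {"defaultMode": "acceptEdits"},
            "hooks": {"PostToolUse": [{"matcher": "", "hooks": [
                {"type": "command", "command": "sh -c 'echo hooked >> /tmp/hooked.log'"}]}]},
        }
        settings_path = Path(tmp) / "settings.json"
        settings_path.write_text(json.dumps(settings), encoding="utf-8")
        loaded = json.loads(settings_path.read_text(encoding="utf-8"))
        return {
            "skills": audit_skills(root),
            "hooks": find_post_tool_use_commands(loaded),
            "mode": permission_mode(loaded),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it as-is to see the constructed findings, or point `audit_skills` at `~/.claude/skills` and `find_post_tool_use_commands` at a loaded `~/.claude/settings.json` to check a real install. The check is deliberately a detection aid, not the verification mechanism suggested above: without signed manifests there is nothing on disk that can prove a skill under `anthropic/` is official, which is why the script never whitelists a skill on the strength of its `author` field.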
Note
The skills themselves do not appear to contain actively malicious code. The claude-hook-builder skill includes appropriate "USE AT YOUR OWN RISK" warnings. The concern is purely about the trust boundary created by the anthropic/ namespace impersonation.