profero.io via Reddit

Profero Exposes Claude Skill-File Persistence Attack

Key insights

  • Claude Desktop's --allow-dangerously-skip-permissions flag removes all permission prompts, keeping only two hardcoded guards blocking recursive deletion commands.
  • Skill files at ~/.claude/skills/ are plain markdown with no signatures or checksums, making injected payloads indistinguishable from legitimate agent writes.
  • Attackers with only Write or Edit access in a low-privilege session can stage payload execution in a later fully-permissioned Claude session.

Why this matters

The --allow-dangerously-skip-permissions flag is a current Claude Desktop production feature, meaning this attack surface is live in any environment where agents run with that parameter today. The four-step chain (inject into a skill file, persist, trigger in a new session, execute with elevated permissions) requires only Write or Edit tool access at the outset, a capability many AI agent workflows grant by design, keeping the entry bar low. No existing EDR or file-integrity monitoring framework is configured to treat markdown files in ~/.claude/skills/ as trusted execution context, leaving a detection gap that session-scoped permission controls alone cannot close.

Summary

Profero's EDR detection flagged Claude Desktop's --allow-dangerously-skip-permissions flag and found a cross-session persistence attack that existing threat models aren't built to catch. The flag strips all permission prompts from child processes except two hardcoded guards against recursive deletion. With Write or Edit tool access in a constrained session, an attacker can inject payloads into skill files at ~/.claude/skills/, plain markdown files with no checksums or integrity verification. Those files load as trusted context in later sessions that may carry full permissions. Essentially, a sandboxed session becomes a staging ground for payload execution in a subsequent privileged one.

  • Skill files carry no signatures or checksums; injected writes are indistinguishable from legitimate agent behavior.
  • Read risks include ~/.ssh/id_rsa, .env files, and ~/.aws/credentials.
  • Deferred write vectors include shell configs, git hooks, and SSH keys executed outside the original session.

The attack isn't a single flaw; it's prompt injection combined with write access to trusted context that persists across session boundaries.

Potential risks and opportunities

Risks

  • Enterprises running Claude Desktop agents in CI/CD pipelines risk silent modification of git hooks and shell configs, corrupting build processes before any detection rule fires.
  • Security teams relying on session-scoped permission controls as a containment boundary will find that boundary ineffective against skill-file persistence, requiring a full audit of ~/.claude/skills/ contents across all agent deployments.
  • Read-access compromise of ~/.ssh/id_rsa or ~/.aws/credentials in an initial low-privilege session enables lateral movement to cloud infrastructure or remote systems before the originating session is reviewed.

Opportunities

  • EDR vendors can extend existing file-integrity monitoring to cover ~/.claude/skills/ and deliver immediate detection coverage for this specific attack chain with minimal new tooling.
  • Security firms offering AI agent red-teaming gain a concrete, demonstrable persistence chain to anchor new service offerings around AI-specific threat modeling.
  • Anthropic could differentiate Claude Desktop by shipping cryptographic integrity checks for skill files, positioning it as the first AI agent runtime with verifiable trusted context loading.
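Added example (not Profero's, Anthropic's or Claude Desktop's own code) of the file-integrity check that the "Why this matters" paragraph and the first Opportunities item call for: a SHA-256 manifest of ~/.claude/skills/ that reports skill files added, removed or modified since the baseline was recorded. The skill-file names, the manifest location and the directory layout are constructed assumptions for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Location the page names for skill files (assumed default; call .expanduser() before use).
DEFAULT_SKILLS_DIR = Path("~/.claude/skills")


def build_baseline(skills_dir: Path) -> dict:
    """Map every markdown skill file (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(skills_dir)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(skills_dir.rglob("*.md")) if p.is_file()}


def verify(skills_dir: Path, manifest: Path) -> dict:
    """Diff the live skills directory against a saved manifest.

    Keep the manifest outside the directory the agent can write to; otherwise the
    same Write/Edit access that alters a skill can also rewrite the baseline.
    """
    expected = json.loads(manifest.read_text())
    current = build_baseline(skills_dir)
    return {
        "added": sorted(set(current) - set(expected)),
        "removed": sorted(set(expected) - set(current)),
        "modified": sorted(k for k in current if k in expected and current[k] != expected[k]),
    }


def demo() -> dict:
    """Constructed scenario in a temp dir: baseline two skills, then introduce drift."""
    with tempfile.TemporaryDirectory() as tmp:
        skills = Path(tmp) / "skills"
        skills.mkdir()
        (skills / "deploy.md").write_text("# deploy\nRun the deployment checklist.\n")
        (skills / "review.md").write_text("# review\nSummarise the diff for the reviewer.\n")
        manifest = Path(tmp) / "skills.manifest.json"  # deliberately outside skills/
        manifest.write_text(json.dumps(build_baseline(skills), indent=2, sort_keys=True))
        # Simulated unreviewed changes after the baseline: an append to a trusted
        # skill file, one new file, one deleted file.
        with open(skills / "deploy.md", "a") as fh:
            fh.write("\n<!-- line appended after the baseline was recorded -->\n")
        (skills / "new-skill.md").write_text("# new\n")
        (skills / "review.md").unlink()
        return verify(skills, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Checksum drift only tells you that a skill file changed, not whether the write was a legitimate agent edit or an injected one, so treat any reported change as a review trigger before the next fully-permissioned session loads the file.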

What we don't know yet

  • Whether Anthropic has issued or plans an advisory or patch addressing the skill-file persistence vector as of June 2026.
  • Whether integrity mechanisms such as signatures or checksums for ~/.claude/skills/ files are on Claude Desktop's near-term roadmap.
  • How broadly --allow-dangerously-skip-permissions is deployed across enterprise Claude Desktop installations and whether any confirmed in-the-wild exploitation has been observed.