Claude Code Policy: Write Managed Settings Fast
Read More
Blog

Shadow AI: The Skills and Plugins Nobody Approved

Author:
Eyal Ben Ezra
00 min
July 2, 2026

Most security teams are watching the wrong target. They have their eyes on rogue chatbots and MCP servers, while the fastest-growing form of shadow AI walks in through a plain markdown file. Skills and plugins are the new shadow AI, and most organizations cannot tell you how many are running right now.

A skill is a set of instructions your AI agent follows. A plugin is an installable package that can run code and reach your tools. Both get added in seconds, by almost anyone, and neither has to route through a central system to work. That is the whole problem. Capability spreads across the org, and nobody holds the list.

This guide breaks down what skills and plugins actually are, why they are a real security risk, why your existing tools miss them, and how to bring them under governance without slowing your teams down.

What is shadow AI?

Shadow AI is any AI tool, model, agent, skill, or plugin used inside an organization without the knowledge or approval of IT and security. Like shadow IT before it, it spreads because it makes people faster. Unlike shadow IT, it can read your data, run code, and act on your systems on its own.

The difference matters. A shadow SaaS app sat in a browser tab. A shadow AI agent, armed with an unapproved skill or plugin, can query a database, open a pull request, or move data out of the building. The blast radius is larger, and it is growing every week.

Skills and plugins are the new face of shadow AI

For the last year, the shadow AI conversation has been about MCP servers and consumer chatbots. Those are real. They are also the part everyone can see. The quieter risk is the one accumulating on laptops across the company: the skills and plugins your people connect by hand, every day, approved by no one.

It spreads from the ground up. Developers and non-developers alike wire their own capability into their agents to move faster, whether the company has a policy or not. By the time anyone asks how many are running, the honest answer is that no one knows.

What a skill actually is

A skill is a plain markdown file. It holds instructions your agent reads and follows: how to handle a task, which steps to take, what to prioritize. There is no code to compile and no install to approve. Anyone can drop one onto a machine, and the agent will follow it on the next run. That is the appeal, and the exposure. Your agents are following instructions nobody at your company has read.

What a plugin actually is

A plugin is an installable package that can run code. It bundles tools, connectors, and logic, and it can reach APIs, repositories, and internal services. A plugin is more capable than a skill, and more dangerous, because it does not just guide the agent. It executes. It installs in seconds and, like a skill, never has to pass through a central gateway to work.

MCPs sit alongside both. Together, skills, plugins, and MCPs form one ungoverned surface: capability added by hand, tied to no identity, logged nowhere.

Why ungoverned skills and plugins are a security risk

When you turn on discovery and show a team what is actually connected across their org, the number is always higher than they guessed. Underneath that number are concrete problems:

Secrets hiding in markdown files. API keys and tokens get pasted into skill files for convenience, then sit in plaintext on endpoints, outside any secrets manager.

Code execution nobody reviewed. Plugins run code. If a plugin is malicious, stale, or simply careless, it runs with whatever access the agent has.

Over-permissioned agents. Most agents are granted blanket access by default. A skill built for one task inherits far more reach than the task requires.

Prompt injection. A poisoned skill or a compromised plugin is a clean path for prompt-injection attacks, the risk category OWASP tracks as LLM06. Standard controls do not inspect it.

No audit trail. There is no owner, no approval record, and no link to a human identity. When something goes wrong, you cannot answer which agent, on whose behalf, touched which data, under which policy.

Malicious or not, stale or not, in policy or not, an unapproved skill is live either way. That is the state most organizations are in today.

Why traditional security misses shadow AI

DLP, IAM, CASB, and network gateways were built to govern humans and applications. They were not built for an agent that installs a markdown file locally and acts through an API. The install never crosses your network perimeter. The action happens at the prompt and tool layer, where legacy controls have no visibility.

This is why "we locked down MCP servers, so we are covered" is a false comfort. You secured the part you could see. Shadow AI is defined by the part you cannot.

How to govern shadow AI: visibility, policy, automation

Controlling skills and plugins comes down to three capabilities, in order.

  1. Visibility. You need to know which skills, plugins, and MCPs are installed across the company, who connected each one, and what it can touch. You cannot govern what you cannot count.
  2. Policy. Once you can see the surface, you decide what is allowed, what needs approval, and what should be blocked. The right altitude is the action, not the connection. Not "can this agent reach the database," but which data, under which conditions, doing what.
  3. Automation. No security team will manually review every skill file on every machine. Discovery and enforcement have to run continuously, scanning for new capability and applying policy the moment it appears.

One principle ties these together. You beat shadow AI by out-enabling it, not by outlawing it. A blocklist pushes people back into the shadows. A governed, self-serve path lets them move fast inside guardrails, which is the only version of this that survives contact with a real workforce.

How Willow governs shadow AI skills and plugins

Willow is the Agentic Access Platform for the enterprise. One control plane that governs every AI agent, tool, MCP, skill, and plugin, from the same place. It maps directly onto the three capabilities above.

Discovery you do not have today. A browser extension and an endpoint agent, pushed through MDM, surface unsanctioned skills, plugins, MCPs, and agents the moment they appear. This is the difference between securing what you already know about and seeing what you do not.

One view for the whole surface. Every skill and plugin in the org in one place: who connected it, what it can touch, and whether anyone approved it. The free-for-all becomes a governed marketplace, where approved skills and plugins install in one click, scoped to identity, with approval routed through Slack when needed.

Least privilege at runtime. Instead of granting blanket access, Willow generates the exact tools an agent needs for the task in front of it, and nothing else. This contains the blast radius, and it has a side benefit: one customer cut token consumption on certain tool operations by as much as 95%, because the model was no longer loading a catalog it never used.

Identity and audit by default. Every action ties to a real human on top of the identity provider you already run, whether that is Okta, Entra, Active Directory, or JumpCloud, and streams to your SIEM in real time. Audit-ready, not audit-someday.

The proof is in production. At Wix, Willow governs about 600 tools and MCPs and more than 300,000 tool calls a week, across roughly 5,000 weekly active users in HR, legal, finance, design, and R&D, not just engineering. Innovid governs developer machines around MCP and external-skill exposure. Riskified runs it in production. Willow is SOC 2 Type II, and most teams are live in seven days, not a pilot.

Security leaders can see the full picture on the shadow AI for security leaders page.

Frequently asked questions

What is shadow AI?

Shadow AI is any AI tool, model, agent, skill, or plugin used inside an organization without IT or security approval. It spreads because it makes people faster, and it is riskier than shadow IT because AI agents can read data, run code, and act on systems autonomously.

What are AI skills and plugins?

A skill is a plain markdown file of instructions an AI agent follows. A plugin is an installable package that can run code and connect the agent to tools, APIs, and internal systems. Both can be added by almost anyone in seconds, without central approval.

Why are skills and plugins a security risk?

They can hold secrets in plaintext, execute unreviewed code, over-permission agents, carry prompt-injection payloads, and leave no audit trail. Because they install locally and act through APIs, traditional DLP and IAM tools never see them.

How is shadow AI different from shadow IT?

Shadow IT was unapproved software and SaaS. Shadow AI is unapproved AI capability that can act on your systems. The exposure is larger because an agent with an unapproved skill can query data, run code, and move information without a human in the loop.

How do you detect shadow AI skills and plugins?

You need continuous discovery at the endpoint and browser, where skills and plugins are actually installed, since they never route through a network gateway. Willow uses a browser extension and an MDM-deployed endpoint agent to surface unmanaged skills, plugins, and MCPs as they appear.

Can you just block AI skills and plugins?

Blocking pushes people back into the shadows and slows the business. The durable approach is governed enablement: discover everything, set policy per skill and action, and give employees an approved, self-serve path so they move fast inside guardrails.

The bottom line

You can't govern what you can't count, and right now, most organizations can't count. Skills and plugins are already inside your org, connected to sensitive tools, running on permissions no one approved. The question is not whether to allow AI. It is whether you can see it, scope it, and prove it.

Willow brings every skill, plugin, and agent into one governed view. See it in five minutes, no sales call required.

Everything you need to get your Basecamp running.

Blog

What's happening on the AI agent frontier.

Documentation

Get up and running fast.

Rollout playbook

How to deploy across your org without chaos.

Your agents are already in the wild.

Give them a Basecamp. Go from AI chaos to AI work, in minutes.