ESET — 3,000+ Malicious AI Skills Found in Agent Ecosystem Scan
AI relevance: Malicious AI agent skills are a direct supply-chain attack vector — poisoned tool packages that steal credentials, execute malware, or hijack agent behavior at scale.
- ESET's H1 2026 Threat Report scanned nearly 900,000 AI skills across agent ecosystems and identified over 3,000 malicious and 25,000+ suspicious entries.
- Between March and May 2026, unique skills scanned exploded from 60,000 to ~900,000 — a 15x growth in two months showing how fast the agent tool ecosystem is expanding.
- Malicious skill capabilities include: command execution, file access, downloading third-party tools, credential loading, code injection, and obfuscation.
- Some skills masquerading as security scanners performed only superficial checks, giving users a false sense of protection while doing nothing to detect real threats.
- Red-team, self-modifying, and online purchasing skills were also cataloged — adversarial tooling that can automate reconnaissance, modify malware, or buy resources on behalf of attackers.
- Adversaries are obfuscating intent using region-specific, niche, or constructed languages to bypass text-based security filters in skill review pipelines.
- The report also tracks ClickFix expansion into AI-themed pages — fake error messages hosted on domains associated with Anthropic, OpenAI, and Microsoft to trick users into running malicious commands.
Why it matters
AI agent skills are the new npm/PyPI — a massive, fast-growing ecosystem where supply-chain attacks can reach thousands of downstream users through a single poisoned package. Unlike traditional package managers, many agent skill ecosystems lack mandatory code review, signature verification, or sandboxing. The growth curve (60K → 900K skills in 8 weeks) means the attack surface is expanding faster than defensive tooling can keep up.
What to do
- Audit every AI skill before deployment — treat them like untrusted third-party code with full system access.
- Pin skill versions and monitor for unexpected capability changes between releases.
- Run agent skills in sandboxed environments with explicit permission boundaries — no implicit file system or network access.
- Implement runtime monitoring for agent tool calls: flag unexpected command execution, credential access, or outbound network connections.
- Prefer skills from verified publishers with signed manifests and reproducible builds.