ESET — 3,000+ Malicious AI Skills Found in Agent Ecosystem Scan

AI relevance: Malicious AI agent skills are a direct supply-chain attack vector — poisoned tool packages that steal credentials, execute malware, or hijack agent behavior at scale.

  • ESET's H1 2026 Threat Report scanned nearly 900,000 AI skills across agent ecosystems and identified over 3,000 malicious and 25,000+ suspicious entries.
  • Between March and May 2026, unique skills scanned exploded from 60,000 to ~900,000 — a 15x growth in two months showing how fast the agent tool ecosystem is expanding.
  • Malicious skill capabilities include: command execution, file access, downloading third-party tools, credential loading, code injection, and obfuscation.
  • Some skills masquerading as security scanners performed only superficial checks, giving users a false sense of protection while doing nothing to detect real threats.
  • Red-team, self-modifying, and online purchasing skills were also cataloged — adversarial tooling that can automate reconnaissance, modify malware, or buy resources on behalf of attackers.
  • Adversaries are obfuscating intent using region-specific, niche, or constructed languages to bypass text-based security filters in skill review pipelines.
  • The report also tracks ClickFix expansion into AI-themed pages — fake error messages hosted on domains associated with Anthropic, OpenAI, and Microsoft to trick users into running malicious commands.

Why it matters

AI agent skills are the new npm/PyPI — a massive, fast-growing ecosystem where supply-chain attacks can reach thousands of downstream users through a single poisoned package. Unlike traditional package managers, many agent skill ecosystems lack mandatory code review, signature verification, or sandboxing. The growth curve (60K → 900K skills in 8 weeks) means the attack surface is expanding faster than defensive tooling can keep up.

What to do

  • Audit every AI skill before deployment — treat them like untrusted third-party code with full system access.
  • Pin skill versions and monitor for unexpected capability changes between releases.
  • Run agent skills in sandboxed environments with explicit permission boundaries — no implicit file system or network access.
  • Implement runtime monitoring for agent tool calls: flag unexpected command execution, credential access, or outbound network connections.
  • Prefer skills from verified publishers with signed manifests and reproducible builds.

Sources