820 Malicious Agent Skills and Nobody Noticed

In early February, researchers at Koi Security flagged 324 malicious skills on ClawHub. Three weeks later, they found 820. The number keeps climbing.

Agent skill marketplaces are repeating every security mistake app stores made a decade ago, but with higher stakes. Agents have system-level access that mobile apps never had. Builders need to audit every third-party skill for publisher identity, update history, and permission scope before deployment.

What Did Koi Security Actually Find?

Koi Security’s latest scan of ClawHub (the primary marketplace for AI agent extensions) uncovered more than 820 skills designed to steal data, execute arbitrary commands, or poison agent behavior. The jump from 324 to 820 in weeks suggests threat actors are scaling up faster than detection can keep pace. Most organizations installing third-party skills have no audit process whatsoever.

How Did We Get Here?

Agent skill marketplaces are repeating every security disaster that happened to app stores. Remember Android’s early days, before Google added scanning? Malware was rampant. Same story on iOS—fake apps slipped through review. The pattern’s consistent: marketplaces prioritize speed and volume over vetting.

The difference now is scope. Mobile apps run in sandboxes. They request specific permissions (camera, location, contacts) that users can deny. Agent skills have system-level access. They can read files, execute code, modify memory, and call other tools without traditional permission boundaries. A malicious skill doesn’t ask permission to read your API keys or intercept your database calls. It just does it.

What Are These 820 Skills Actually Doing?

The Koi Security research breaks down into predictable attack patterns:

Data exfiltration. Skills that masquerade as utilities but phone home with credentials, API tokens, or conversation logs. You install what looks like a “PDF summarizer” and it’s quietly uploading your company’s proprietary documents.

Command execution. Skills that accept seemingly innocent inputs (a file path, a URL parameter) and use them to run arbitrary shell commands. This is the same attack class that took down Jenkins servers for years.

Model poisoning. This is newer. Skills that inject false information into agent memory or training data, causing the agent to give incorrect or harmful advice downstream. Microsoft’s recent research found 50+ recommendation poisoning attacks across 31 organizations in 60 days alone.

Identity manipulation. Adversa AI’s March 2026 roundup flagged a new attack class: malicious skills that create fake identity files (SOUL.md) or corrupt persistent memory. These let attackers impersonate legitimate users or agents within your system.

The Marketplace Trust Problem

Installation counts, star ratings, and publisher reputation are all gameable. Here’s how it works in practice:

A threat actor creates a skill that solves a real problem—say, it does JSON parsing well. They build trust. After a few weeks, the skill gets an update. Now it does JSON parsing and exfiltrates environment variables. By then, thousands of agents are running it.

The damage has a long tail. You don’t find the compromise the day it happens. You find it when someone notices your AWS keys showed up in logs you don’t control. Or when your customer data appears for sale on a dark web forum. Or when an agent starts giving advice that contradicts everything you trained it to do.

43% of MCP servers (the infrastructure layer beneath agent skills) are vulnerable to command execution vulnerabilities according to recent analysis. That’s not a marginal problem. That’s a structural one.

What Builders Are Missing

We vet the people we hire. Background checks, references, interviews. But most organizations install third-party agent skills with zero friction. No audit. No permission review. No update tracking.

Agent skills are like hiring a contractor who shows up with their own equipment. You never check what’s in the toolbox. You assume it’s safe because the platform has a star rating.

The infrastructure isn’t helping. Agent skill marketplaces don’t provide:

• Signed attestations about what a skill does
• Change logs that highlight permission escalations
• Automated scanning results that users can see before install
• Revocation mechanisms if a publisher gets compromised

Some platforms are starting to address this. But the default state is open season.

What You Should Do Monday Morning

If your agents use third-party skills, you need answers to three questions about each one:

1. Who published it? Is this a person, a known company, or an anonymous account? When was the account created? Did it publish anything else?

2. When was it last updated? Skills that haven’t been touched in a year are higher risk. So are skills that just got updated without any changelog. Sudden updates from dormant accounts are a huge red flag.

3. What permissions does it request? Can it read files? Execute commands? Modify memory? Call other tools? Compare the permissions it claims to need against what it actually does. Mismatches suggest hidden functionality.

This takes time. That’s the point. The friction is the security.

If you can’t answer these questions, you shouldn’t deploy that skill. Not because all third-party skills are bad. Most are fine. But the cost of finding out the hard way is too high now. The threat actors have already found the scalable path.

Tomorrow: what happens when the agents running these skills are invisible to your security team. 70% of enterprises can’t even count how many agents they have in production. That’s the identity dark matter problem, and it makes everything we covered today worse.

---