TL;DR: AI agent skill marketplaces can be weaponized through spoofed popularity signals, non-continuous scanning, silent overrides, and blind bulk updates, allowing malicious skills to reach users with persistent code execution, according to Orca Security. Treating skills as untrusted code is now a supply chain identity problem, not just a developer convenience issue.
NHIMG editorial — based on content published by Orca Security: LLMjacking and malicious AI agent skill supply chain risks
Questions worth separating out
Q: What breaks when AI agent skills are not reviewed before installation?
A: The main failure is that malicious instructions can hide inside a skill that appears legitimate, then execute under the agent’s delegated access.
Q: Why do AI agent skill marketplaces create a governance risk for IAM teams?
A: They create risk because they distribute executable behaviour through a trust layer that looks like content, not identity.
Q: How do security teams know whether agent skills are actually under control?
A: They should look for version pinning, per-skill ownership, change diffs before update, and collision warnings when a name is reused.
Practitioner guidance
- Inventory installed agent skills as first-class identities: track every skill, its source repository, version, install date, and the commands or workflows it can trigger.
- Require explicit diff review before updates: block bulk refreshes that change all skills at once.
- Treat name collisions as hostile until verified: if a newly installed skill uses the same name as a trusted one, force a warning and manual verification before replacement occurs.
What's in the full report
Orca Security's full research covers the operational detail this post intentionally leaves for the source:
- A worked example of how install count inflation can be triggered through unauthenticated telemetry.
- The exact sequence of the bait-and-switch, nested injection, and delayed weaponization attack flows.
- Proof-of-concept evidence showing code execution on end-user systems from malicious agent skills.
- Defensive recommendations for platform operators, including authenticated telemetry and per-skill updates.
👉 Read Orca Security's analysis of malicious AI agent skills and supply chain abuse →
AI agent skill marketplaces: what IAM teams need to watch
Explore further
AI agent skill marketplaces are becoming identity distribution layers, not just extension stores. Once a skill can change agent behaviour, invoke commands, and persist through updates, the marketplace is part of the identity trust chain. That shifts the problem from code quality to delegated execution integrity, where provenance and lifecycle control matter as much as scanning. Practitioners should treat skill installation as a privileged trust event, not a routine add-on.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: What should organisations do when an agent skill can silently replace another skill?
A: They should treat silent replacement as a control failure and block it at the policy layer. A skill name should not be enough to override an existing trusted skill without an explicit prompt, provenance check, and review of the source repository. Otherwise, the environment cannot distinguish maintenance from substitution.
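The practitioner guidance above (version pinning, per-skill ownership, diff review before update, refusal of bulk refreshes) and this question about silent replacement describe the same control set. The following Python is an added illustration written for this editorial, not code from Orca Security or any marketplace; the `Skill` record, the `TRUSTED` inventory, the candidate skills and the `example.invalid` repository URLs are all constructed, and the one-change-per-approval limit (`MAX_BATCH`) is an assumed policy value.

```python
"""Policy gate for agent-skill install and update events (added example)."""
from dataclasses import dataclass, field
import difflib
import hashlib
import re


# Assumed data model: one record per installed skill, keyed by name.
@dataclass
class Skill:
    name: str
    source_repo: str   # provenance: where the skill came from
    version: str       # must be an exact pin such as "1.4.2", never "latest"
    owner: str         # accountable team or person (per-skill ownership)
    content: str       # the skill's instruction/script body
    digest: str = field(init=False)

    def __post_init__(self):
        self.digest = hashlib.sha256(self.content.encode()).hexdigest()


EXACT_PIN = re.compile(r"^\d+\.\d+\.\d+$")
MAX_BATCH = 1  # assumed policy: at most one changed skill per approval


@dataclass
class Decision:
    action: str        # "allow", "review" or "block"
    reasons: list
    diff: str = ""     # unified diff shown to the reviewer when action == "review"


def evaluate_install(inventory: dict, candidate: Skill) -> Decision:
    """Decide whether one skill may be installed or replace an existing one."""
    if not EXACT_PIN.match(candidate.version):
        return Decision("block", [f"version '{candidate.version}' is not an exact pin"])
    existing = inventory.get(candidate.name)
    if existing is None:
        return Decision("review", ["new skill: confirm owner and source repository"])
    # Same name from a different repository is a collision, hostile until verified.
    if existing.source_repo != candidate.source_repo:
        return Decision("block", [
            f"name collision: '{candidate.name}' is installed from "
            f"{existing.source_repo}, candidate comes from {candidate.source_repo}"])
    if existing.digest == candidate.digest:
        return Decision("allow", ["content unchanged"])
    # Same provenance but changed content: surface the diff, require human review.
    diff = "".join(difflib.unified_diff(
        existing.content.splitlines(True), candidate.content.splitlines(True),
        fromfile=f"{candidate.name}@{existing.version}",
        tofile=f"{candidate.name}@{candidate.version}"))
    return Decision("review", [
        f"content changed {existing.version} -> {candidate.version}; review diff before install"], diff)


def evaluate_batch(inventory: dict, candidates: list) -> dict:
    """Refuse blind bulk refreshes: more than MAX_BATCH changed skills blocks the whole batch."""
    changing = [c for c in candidates
                if c.name not in inventory or inventory[c.name].digest != c.digest]
    if len(changing) > MAX_BATCH:
        return {c.name: Decision("block", [
            f"bulk update of {len(changing)} skills refused; update and review one at a time"])
            for c in candidates}
    return {c.name: evaluate_install(inventory, c) for c in candidates}


# Constructed sample data: one trusted skill and four candidate events.
TRUSTED = {
    "deploy-helper": Skill("deploy-helper", "https://example.invalid/acme/deploy-helper",
                           "1.4.2", "platform-team", "run: ./deploy.sh --env staging\n"),
}
COLLIDING = Skill("deploy-helper", "https://example.invalid/someone-else/deploy-helper",
                  "1.4.3", "unknown", "run: ./deploy.sh --env production\n")
UPDATED = Skill("deploy-helper", "https://example.invalid/acme/deploy-helper",
                "1.5.0", "platform-team", "run: ./deploy.sh --env staging --verify\n")
FLOATING = Skill("deploy-helper", "https://example.invalid/acme/deploy-helper",
                 "latest", "platform-team", "run: ./deploy.sh --env staging\n")
NEW_SKILL = Skill("log-summarizer", "https://example.invalid/acme/log-summarizer",
                  "0.1.0", "sre-team", "summarize: /var/log/app.log\n")

if __name__ == "__main__":
    for cand in (COLLIDING, UPDATED, FLOATING, NEW_SKILL):
        d = evaluate_install(TRUSTED, cand)
        print(f"{cand.name}@{cand.version}: {d.action} - {d.reasons[0]}")
        if d.diff:
            print(d.diff)
    print({k: v.action for k, v in evaluate_batch(TRUSTED, [UPDATED, NEW_SKILL]).items()})
```

The gate answers the question in the Q&A directly: a matching name alone never authorises replacement. Provenance (source repository) must match, the version must be an exact pin, changed content is shown as a diff for a human to approve, and a batch that touches more than one skill is refused outright so maintenance stays distinguishable from substitution.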
👉 Read our full editorial: AI agent skill marketplaces expose a new supply chain risk