Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Malicious skills in agentic AI: what does this change for teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9271
Topic starter  

TL;DR: Malicious skills can quietly instruct agents to download malware, exfiltrate code, or manipulate recommendations, turning agentic AI supply chains into a new attack surface, according to HiddenLayer. The security gap is structural because trust, provenance, and runtime isolation were not designed for skill packages that execute at agent speed.

NHIMG editorial — based on content published by HiddenLayer: The Next AI Supply Chain Risk: Malicious Skills in Agentic AI

By the numbers:

  • OpenClaw gained over 370k stars on GitHub in less than half a year’s time.

Questions worth separating out

Q: How should security teams govern third-party skills used by AI agents?

A: Security teams should treat third-party skills as untrusted runtime inputs, not harmless extensions.

Q: Why do malicious skills create a bigger risk than ordinary code dependencies?

A: Malicious skills can influence what an agent does after load time, including tool selection, command execution, and data handling.

Q: What do organisations get wrong about agentic AI supply chain risk?

A: They often scan for malware inside files and miss the instruction layer that changes agent behaviour.

Practitioner guidance

  • Gate skill ingestion by provenance and approval Require publisher verification, signed packages, and explicit approval before any agent can load a third-party skill into a developer or enterprise environment.
  • Sandbox agent skills by default Constrain filesystem access, network egress, and shell execution so a malicious SKILL.md cannot reach secrets or pivot into internal systems.
  • Inventory every agent-facing extension source Map where skills, plugins, and context files are pulled from, including GitHub repositories, mirrors, and curated lists used by developers.

What's in the full report

HiddenLayer's full research covers the operational detail this post intentionally leaves for the source:

  • A deeper breakdown of the OpenClaw skill architecture, including how SKILL.md, YAML metadata, and bundled files interact at runtime.
  • Examples of malicious skill behaviours in the wild, including malware download patterns and covert manipulation cases.
  • Mitigation patterns such as repository vetting, runtime analysis, command allow lists, and sandboxing approaches for agent workloads.
  • The article’s discussion of OWASP Agentic Applications and AST10 as mapping tools for agentic supply chain risk.

👉 Read HiddenLayer's analysis of malicious skills in agentic AI →

Malicious skills in agentic AI: what does this change for teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8712
 

Malicious skills are the new untrusted identity boundary for agentic systems. A skill is not just configuration. It is runtime instruction that can shape tool use, command execution, and decision flow inside an agent. That means the trust decision moves from code review to behavioural authorization, which is exactly where traditional software governance is weakest. Practitioners should treat skill ingestion as a control point, not a convenience feature.

A few things that frame the scale:

  • One of the biggest repositories to date is ClawHub, containing over 70k skills as of June 2026, according to LLMjacking.
  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.

A question worth separating out:

Q: Who is accountable when an agent runs a malicious skill and causes damage?

A: Accountability sits with the organisation that allowed the skill into the agent environment and with the team that defined the agent’s permissions and review process. The issue is governance of the full execution chain, including publisher trust, runtime isolation, and permission scope, not just the individual user who clicked install.

👉 Read our full editorial: Malicious skills make agentic AI the next supply chain risk



   
ReplyQuote
Share: