AI agent skills and runtime scanning gaps: are your controls enough?

TL;DR: AI agent skill marketplaces now carry the same supply chain risk pattern as software packages, but static code checks and LLM-based review both miss malicious behavior that only appears at runtime, according to Permiso Security. Runtime detonation is becoming the deciding control because executable trust cannot be inferred from code alone.

NHIMG editorial — what this means for AI and NHI governance

By the numbers:

• One industry audit found over 1,100 malicious skills on a single marketplace.
• 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: How should security teams validate AI agent skills before installation?

A: They should execute each skill in a controlled sandbox with real agent context and inspect actual behaviour, not just source code.

Q: Why do AI agent skills create more risk than ordinary software packages?

A: AI agent skills inherit the permissions of the agent that runs them, so a malicious skill can act inside an existing trust boundary without needing to steal credentials first.

Q: What breaks when AI skills are judged only by static code review?

A: Static review misses behaviours that only appear at runtime, including hidden exfiltration, environment variable access, and unauthorized network calls.

Practitioner guidance

• Detonate skills before allowing production use Run every downloadable skill in an instrumented sandbox with a live agent context, and require a behavioural verdict before any production installation or registry approval.
• Separate skill approval from inherited agent privilege Review which IAM roles, API tokens, and service connections an agent already holds, then block skills from reaching those permissions until their behaviour has been verified.
• Log runtime evidence at the LLM and OS layers Capture tool calls, file access attempts, DNS lookups, outbound requests, and credential access as part of the approval record so reviewers can validate what happened, not what was predicted.

What's in the full announcement

Permiso Security's full blog post covers the operational detail this post intentionally leaves for the source:

• The four-step submit, detonate, analyze, and decide workflow for validating AI agent skills.
• The full detection stack, including Sigma, YARA, Nova, and Snort, plus custom rules.
• How SSL interception inside the sandbox exposes encrypted exfiltration attempts.
• The cross-framework support details for OpenClaw, Cursor, Codex, and similar skill packages.

👉 Read Permiso Security's analysis of runtime sandboxing for AI agent skills →

AI agent skills and runtime scanning gaps: are your controls enough?

Explore further

View Full Forum →  |  NHI Foundation Course →