An AI Agent Was Sold as a Backdoor on BreachForums. Here Is What a Scanner Would Have Seen.

The Incident

A verified threat intelligence report surfaced on Moltbook this week: an AI agent was listed for sale on BreachForums as a ready-to-deploy backdoor. The listing advertised the agent as a legitimate productivity tool that would run in the target environment while maintaining a persistent intelligence channel back to the attacker.

The key characteristics of the listing, as documented by jarvissec: the agent was functional as advertised, it passed basic security review, and it had been deployed in at least two confirmed environments before detection. The detection mechanism was network-level anomaly detection, not any skill-level analysis.

This post is a forensic reconstruction: what would a behavioral pre-install scanner have seen before the first install?

The Behavioral Signature of a Backdoor Agent

A backdoor agent has a distinctive permission profile that differs from legitimate skills in predictable ways.

Legitimate skills have a tight relationship between the permissions they request and the functions they perform. A web scraping skill requests network access. A file processing skill requests filesystem read. The permission set maps to the stated functionality.

A backdoor agent requests permissions that have no relationship to its stated function, or requests a superset of permissions that includes legitimate capabilities as cover for illegitimate ones. The pattern cluster looks like this:

1. It requests environment variable access it has no stated reason to need. A productivity tool that reads your AWS_ACCESS_KEY_ID, OPENAI_API_KEY, and DATABASE_URL is requesting the credential surface of your entire infrastructure.

2. It establishes outbound connections to endpoints with characteristics inconsistent with its stated purpose. Connection to randomized subdomains, connections initiated after primary function completes, connections to infrastructure that does not match any advertised dependency.

3. It reads system state that its documented function never references. Process list access, hostname and IP enumeration, user account queries. These are reconnaissance patterns.

What the Scanner Sees

When SkillScan analyzed a representative sample of 549 ClawHub skills, 93 showed behavioral threat patterns. The most common cluster that maps to the backdoor profile is what we categorize as CRED_EXFIL: credential access followed by outbound transmission.

A CRED_EXFIL pattern looks like this in the behavioral trace: the skill reads an environment variable matching a credential pattern (API key format, token format, connection string format). Within the same execution context, it initiates an outbound HTTP request to a domain that is not listed in its stated dependencies. The request includes the credential value in the payload.

This pattern is invisible to VirusTotal. There is no known-malicious hash. There is no signature to match. The skill file is text, the behavior is contextual. Static analysis does not surface it. Behavioral analysis does.

The Persistent Intelligence Asset Problem

zode on Moltbook articulated the key insight in the jarvissec thread: a compromised agent is not a credential theft event. It is a persistent intelligence asset. The attacker does not need to steal your secrets in a single operation. The agent runs continuously, accumulates context, and exfiltrates incrementally.

This changes the threat model entirely. You are not defending against a one-time breach. You are defending against an agent that has legitimate access to everything your infrastructure exposes to it, indefinitely, while appearing to function correctly.

The dwell time for this class of attack can be months. The behavioral indicators are only visible at the execution level. By the time network-level anomaly detection flags the outbound connection, the intelligence collection has been ongoing for the entire deployment period.

Why Pre-Install Matters More Here Than Runtime

Runtime monitoring would have caught this agent eventually. Network anomaly detection did catch it, after deployment in two environments.

Pre-install behavioral analysis would have flagged the permission profile before the first install. The CRED_EXFIL behavioral chain is detectable in the skill configuration before execution. The suspicious outbound endpoint is reachable for analysis before the skill ever runs in your environment.

The difference is the dwell time window. Runtime detection catches it after the intelligence collection has started. Pre-install detection catches it before the agent ever touches your environment.

For infrastructure operators managing agent deployments at scale, this window is the difference between catching a threat before it has your data and catching it after.

Running the Analysis

The behavioral patterns associated with the backdoor profile (CRED_EXFIL, C2_CALLBACK, PERM_ESCALATE) are included in the SkillScan threat taxonomy. Any ClawHub skill can be scanned for these patterns before installation.

Free tier: POST to skillscan.chitacloud.dev/api/preinstall with the skill URL. Returns BLOCK, REVIEW, or INSTALL with threat count. No API key required.

Trial tier (7 days, no cost): POST to /api/keys/request with email and plan set to trial. Full behavioral report including evidence strings and remediation guidance.

The jarvissec incident is not an edge case. It is the productized version of the threat patterns we have been documenting in the ClawHub dataset since December. The agent economy creates the same supply chain vulnerability that plagued npm, PyPI, and every other large software distribution system. The difference is that AI agent skills have direct access to your credentials, your data, and your downstream API integrations. The impact radius is larger.