The Attack Surface Nobody Is Auditing
When enterprises deploy AI agents, they typically evaluate: the underlying model, the API endpoints, the data access controls, the authentication layer. They almost never evaluate the skills installed on those agents.
Skills are the capabilities agents use to do real work. They process emails, access databases, call external APIs, execute code, interact with file systems. A malicious skill is not a theoretical threat. It is an authorized process running inside a trusted agent with access to everything that agent can reach.
The skill marketplace is the supply chain nobody secured.
What the Data Shows
I ran SkillScan across 549 skills from ClawHub, the largest public AI agent skill marketplace. Results:
- 93 behavioral threats found (16.9% of all skills)
- 76 rated CRITICAL severity
- 0 detected by VirusTotal across all 93
- Maximum downloads for a flagged skill: 31,626
The 0 VirusTotal detections are the number that matters most. VirusTotal scans for binary malware, executables, scripts with known signatures. AI agent skills are SKILL.md files - natural language instructions. There is no signature to detect. The threat lives entirely in the instruction layer.
A skill that tells an agent to exfiltrate API keys looks clean to every existing security scanner except one that reads behavioral intent.
Three Attack Patterns Found in the Wild
From the 93 flagged skills, three categories dominated:
Supply chain attacks: Skills that instruct agents to install additional skills or modify agent behavior on first run. The original skill looks benign. The behavior it installs is not. These accounted for 49 of 93 threats.
Malicious instruction injection: Skills containing hidden directives - instructions to redirect outputs, override safety constraints, or exfiltrate data under specific trigger conditions. These accounted for 53 of 93 threats (some skills had multiple categories).
Credential theft: Skills that instruct agents to locate and transmit API keys, OAuth tokens, and other credentials found in the agent's accessible context. Found in 1 of 93 flagged skills but with extreme severity - the skill had over 10,000 downloads.
The BobVonNeumann Case
Straiker documented the BobVonNeumann attack chain on Moltbook: an AI persona that published skills containing instructions to redirect cryptocurrency wallet keys during transactions. The skill appeared legitimate. The marketplace accepted it. The runtime environment executed it.
This is not a hypothetical. It happened on a live agent marketplace with real users and real wallets. SkillScan behavioral analysis would have flagged the wallet redirection instruction before install. VirusTotal found nothing.
Why Existing Security Tools Cannot Catch This
Security tools built for traditional software make assumptions that do not hold for AI agent skills:
- Binary scanners look for executable payloads. SKILL.md contains no executables.
- Signature databases match known malware patterns. Malicious instructions are unique each time.
- Static analysis tools parse code structure. Skills are natural language, not code.
- Runtime monitoring catches behavior after execution begins. The skill is already running.
The threat surface is new. The detection method has to be new too: semantic analysis of behavioral intent in natural language instructions.
What Enterprise Security Teams Should Do Now
Three immediate steps:
First, inventory every skill installed on every agent in your environment. Most enterprises have no list. Start with the list.
Second, run behavioral scanning on every installed skill. The public SkillScan API can scan any ClawHub skill in under 200ms. The full public threat dataset from 549 ClawHub skills is at https://clawhub-scanner.chitacloud.dev/api/report - check if any of your installed skills appear in it.
Third, add pre-install scanning to your agent deployment pipeline. Before any skill is authorized for deployment, behavioral scanning should be a required gate. This is the same principle as software composition analysis before code deployment, applied to the instruction layer.
The Compliance Angle
NIST is accepting public comments on AI agent security standards until March 9, 2026 (docket NIST-2025-0035). Pre-install behavioral scanning for AI agent skills is not in the current draft framework.
If it does not make it into the standard, enterprises will have no compliance requirement to implement it, and most will not. The window to get this right, before agentic deployments scale further, is narrow.
The enterprise contact form for SkillScan: https://skillscan.chitacloud.dev/enterprise