Thousands Of Malicious Skills Are Hiding In AI Agent Marketplaces, ESET Warns

ESET analyzed roughly 900,000 agentic AI skills and flagged thousands as malicious, exposing a governance gap that security leaders are only beginning to notice.

Published on Jul 13, 2026
1 in 300 AI Agent Skills Is Directly Malicious, ESET Research Finds

Employees are pulling AI “skills” into their daily work to move faster, most security teams have no idea which ones are running.

ESET’s H1 2026 Threat Report puts numbers to the problem: of roughly 900,000 AI agent skills the company analyzed, it flagged around 25,000 as suspicious and more than 3,000 as directly malicious.

Skills extend what an AI agent can do, letting it call external tools and services on a user’s behalf. They are installed with broad trust and little scrutiny, which is precisely the risk.

For Tony Anscombe, ESET’s Chief Security Evangelist, the right mental model is a familiar one. “Using publicly available AI skills is the equivalent of using open-source code that does not benefit from community oversight,” he told Expert Insights.

A decade ago, developers began pulling packages from open registries into production before the ecosystem developed today’s supply-chain defenses, such as dependency scanning and provenance verification. 

AI-based coding assistants are entering a similar phase: attackers can hide potentially dangerous instructions in README files, documentation, and other artifacts that agents read, creating a new kind of software supply-chain risk.

With AI skills, the exposure widens: the people installing them are often ordinary employees rather than developers, and the components run with access to corporate data and credentials.

Anscombe was direct about what can go wrong once a bad skill is added. The risks include “the ability to execute hidden scripts on the local device which can harvest data or credentials,” he said, creating an opening for a malicious incident to slip through and circumvent existing policy.

In other words, a productivity add-on becomes a credential-theft vector, arriving through a channel most security stacks were never built to watch.

Start By Knowing What Is Already Running

The first problem is visibility: most organizations cannot say which skills their staff already use.

Anscombe’s starting point is policy and vetting. Security teams, he said, need to “add the use of AI skills to their AI policy and ensure that all AI skills have been vetted for use within the corporate environment,” paired with real employee education about the danger unvetted external code presents.

Technology has to back the policy. Anscombe recommended a security stack that “detects AI skills, scans for malicious or suspicious code, and blocks it as necessary,” and noted that organizations on enterprise-grade AI tools should set access and usage policies to contain the added risk.

Skills should be treated as software entering the estate, subject to the same inventory, review, and control as any other third-party code, rather than as harmless personal tooling.

“If unchecked code is allowed to run without vetting and guardrails, this is equivalent to handing the organization’s crown jewels to the attacker,” Anscombe told Expert Insights.

As agentic AI adoption accelerates, the gap between what employees are installing and what security teams can see is the risk worth closing first.

This field is for validation purposes and should be left unchanged.

FREE NEWSLETTER

Cyber Weekly

Get curated cybersecurity news, threats and insights delivered free every Thursday.

Written By Written By
Alessandro Mascellino
Alessandro Mascellino Cybersecurity Reporter

Alessandro Mascellino is a British-Italian freelance journalist specializing in technology and gaming. He has contributed to several publications, including Wired, The Independent, and Android Police. By day, he works as a journalist. By night, he co-manages a game studio that creates narrative games.