You’ve heard of supply chain attacks. SolarWinds. Log4j. Codecov. Attackers compromising trusted software that thousands of businesses rely on, then riding that trust straight into corporate networks.

Now there’s a new variant, and most businesses don’t even know it exists yet: compromised skills in AI agent marketplaces.

What’s an AI Skill Marketplace?

If you’re not familiar with AI agent platforms, here’s the quick version: they’re systems that let businesses deploy autonomous AI assistants that can perform tasks across various applications - answering support tickets, processing data, managing workflows, that sort of thing.

These platforms typically have marketplaces where developers can publish “skills” - essentially plugins that give AI agents new capabilities. Think of it like an app store, but for AI functionality.

The largest of these marketplaces, ClawHub (for the OpenClaw platform), currently lists over 3,984 available skills. Everything from calendar management to database queries to customer service automation.

Sounds convenient, right? Download a skill, plug it into your AI agent, and instantly add new functionality to your business operations.

That’s exactly what attackers are counting on.

The Attack Pattern

Here’s how it works in practice.

An attacker creates what looks like a legitimate, useful skill. Maybe it’s a calendar integration, or a tool for extracting data from PDFs, or something that automates social media posting. The skill description is professional. There might be fake reviews or GitHub stars (both can be bought cheap). The code looks reasonable at first glance.

But buried in there - sometimes obfuscated, sometimes just hidden in a dependency three levels deep - is malicious functionality.

Maybe it exfiltrates data to an external server. Maybe it creates a backdoor for later access. Maybe it injects malicious prompts to manipulate the AI agent’s behaviour. The possibilities are extensive, and detection is difficult because many businesses don’t carefully audit the skills they install.

The skill gets published to the marketplace. Businesses download it. The malicious code executes in their environment, with all the access permissions the AI agent has. And because the AI agent typically has broad access (that’s the point of deploying it), the attacker now has broad access too.

Real-World Evidence

This isn’t theoretical. Security researchers recently audited ClawHub and found that 36.82% of available skills contained security vulnerabilities. Not all of these were intentionally malicious, but they could all be exploited by someone who knew what they were doing.

More concerning: they traced 341 confirmed malicious skills back to a single coordinated campaign. One group, systematically building and distributing compromised AI skills across the marketplace.

Think about that for a moment. A coordinated effort to poison the supply chain at scale. Not targeting one business, but potentially thousands of businesses who might download and deploy these skills.

This is supply chain compromise adapted for the AI era. And it’s working.

Why This Is Different from Traditional Supply Chain Attacks

Traditional supply chain attacks usually target widely-used libraries or infrastructure components. Log4j was devastating precisely because it was everywhere. Attackers could compromise one component and affect millions of systems.

AI skill marketplaces have a different dynamic:

Lower barrier to entry. Publishing a malicious npm package or Python library requires some sophistication. Publishing a malicious AI skill? Much easier. The code is often simpler, the review processes (if they exist at all) are less mature, and the ecosystem is young enough that security best practices haven’t been established yet.

Higher trust exploitation. Businesses deploying AI agents are often in “innovation mode” - they’re excited about the technology, moving quickly, and not necessarily applying the same security scrutiny they’d apply to traditional software. Attackers know this and exploit it.

Broader permissions. Traditional software usually runs with limited permissions. AI agents often run with extensive access because they need to interact with multiple systems and data sources. A compromised skill inherits all those permissions.

Harder to detect. When an AI agent does something suspicious, is it because the AI made an error, the skill is buggy, or someone’s attacking you? The line between legitimate behaviour, mistakes, and malicious activity is blurrier with AI than with traditional software.

The Coordinated Campaign Model

What makes the current threat particularly sophisticated is the coordinated campaign approach.

Instead of one attacker building one malicious skill and hoping someone downloads it, organized groups are building entire portfolios of skills that look legitimate. They’re creating fake developer personas with realistic GitHub profiles. They’re cross-promoting their skills to build apparent credibility. They’re even responding to user questions and providing support to maintain the illusion of legitimacy.

This is social engineering meets supply chain compromise. And it scales frighteningly well.

The MITRE ATT&CK framework (the industry standard for categorizing cyber attacks) has recognized supply chain compromise as a critical tactic for years. But most of the documented techniques focus on traditional software. AI skill marketplaces represent a new variant that doesn’t quite fit existing categories.

The Australian Cyber Security Centre is paying attention. While they haven’t yet published specific guidance on AI marketplace threats, their secure software development guidance emphasizes the importance of vetting third-party components - and AI skills definitely fall into that category.

What Businesses Should Be Doing

If your business is using or considering AI agents, here’s what you need to do right now:

1. Treat AI Skills Like Any Other Third-Party Code

Would you download a random business application from the internet and give it access to your email, file storage, and customer database without reviewing it? Of course not. Apply the same standard to AI skills.

Every skill should be reviewed before deployment. If you don’t have the technical expertise to review code, hire someone who does or don’t deploy the skill. It’s that simple.

2. Implement an Approval Process

No one should be able to install AI skills into production without approval from whoever’s responsible for security in your organisation. This sounds obvious, but many businesses treat AI platforms like personal productivity tools rather than enterprise software.

Set up a formal process: skills must be requested, reviewed, and approved before deployment. Document which skills are approved and why. Maintain an inventory of what’s actually running in your environment.

3. Audit Skill Permissions

Just because a skill requests broad access doesn’t mean it needs broad access. A calendar management skill shouldn’t need access to your customer database. A document processing skill shouldn’t need network access to external servers.

Review what permissions each skill requires and question anything that seems excessive. If a skill vendor can’t justify their permission requests, find a different skill.

4. Monitor AI Agent Behaviour

Deploy logging and monitoring for your AI agents. Track what skills are being used, what actions they’re taking, what data they’re accessing, and where they’re sending information.

Set up alerts for suspicious patterns: unusual data transfers, access to sensitive resources outside normal business hours, connections to unexpected external IP addresses, or sudden changes in behaviour.

5. Plan for Compromise

Assume at some point a malicious skill will make it into your environment despite your precautions. What’s your response plan?

Can you quickly disable a skill if you suspect it’s compromised? Can you audit what actions it took while it was running? Do you have backups that aren’t accessible to the AI agent? Can you isolate affected systems?

Having an incident response plan specifically for AI agent compromise isn’t paranoia - it’s basic risk management.

The Vendor Responsibility Question

There’s a legitimate debate happening in the security community about where responsibility lies here.

Should marketplace operators be doing more security vetting before accepting skills? Absolutely. But marketplace vetting alone won’t solve this - determined attackers can bypass most automated checks, and manual review doesn’t scale.

Should AI platform vendors be implementing better sandboxing and permission controls? Yes. But sandboxing has limits, especially for AI agents that need to interact with multiple systems.

Should skills developers be following better security practices? Obviously. But the financial incentives often push toward “ship it quickly” rather than “make it secure.”

The reality is that businesses deploying AI agents can’t wait for the ecosystem to mature. You need to protect yourself now, with the tools and practices available today.

Looking Forward

AI skill marketplaces are here to stay. The convenience they offer is too valuable for businesses to ignore. But like any powerful tool, they come with risks that need to be managed.

The good news is that we’ve dealt with supply chain security challenges before. We know how to vet third-party code. We know how to implement least-privilege access. We know how to monitor for suspicious behaviour.

The challenge is applying those established practices to a new context where the attack surface looks different and the traditional indicators of compromise might not apply.

For Australian SMBs, this means being thoughtful about AI adoption. Don’t let competitors rushing to deploy AI pressure you into deploying insecurely. The business that deploys AI agents safely will outlast the business that deploys them quickly but carelessly.

And if you’re already running AI agents in production, now’s the time to audit what skills you’ve installed and where they came from. Because if 36.82% of available skills have security issues, statistics suggest you’re probably running at least one compromised or vulnerable skill right now.

The supply chain attack vector has evolved. Your defences need to evolve with it.