Toxic Flows: When Your AI Agent Skill Becomes a Supply Chain Attack

The rapid adoption of AI‑driven agents has introduced a new software layer—agent skills—that extends functionality by interfacing directly with corporate IT resources. While these plug‑in‑style modules promise productivity gains, they also create a thin yet critical attack surface that most developers treat as a black box. Because installing a skill effectively grants the model privileged access, any compromise in that component can cascade into broader system breaches, echoing classic supply‑chain threats seen in traditional software ecosystems. Consequently, security teams are forced to expand their threat models to include AI‑generated code and runtime interactions.

Snyk’s newly released ToxicSkills report audited more than 3,000 skills from the ClawHub and skills.sh repositories and uncovered alarming weakness rates. Over a third—36%—of the catalog exhibited at least one security flaw, while 13% contained critical defects such as credential exfiltration, backdoor implantation, or active prompt‑injection payloads. Even more concerning, 91% of the confirmed malicious skills combined conventional malware with sophisticated prompt‑injection techniques, demonstrating that attackers are already weaponizing the agentic action layer at scale. The report also highlighted that many skills lack basic code‑signing or version‑control hygiene, further easing attacker insertion.

For enterprises, the findings translate into an urgent need to treat AI skill installations as a high‑risk supply‑chain decision. Organizations should enforce strict provenance checks, sandbox execution environments, and continuous monitoring for anomalous agent behavior. Snyk’s upcoming webinar, led by staff AI security advocate Sonya Moisset, promises actionable guidance—detailing documented attack chains, mitigation playbooks, and a framework for defending the agentic action layer. By integrating automated skill vetting into CI/CD pipelines, firms can catch malicious patterns early, reducing reliance on manual reviews. Adopting these practices now can prevent credential theft, data exfiltration, and broader system compromise before the ecosystem matures further.