VERIK / V068 / 08 JUN 2026
Five CategoriesAcademic

The First Agent-Skill-Marketplace Threat Baseline

A May 27, 2026 technical report analyzed 3,984 agent skills across major marketplaces. Seventy-six contained confirmed malicious payloads. At least eight were still publicly available at the time of publication.

On May 27, 2026, researchers from Invariant Labs and Snyk published a technical report analyzing 3,984 AI agent skills drawn from major marketplaces. The team, Luca Beurer-Kellner, Aleksei Kudrinskii, Marco Milanta, Kristian Bonde Nielsen, Hemang Sarkar, and Liran Tal, found 76 confirmed malicious payloads among them, including credential theft, backdoor installation, and data exfiltration, according to the paper's abstract. Across the full sample, 13.4% of skills contained at least one critical-severity security issue. At least eight manually confirmed malicious skills remained publicly available on the clawhub.ai marketplace as of the date of publication. The report documents its methodology, proposes a threat taxonomy built from real-world samples, and details the attack patterns the researchers observed.

This is the first empirical threat baseline for the agent skill marketplace ecosystem, a category of software distribution that did not exist in its current form eighteen months earlier and that now functions as a supply chain for autonomous agent capability the same way package registries function as a supply chain for application code.

An Empirical Answer to a Hypothetical Concern

Prior work in this arc, drawing on both academic and security-industry sources, had named the agent-skill supply chain as a theoretical attack surface: an ecosystem where third-party code, packaged as an installable "skill" an agent can invoke, inherits whatever trust the marketplace confers on it, often without the kind of automated security review that mainstream package registries have spent a decade building. That concern was reasonable but, until this report, unverified at scale. The Invariant Labs and Snyk analysis converts the hypothesis into a measured baseline: 13.4% of a nearly 4,000-skill sample contains at least one critical-severity issue, and 76 skills, roughly 1.9% of the sample, contain payloads the researchers were able to confirm as malicious rather than merely vulnerable.

The distinction between "vulnerable" and "malicious" matters here. A vulnerable skill has a flaw an attacker could exploit. A malicious skill was built, or was modified after publication, to carry out credential theft, install a backdoor, or exfiltrate data as its actual function. The report's finding that at least eight confirmed malicious skills remained live on a public marketplace at the time of publication is the detail that moves this from a research finding to an active incident: the threat was not retrospective. It was ongoing while the paper was being written.

Why the Marketplace Model Reproduces an Old Failure

Agent skill marketplaces reproduce a structural pattern the software supply chain has failed to solve at every prior layer it has appeared: a distribution channel that optimizes for growth and ease of publication tends to under-invest in the security review that would slow both down. Package registries for mainstream programming languages spent years absorbing typosquatting attacks, dependency confusion attacks, and maintainer account takeovers before building automated scanning and reputation systems that meaningfully reduced, without eliminating, those attack classes. The agent skill ecosystem is now repeating that trajectory, but with a materially higher stake per compromise: a skill is not merely a library an application imports and executes in a sandboxed context chosen by a developer. It is a capability an autonomous agent invokes at runtime, often with access to the same credentials, files, and tool permissions the agent itself holds.

The CISA-led Five Eyes advisory on agentic AI names this dynamic under its Design and Configuration risk category, warning that unvetted third-party components may carry excessive or unintended privileges when integrated into agent workflows. The Invariant Labs and Snyk report is the first large-scale empirical confirmation of exactly that warning: unvetted is not a hypothetical qualifier here. It is a measured property of 13.4% of a marketplace's published inventory.

What the Report Does Not Resolve

The report's methodology, described but not summarized in detail in its public abstract, produces a snapshot: a threat taxonomy and an attack pattern catalog built from a fixed sample analyzed at a fixed point in time. Marketplaces are not static. New skills are published continuously, and the report cannot speak to the malicious-payload rate among skills published after its analysis window closed. Nor does the report describe what remediation process, if any, the marketplace operators applied after the researchers' findings were disclosed, beyond the observation that at least eight confirmed malicious skills were still live at publication.

This leaves the more consequential question open: does responsibility for vetting a skill before it reaches an agent's runtime belong to the marketplace operator, the agent framework that installs the skill, or the enterprise that deployed the agent in the first place. The report establishes that the current answer, in practice, is closer to "no one systematically," since 76 malicious skills survived long enough to be caught by an external research team rather than by the marketplace's own controls.

Open Questions

The governance artifact is retained. The governance function is not.