AI Coding Agent Skills: The New Supply Chain Risk (2026)

Source: OX Security, April 2026; arXiv 2601.17548, January 2026

The AI coding agent of 2026 is not really a chat tool any more. It is a daemon that reads instructions from your filesystem, holds your developer credentials, calls your APIs, and edits your code. The instructions can come from many places: a SKILL.md inside a project, a .cursorrules file, a Codex AGENTS.md, an MCP server you installed last week, an OpenClaw skill you grabbed from ClawHub. Each of those files is trusted by default and almost never reviewed.

That is the gap. We have spent two decades hardening the npm and pip pipelines because the industry finally accepted that running arbitrary author-controlled code is dangerous. Then we built coding agents that consume an entirely new class of author-controlled code, called it a "skill" or a "rule" or a "tool description", and skipped the same hardening.

What is already in the wild

The numbers from independent vendor research in early 2026 are not subtle.

• 341 of 2,857 OpenClaw skills on ClawHub were malicious in February 2026, roughly 11.9%. 335 of them traced back to a single coordinated campaign that Koi Security named ClawHavoc. By a follow-up audit two weeks later, the count had climbed to 824 malicious skills out of 10,700+ as the marketplace grew. The macOS payload is Atomic Stealer (AMOS) delivered through a fake "prerequisites" step in the skill's instructions; the Windows payload is a VMProtect-packed infostealer. (Note: ClawHub is the marketplace for OpenClaw, the open-source agent, not for Anthropic's Claude. The mechanism transfers; the marketplace does not.) Koi Security: ClawHavoc disclosure (Oren Yomtov, Feb 1, 2026, updated Feb 16)
• Anthropic's own Git MCP server had three CVEs published on January 20, 2026, but only after the underlying flaws were already fixed. Cyata researcher Yarden Porat reported them in June 2025; Anthropic shipped the patch in December 2025 (mcp-server-git 2025.12.18); the CVEs went public a month later. The chain is CVE-2025-68143 (unrestricted git_init, severe enough that Anthropic removed the tool entirely), CVE-2025-68144 (argument injection in git_diff and git_checkout), and CVE-2025-68145 (path validation bypass for the --repository flag). The vendor with the strongest security posture in the ecosystem still shipped server code that was weaponizable through prompt injection. The Hacker News: Three flaws in Anthropic MCP Git server · The Register coverage
• OX Security's April 2026 research found a systemic command-injection design flaw in the MCP STDIO transport that affects ~7,000 publicly accessible servers and software packages totaling 150 million-plus downloads. In a single audit, OX Security successfully poisoned 9 of 11 public MCP registries and chained the flaw into 10+ High/Critical CVEs across Cursor, VS Code, Windsurf, Claude Code, and Gemini CLI. Windsurf (CVE-2026-30615) is exploitable with zero user interaction. OX Security: The Mother of All AI Supply Chains (April 15, 2026)

The techniques you may not have heard of yet

A handful of disclosed techniques from 2026 illustrate how thin the trust boundary actually is.

Rules File Backdoor

Hidden Unicode characters embedded in Cursor and Copilot rule files inject malicious instructions that the developer literally cannot see in their editor. The file looks clean. The agent reads the invisible payload as gospel. The technique was disclosed by Pillar Security and works against the configuration files of every coding agent that reads structured guidance from the repository. Pillar Security: Rules File Backdoor

CVE-2026-26268: Cursor sandbox escape via .git config

A malicious agent (or prompt-injected one) writes to improperly protected .git settings, including Git hooks. The next routine Git operation triggers those hooks outside the sandbox, executing arbitrary code on the developer's machine. NVD rated it 9.9 CRITICAL; Cursor (the CNA) issued an 8.0 HIGH. Patched in Cursor 2.5. NVD: CVE-2026-26268 (published Feb 13, 2026)

Claude Code config-file RCE

Check Point Research demonstrated remote code execution and API credential theft achieved purely through values in a repository's configuration files, abusing Hooks, MCP integrations, and environment-variable handling. The takeaway is that "config" is executable in this ecosystem, and a hostile project file is enough. Check Point Research disclosure

Tool-description poisoning

The most subtle of the family: the malicious instruction lives in the description metadata of an MCP tool, not in any code path. The agent reads the description into its context to decide which tool to call. The tool never has to be invoked for the injection to land. OX Security documented this attack family as part of its April 2026 MCP audit. OX Security: The Mother of All AI Supply Chains

Why traditional review misses it

Three properties of an AI agent skill make conventional code review the wrong tool.

1. The dangerous content is prose, not code. A SKILL.md or .cursorrules file looks like documentation. Reviewers skim documentation. They read code. The agent does the opposite.
2. The execution context is opaque. A skill says "copy ./docs/contributing.md". You see the literal string. The agent resolves symlinks, expands variables, follows hooks, and ends up doing something else. The SymJack disclosure earlier this month was the textbook version of this.
3. The blast radius hides behind a single token. Most agents run with the developer's full identity: SSH keys, cloud credentials, npm tokens, GitHub PATs. Any prompt that survives review reaches all of them.

A January 2026 systematic analysis by Maloyan and Namiot at arXiv tested every major coding agent and found that attack success rates against state-of-the-art defenses exceed 85% when adaptive attack strategies are employed. That is from the paper's own abstract. arXiv 2601.17548: Prompt Injection Attacks on Agentic Coding Assistants

The pipeline problem

The honest framing is that AI agent skills are now a new software supply chain, with most of the problems npm and PyPI had ten years ago and almost none of the controls they have now.

• No equivalent of npm audit.
• No cryptographic signing or provenance attestations. The official MCP Registry (donated to the Linux Foundation in December 2025) uses namespace-based ownership but does not verify code provenance or sign artifacts.
• Several competing marketplaces (ClawHub for OpenClaw, the MCP Registry, vendor-internal stores) with different and largely informal review processes.
• A culture among developers of grabbing a skill from a Reddit thread and dropping it into a project because it is "just a markdown file".

That last point is the one to internalize. The friction to install a malicious skill is lower than for a malicious npm package, while the access granted by a skill is often higher.

What to do this quarter

There is no clever silver bullet here. There is the boring work of treating agent skills as the executable trust surface they actually are.

• Inventory every skill, rule file, and MCP server your team uses. Treat each one as a dependency, because the agent is going to.
• Read what they actually contain. SKILL.md, AGENTS.md, .cursorrules, .mcp.json, .claude/settings.json. Look for permissions.allow, command, args, and any instruction that resolves a path or shells out.
• Run skills through a scanner before you trust them. We have spent the last several months analyzing thousands of agent skills pulled from public sources at skillsec.io, and the number of malicious or unsafe-by-default ones is much larger than the public disclosures suggest. The marketplaces are an iceberg.
• Pin agent versions and read the release notes. Cursor 2.5 fixed CVE-2026-26268. Anthropic's mcp-server-git 2025.12.18 fixed the Cyata chain. The fixes only protect you if you upgrade.
• Tighten CI. Short-lived credentials, isolated runners, no production secrets within reach of an autonomous agent.

Update: May 2026

Three things have shifted in the weeks since this article first ran, and they all sharpen the picture rather than soften it.

• The ClawHavoc count has more than doubled. Koi Security's follow-up audit on February 16, 2026 found 824 malicious skills out of 10,700+ on ClawHub, up from 341 of 2,857 two weeks earlier. Koi has released a remediation skill called Clawdex that OpenClaw bots can install to scan against a known-malicious database.
• OX Security's April 15 disclosure made the MCP STDIO flaw systemic. What looked like isolated bugs in individual servers turned out to be an architectural design decision in the official MCP SDKs across Python, TypeScript, Java, and Rust. 10 CVEs were filed in a single coordinated disclosure; the headline metric is 9 of 11 public MCP registries were successfully poisoned by the researchers.
• The MCP Registry still has no cryptographic signing. Namespace-based ownership is the only provenance check the official registry performs as of writing. There is no npm audit equivalent, no signed attestations, no required SBOM.

The bigger picture

The agentic ecosystem is moving at a pace that is structurally faster than security research can keep up with. The vulnerabilities being disclosed today are not subtle bugs, they are missing controls. Until the pipeline has signing, audit, and a culture of review, every unreviewed skill in your repo is an unaudited executable running under your developer identity.

The good news is that the controls themselves are not hard. They are unglamorous, and they have not been built yet for this category. Treat the agent skill the way you would treat a fresh npm package from an author you have never heard of, and most of the risk goes away.

---

Primary sources: Koi Security ClawHavoc disclosure, OX Security: The Mother of All AI Supply Chains, The Hacker News on Cyata's Git MCP findings, NVD: CVE-2026-26268, Pillar Security: Rules File Backdoor, Check Point Research: Claude Code flaws, arXiv 2601.17548.