"Agent skills" are just a shiny wrapper for the exact same supply chain garbage we've fought for a decade.

🎣 Repojacking AI Marketplaces

If your devs use AI agent development tools, they pull skills from marketplaces whose only gate is a malware scanner, and those scanners are not worth much. When five different scanners were run over the same agent-skill datasets, their verdicts on what counts as a malicious package disagreed by roughly 10x. A pipeline that trusts any one of them will greenlight a backdoored skill that another would have flagged, because the defenses cannot even agree on basic threat signatures.

While scanners argue, they miss the structural vulnerability underneath: classic GitHub repojacking. The mechanism is simple. A skill reference resolves to a GitHub repository by owner name and repository name, nothing more. If the maintainer deletes their account, that username is released and anyone can register it again, recreate a repository with the same name, and reproduce the expected file layout. The reference the pipeline stores never changes, so consumers keep resolving to the same location and get whatever now lives there.

Any pipeline that still pulls that skill by branch or tag will silently download the attacker's payload, which can run arbitrary code in the agent's workspace or steal the credentials it holds. According to this preprint, researchers found 121 skills across 7 repositories currently exposed to this exact vector.

Protect your environments:

  • Hard-pin every skill to a full commit hash you have verified, never a branch or a tag: a re-registered namespace cannot serve a commit it does not have, so the fetch fails closed instead of delivering a payload.
  • Audit upstream repositories for maintainer accounts that no longer exist; a deleted owner is a namespace waiting to be claimed, and the skill should be vendored or re-homed before that happens.
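The two checks above, as an added example and not code from the original post or from any marketplace tooling: it parses skill references of the hypothetical form `owner/repo@ref`, flags anything not pinned to a full 40-hex commit id, and asks the GitHub REST API whether the owner account still exists (`GET /users/{login}` returns 404 when no account holds the name, which is exactly the state an attacker can exploit). The sample manifest and the owner names in it are constructed for the demonstration; the lookup is injectable so the audit runs offline against a fake directory here and against the live API in practice.

```python
import os
import re
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample manifest of skill references in the form owner/repo@ref.
# All owners and repositories here are hypothetical names made up for this example.
SAMPLE_SKILLS = [
    "alice-dev/summarize-skill@4f0c2a1b9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b",  # pinned commit
    "bob-archive/pdf-tools@main",                                           # floating branch
    "carol/shell-helper@v1.2.0",                                            # mutable tag
]

# A safe pin is a full 40-hex SHA-1 commit id. Branches, tags and abbreviated
# hashes can all be re-pointed or re-created by whoever controls the namespace.
FULL_COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")
SKILL_REF_RE = re.compile(r"^(?P<owner>[A-Za-z0-9-]+)/(?P<repo>[A-Za-z0-9._-]+)@(?P<ref>\S+)$")


def parse_skill_ref(skill_ref):
    """Split 'owner/repo@ref' (hypothetical manifest syntax) into its three parts."""
    match = SKILL_REF_RE.match(skill_ref)
    if not match:
        raise ValueError(f"unrecognised skill reference: {skill_ref!r}")
    return match.group("owner"), match.group("repo"), match.group("ref")


def is_commit_pinned(ref):
    """True only for a full commit hash; 'main', 'v1.2.0' and short hashes are not pins."""
    return bool(FULL_COMMIT_RE.match(ref))


def github_user_exists(login, timeout=10):
    """Live check: GitHub's GET /users/{login} answers 404 when no account holds the
    name, i.e. the namespace is free to be re-registered. Unauthenticated calls are
    rate-limited, so GITHUB_TOKEN is sent as a bearer token when present."""
    url = "https://api.github.com/users/" + urllib.parse.quote(login, safe="")
    headers = {"Accept": "application/vnd.github+json", "User-Agent": "skill-audit"}
    token = os.environ.get("GITHUB_TOKEN")
    if token:
        headers["Authorization"] = f"Bearer {token}"
    request = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise  # rate limit or outage: never silently report "exists" or "gone"


def classify(pinned, owner_exists):
    """Map the two checks to a verdict. An unpinned ref whose owner is gone is the
    live repojacking case: a recreated repo is exactly what the pipeline will fetch."""
    if not owner_exists and not pinned:
        return "repojackable"
    if not owner_exists:
        # The hash pin fails closed (a recreated repo cannot produce that commit),
        # but the skill now has no maintainer and should be vendored or re-homed.
        return "stale-owner"
    if not pinned:
        return "unpinned"
    return "ok"


def audit_skills(skill_refs, user_exists=github_user_exists):
    """Audit a list of skill references. user_exists is injectable so the audit can
    run against a cached or mocked view of GitHub instead of the live API."""
    findings = []
    for skill_ref in skill_refs:
        owner, repo, ref = parse_skill_ref(skill_ref)
        pinned = is_commit_pinned(ref)
        owner_exists = user_exists(owner)
        findings.append({
            "skill": f"{owner}/{repo}",
            "ref": ref,
            "pinned": pinned,
            "owner_exists": owner_exists,
            "status": classify(pinned, owner_exists),
        })
    return findings


if __name__ == "__main__":
    # Offline demonstration: pretend only alice-dev and carol still exist on GitHub.
    # Pass user_exists=github_user_exists instead to run a real audit.
    fake_directory = {"alice-dev", "carol"}
    for finding in audit_skills(SAMPLE_SKILLS, user_exists=fake_directory.__contains__):
        print(f"{finding['status']:13} {finding['skill']}@{finding['ref']}")
```

Two design points worth noting. The live lookup re-raises anything other than a 404 rather than guessing, because a rate-limited audit that quietly reports every owner as present is worse than one that stops. And the `stale-owner` verdict exists because a hash pin and an account audit catch different things: the pin is the control that makes a hijacked namespace fail closed, while the audit is the early warning that a skill has lost its maintainer and needs to be vendored before anyone claims the name.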