SkillGate Exposed: The AI Agent Supply Chain Is Already Under Attack — And Your Credentials Are Next + Video

Listen to this Post

🐢▶️ Listen🚀

Introduction:

The AI agent ecosystem is experiencing its “npm left-pad moment” — but with far more dangerous consequences. As developers rush to install third-party skills, hooks, and instruction files with a single click, they’re blindly importing code that runs with the full privileges of their AI agent. A six-month Mitiga Labs investigation of over 50,000 AI instruction files across 7,000+ public repositories uncovered attacker-controlled `ANTHROPIC_BASE_URL` overrides routing Claude traffic through MITM proxies, more than 1,230 hardcoded API keys and JWT tokens, and a live prompt-exfiltration technique that turns the agent itself into a keylogger for developer prompts. Welcome to modern-day malware, where the target is no longer the human and their laptop but the AI agent operating it.

Learning Objectives:

• Understand the attack surface of AI agent instruction files and how malicious skills, hooks, and configuration files can compromise your entire infrastructure
• Master SkillGate’s detection capabilities across 80+ rules and 6 technique families, including prompt injection, credential exfiltration, and MCP server poisoning
• Implement practical scanning workflows and security controls to protect your AI agent deployments from supply-chain attacks

You Should Know:

1. The Anatomy of an AI Agent Supply-Chain Attack

The attack chain is deceptively simple and devastatingly effective. A developer installs a seemingly legitimate skill from a marketplace with a single click, enabling the agent to read files, call APIs, and open pull requests — often without human oversight. The malicious instructions can be embedded in any of the following file types:

• Skills — Markdown files providing context and specialized instructions for a task, used across multiple AI agents
• Claude Hooks — JSON-defined bash commands fired on specific Claude Code triggers
• Agent brain files — `AGENTS.md` and `CLAUDE.md` giving the agent a project and user overview
• MCP server configs — `settings.json` or `mcp.json` blocks that list, route, and configure MCP servers
• Agentic rules — .cursorrules, aider config YAML, opencode, Continue, and equivalents
• Supply-chain droppers — `package.json` files placed in the agent’s working directory
• Poisoned bytecode — `.pyc` files hidden inside agent-tool directories

The strongest attack chain observed combines an NPM install, injection of an approved project path, the developer launching the AI inside that project, a Claude Hook firing the dropper, and a Skill invoked on a heartbeat cadence — with each Skill chaining to the next to pull fresh droppers or execute the operator’s objective.

Real-World Impact: In one case, a seemingly benign testing skill silently pushed an entire codebase to an attacker-controlled repository without user prompts and with no audit log. In another, a hook configured to run at the start of every agent session executed a hidden script that shipped local credentials to an attacker.

1. How SkillGate Scans and Protects Your AI Agents

SkillGate is a free, community-facing scanner that detects malicious techniques inside skills and other instruction files. Its rule set is fed by internal research, red-team work, public research, and incidents observed in the wild.

Scanning Architecture:

SkillGate employs a three-layer detection approach:

1. Static signature and AST analysis — Reads files with signature and Abstract Syntax Tree (AST) analysis
2. LLM-as-judge step — Uses an LLM to review and contextualize findings
3. Risk scoring — Composite model with combo detection (not single red flags)

Detection Capabilities:

• Applies more than 80 detection rules across 6 technique families:
• Direct execution
• Prompt manipulation
• Tool and MCP poisoning
• Supply chain
• Obfuscation
• Credential exposure

• Findings mapped to both OWASP Agentic AI Top 10 and MITRE ATT&CK and ATLAS frameworks

Output: A risk score out of 100 and a verdict — Clean, Risky, Suspicious, or Dangerous — along with an explanation of the score, findings grouped by severity, and fixes for each detection.

Supported File Types: SKILL.md, hooks, CLAUDE.md, Cursor, Continue, and Cline rules, MCP tool descriptions, settings files, and more.

3. Practical Scanning Workflows: Command-Line and Web Interface

Web Interface (skillgate.mitiga.ai):

• Paste a public GitHub repository URL — the scan pins to a specific commit
• No code is executed during the process
• Individual files scan in seconds; full repository scans complete within minutes
• Browsing public scans is anonymous; submitting a skill or repository requires a free account

NPM Package (skillgate):

 Install the SkillGate CLI
npm install -g skillgate

Scan all agent skill files in your project
skillgate scan

Scan with specific options
skillgate scan [bash]

Automatically discovers files across all supported agent directories

Bulk Scanning:

SkillGate supports bulk-URL submission for repository-wide analysis.

Security Note: The scanning process never executes code — it performs static analysis only. This ensures you can safely audit potentially malicious skills without triggering them.

4. Manual Inspection Techniques: What to Look For

Before running any skill, hook, or instruction file through your AI agent, perform these manual checks:

1. Check for Environment Variable Overrides:

 Search for ANTHROPIC_BASE_URL or similar overrides
grep -r "ANTHROPIC_BASE_URL" .
grep -r "OPENAI_API_BASE" .
grep -r "BASE_URL" .

Attackers have been observed overriding `ANTHROPIC_BASE_URL` to route Claude traffic through third-party MITM proxies.

2. Identify Hardcoded Credentials:

 Search for API keys and tokens
grep -rE "(api[_-]?key|token|secret|password|credential)" .
grep -rE "[A-Za-z0-9]{32,}" .  Generic token pattern

Mitiga Labs found over 1,230 hardcoded API keys and JWT tokens across tens of services.

3. Detect Command Execution Patterns:

 Look for shell command execution
grep -rE "(exec|system|sh |bash |curl |wget |python -c|node -e)" .

4. Identify Data Exfiltration Patterns:

 Look for network calls and data sending
grep -rE "(fetch|axios|requests.get|curl|wget|nc |netcat)" .
grep -rE "(~/.aws/credentials|~/.ssh|/etc/passwd|/etc/shadow)" .

5. Check for Obfuscation:

 Look for base64, hex, or other encoding
grep -rE "(base64|btoa|atob|Buffer.from|hex|decode)" .

1. Windows and Linux Security Hardening for AI Agent Deployments

Linux/macOS:

 Isolate agent working directories
mkdir -p /opt/ai-agent/sandbox
chmod 750 /opt/ai-agent/sandbox
setfacl -m u:agent-user: /opt/ai-agent/sandbox

Use AppArmor or SELinux to restrict agent capabilities
 Example AppArmor profile for Claude Code
sudo aa-genprof /usr/local/bin/claude

Monitor file system changes in agent directories
inotifywait -m -r -e modify,create,delete ~/.claude/

Scan all instruction files before agent loads them
find . -type f ( -1ame ".md" -o -1ame ".json" -o -1ame ".yaml" -o -1ame ".yml" ) -exec skillgate scan {} \;

Windows (PowerShell):

 Restrict agent execution with AppLocker
New-AppLockerPolicy -RuleType Exe -User Everyone -Action Deny -Path "C:\Users\AppData\Local\ai-agent\"

Monitor file changes in agent directories
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "$env:USERPROFILE.claude"
$watcher.Filter = "."
$watcher.EnableRaisingEvents = $true

Scan instruction files
Get-ChildItem -Recurse -Include ".md",".json",".yaml",".yml" | ForEach-Object {
skillgate scan $_.FullName
}

Audit PowerShell execution policies
Get-ExecutionPolicy -List
Set-ExecutionPolicy Restricted -Scope CurrentUser

Environment Variable Protection:

 Linux/macOS - prevent accidental credential exposure
export HISTCONTROL=ignorespace:erasedups
export HISTSIZE=0

Windows - clear PowerShell history
Clear-History
Remove-Item (Get-PSReadlineOption).HistorySavePath

6. The Skillforge-Skillgate Closed Learning Loop

Mitiga Labs built two paired tools that operate as a closed learning loop:

• Skillforge — An internal web application that forges malicious skills, built from public research, red-team work, and adversarial behavior mapped on MITRE ATT&CK and adjacent frameworks
• Skillgate — The community-facing scanner that detects those techniques, with its rule set fed by internal research, Skillforge crafts, public research, and wild incidents

This cycle has been running on a near-daily basis for four to five months, continuously improving detection capabilities. The scanner’s 80+ detection rules are the result of this adversarial training loop — meaning SkillGate doesn’t just detect known threats; it evolves to catch emerging attack techniques.

The Research Scale: The investigation covered more than 50,000 files across 7,000+ public repositories, revealing:
– Attacker-controlled `ANTHROPIC_BASE_URL` overrides routing Claude traffic through MITM proxies
– Permission-bypass overrides shipped as “convenience” defaults
– Over 1,230 hardcoded API keys and JWT tokens
– Live prompt-exfiltration tradecraft caught in the wild

7. Real-World Attack Techniques and Mitigations

Attack: Prompt Injection via Long Skill Files

Researchers demonstrated how to hide malicious instructions in long Agent Skill files and referenced scripts to exfiltrate sensitive data such as internal files or passwords. A malicious skill can be successfully loaded and used, with the “ask again” option allowing the malicious script to execute without further confirmation.

Mitigation:

 Audit skill files for length and complexity
find . -1ame ".md" -exec wc -l {} \; | sort -1r | head -20

Flag skills exceeding reasonable length (e.g., >500 lines)
find . -1ame ".md" -exec sh -c 'if [ $(wc -l < "$1") -gt 500 ]; then echo "Suspicious length: $1"; fi' _ {} \;

Attack: Credential Exfiltration Through Hooks

A hook configured to run at the start of every agent session executed a hidden script that shipped local credentials to an attacker.

Mitigation:

 Audit hook files for unauthorized commands
find . -1ame ".json" -path "/hooks/" -exec grep -l "exec|system|sh|bash" {} \;

Use a hook allowlist
mkdir -p ~/.claude/allowed-hooks
 Only place verified hooks in this directory
 Configure Claude to only read hooks from allowed-hooks

Attack: Poisoned Skills Spreading Through Marketplaces

Poisoned skills spread through blogs and public marketplaces much like poisoned packages spread through open-source registries.

Mitigation:

• Always scan third-party skills with SkillGate before installation
• Maintain an internal allowlist of verified skills
• Implement a “skill quarantine” process where new skills are reviewed before team-wide deployment

What Undercode Say:

• The AI supply chain is the new software supply chain — and it’s even more dangerous because agents execute instructions with minimal validation and full trust. The industry spent years securing npm, PyPI, and other package registries; we’re now repeating the same mistakes with AI skills, but at a much faster pace.

• The attack surface is massive and growing. With skills, hooks, MCP configs, CLAUDE.md, AGENTS.md, .cursorrules, and more, attackers have multiple vectors to compromise your AI agent. The list keeps growing, and most organizations aren’t even aware these files exist, let alone that they’re executing them with full privileges.

• SkillGate represents a critical first line of defense, but it’s not a silver bullet. The free scanner from Mitiga Labs provides transparency into what’s actually in those files. However, organizations must combine scanning with runtime monitoring, strict access controls, and a culture of “trust but verify” when it comes to AI agent configurations.

• The threat is not theoretical. Over 1,230 hardcoded API keys, live prompt-exfiltration techniques, and attacker-controlled MITM proxy overrides have already been observed in the wild. This is happening right now, and most organizations have no visibility into it.

• “People install skills the way we used to double-click email attachments” — quickly and without looking inside. This human factor, combined with the technical complexity of AI agents, creates a perfect storm for supply-chain compromises. The industry needs both technical controls (like SkillGate) and cultural change to address this emerging threat.

Prediction:

• -1 AI agent supply-chain attacks will become the primary vector for enterprise breaches within 18-24 months. The combination of blind trust in third-party skills, the complexity of AI agent configurations, and the high-value credentials these agents access makes this an irresistible target for threat actors. Expect to see ransomware gangs and nation-state actors pivot aggressively to this attack surface.

• -1 The “skill marketplace” model is fundamentally insecure and will face the same reckoning as the npm `left-pad` incident, but on a catastrophic scale. A single widely-used malicious skill could compromise thousands of organizations simultaneously, exfiltrating cloud credentials, source code, and sensitive prompts en masse.

• +1 SkillGate and similar tools will become essential infrastructure for any organization deploying AI agents. Just as antivirus and SAST tools are non-1egotiable today, AI agent scanners will be mandatory within the next year. The fact that Mitiga Labs made SkillGate free is a significant public good that will accelerate security maturity in this space.

• -1 Regulatory scrutiny will intensify. With over 1,230 hardcoded API keys already discovered across public repositories, regulators will increasingly hold organizations accountable for AI agent security. Expect GDPR and CCPA implications when agent-exfiltrated data includes PII, and potential SEC enforcement when material non-public information is exposed through compromised skills.

• +1 The Skillforge-Skillgate closed learning loop represents a new paradigm in AI security. By continuously generating adversarial examples and updating detection rules, this approach can keep pace with evolving attack techniques. This “red-team-first” methodology should become the standard for AI security tools going forward.

SkillGate is available now at skillgate.mitiga.ai — free for all, and it will stay free. Go scan something before your agent does.

▶️ Related Video (74% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Ofermaor Skills – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky