AI Agent Marketplaces: The Security Crisis Hiding in Plain Sight


There’s a pattern I’ve been noticing across enterprise AI deployments. Companies spend months vetting their LLM providers, negotiating data processing agreements, and setting up security controls. Then they install third-party skills from a marketplace with less scrutiny than they’d give a WordPress plugin.

This should worry us more than it does.

The NPM Problem All Over Again

Anyone who’s worked in software long enough remembers the npm ecosystem’s growing pains. For years, the JavaScript community operated on trust. Then we started seeing supply chain attacks — malicious packages with names one character off from popular libraries, legitimate packages hijacked through compromised maintainer accounts, dependencies that sat dormant for months before activating.

AI agent marketplaces are heading down the same path, but faster and with higher stakes.

Take the numbers from ClawHub, one of the larger ecosystems. Recent security research found that 36.82% of available skills had documented vulnerabilities. Not zero-days — just straight-up known issues that hadn’t been patched. Even more concerning, investigators traced 341 malicious skills back to what appears to be a coordinated campaign by a single group.

Think about what that means. Someone is deliberately building an arsenal of compromised AI agent skills and distributing them through public marketplaces. They’re not targeting specific companies — they’re building infrastructure that will compromise whoever installs the skill, then waiting.

Why AI Agent Attacks Are Different

Here’s what makes AI agent security particularly tricky. Traditional software security focuses on code execution and data access. Those still matter, but AI agents add new attack surfaces.

Context pollution. An agent’s effectiveness depends on the context it maintains across conversations: memory, notes, retrieved documents, tool results. A malicious skill can subtly corrupt that context, for example by writing instructions into memory or into documents the agent will later retrieve and treat as trusted, leading the agent to make decisions that seem reasonable but serve the attacker’s goals. CSIRO’s Responsible AI Network has documented cases where this happened without any obvious red flags.

Privilege escalation through natural language. Agents typically hold standing credentials for APIs and systems that a human would have to authenticate to explicitly. A compromised skill doesn’t need those credentials; it only needs to talk the agent into using them. Because the instruction arrives as natural language and the resulting API calls are made under the agent’s own authorised identity, they look like normal agent activity to monitoring that keys on who is calling rather than why.

Data exfiltration at scale. Once an agent has access to your Slack, Teams, or internal wikis, a malicious skill can systematically extract information over weeks or months. Not in obvious bulk dumps that trigger DLP tools, but through casual-looking queries spread across time.

Persistence after removal. Traditional malware needs to plant itself on a host, where endpoint tooling can find it. A malicious AI agent skill just needs to remain in your agent’s configuration. Pulling it from the marketplace doesn’t uninstall it: everyone who already added it keeps running it until they remove it themselves.
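The slow exfiltration pattern described above is the one worth building detection for, because per-request DLP thresholds never fire on it. Here is an added example, not from the original post and not tied to any particular agent platform, of a detector that aggregates each skill’s reads over a sliding window and flags skills whose cumulative volume is large even though every single call stayed under the per-call limit. The audit log format, the skill names and the thresholds are constructed for illustration.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): one JSON object per tool call an
# agent made on behalf of an installed skill. "bytes" is the size of the response.
SAMPLE_LOG = """
{"ts": "2025-03-01T09:12:00Z", "skill": "wiki-summarizer", "tool": "wiki.read", "doc": "runbooks/prod-db", "bytes": 45000}
{"ts": "2025-03-02T10:00:00Z", "skill": "calendar-helper", "tool": "calendar.list", "doc": "cal/week-10", "bytes": 4000}
{"ts": "2025-03-05T14:30:00Z", "skill": "wiki-summarizer", "tool": "wiki.read", "doc": "runbooks/vpn-config", "bytes": 45000}
{"ts": "2025-03-09T11:05:00Z", "skill": "wiki-summarizer", "tool": "wiki.read", "doc": "finance/q1-forecast", "bytes": 45000}
{"ts": "2025-03-10T08:00:00Z", "skill": "backup-export", "tool": "wiki.export", "doc": "all", "bytes": 400000}
{"ts": "2025-03-13T16:45:00Z", "skill": "wiki-summarizer", "tool": "wiki.read", "doc": "hr/salary-bands", "bytes": 45000}
{"ts": "2025-03-17T09:20:00Z", "skill": "wiki-summarizer", "tool": "wiki.read", "doc": "legal/contracts-index", "bytes": 45000}
{"ts": "2025-03-19T10:00:00Z", "skill": "calendar-helper", "tool": "calendar.list", "doc": "cal/week-12", "bytes": 4000}
{"ts": "2025-03-21T13:10:00Z", "skill": "wiki-summarizer", "tool": "wiki.read", "doc": "security/incident-playbook", "bytes": 45000}
"""

PER_CALL_LIMIT = 50_000          # what a per-request DLP rule would catch
WINDOW = timedelta(days=30)
WINDOW_BYTES_LIMIT = 250_000     # cumulative bytes per skill inside the window
WINDOW_DOC_LIMIT = 20            # distinct documents per skill inside the window


def parse_log(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def flag_per_call(events, limit=PER_CALL_LIMIT):
    """Skills with at least one single response over the per-call DLP limit."""
    return sorted({e["skill"] for e in events if e["bytes"] > limit})


def find_low_and_slow(events, window=WINDOW, per_call_limit=PER_CALL_LIMIT,
                      byte_limit=WINDOW_BYTES_LIMIT, doc_limit=WINDOW_DOC_LIMIT):
    """Per-skill sliding window over the log. A skill is flagged the first time
    its cumulative bytes or distinct documents inside the window exceed the
    limits while every individual call in that window stayed under the per-call
    limit (calls over the per-call limit are the per-request rule's job)."""
    by_skill = defaultdict(list)
    for e in events:
        by_skill[e["skill"]].append(e)

    findings = []
    for skill, evs in by_skill.items():
        start = 0
        bytes_in_window = 0
        docs = Counter()
        for end, e in enumerate(evs):
            bytes_in_window += e["bytes"]
            docs[e["doc"]] += 1
            # slide the left edge forward until the window fits
            while e["ts"] - evs[start]["ts"] > window:
                old = evs[start]
                bytes_in_window -= old["bytes"]
                docs[old["doc"]] -= 1
                if docs[old["doc"]] == 0:
                    del docs[old["doc"]]
                start += 1
            largest = max(x["bytes"] for x in evs[start:end + 1])
            over = bytes_in_window > byte_limit or len(docs) > doc_limit
            if largest <= per_call_limit and over:
                findings.append({
                    "skill": skill,
                    "window_start": evs[start]["ts"].isoformat(),
                    "window_end": e["ts"].isoformat(),
                    "bytes": bytes_in_window,
                    "distinct_docs": len(docs),
                    "largest_single_call": largest,
                })
                break   # one finding per skill is enough to raise an alert
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-call DLP hits:", flag_per_call(evs))
    for f in find_low_and_slow(evs):
        print("low-and-slow:", f)
```

On the constructed log, `backup-export` is caught by the ordinary per-call rule, while `wiki-summarizer` never exceeds 45 KB in a single read and only surfaces once its 30-day total crosses the window limit. The two checks are complementary; deploying only the first is exactly the gap the paragraph above describes.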

The Marketplace Incentive Problem

I don’t think marketplace operators are being negligent. Most are genuinely trying to balance security with ecosystem growth. But the incentives are misaligned.

For a marketplace to succeed, it needs volume. Thousands of skills. Frequent updates. An active developer community. That means lowering barriers to entry, which often means lighter security review processes.

Meanwhile, skill developers are optimizing for adoption metrics. They want installs, ratings, and usage stats. Security takes time and doesn’t show up in those metrics until something goes wrong.

The result? An ecosystem where everyone’s individual incentives push toward less security, even though collectively we all want more of it.

What Actually Needs To Change

First, we need standardized security disclosure for AI agent skills. Not just “this skill can read your messages” — that’s useless. I need to know specifically which APIs it calls, what data it stores, and where that data goes. The OWASP LLM Security Verification Standard provides a framework, but it’s not widely adopted yet.

Second, marketplaces need mandatory security review, not just automated scanning. I’ve seen too many sophisticated attacks that pass automated checks. They’re designed to. You need humans reviewing code, especially for skills that request elevated permissions.

Third, we need better sandboxing. Skills shouldn’t have unrestricted access to agent capabilities by default. There should be clear permission boundaries, and agents should enforce them at runtime.

Fourth, supply chain transparency. If a skill depends on external libraries or services, that should be documented and monitored. When dependencies change, skills should be re-reviewed before the changes propagate to production deployments.
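The first, third and fourth points fit together in one mechanism: a manifest that declares what the skill calls, where it sends data and which dependency artefacts it was reviewed with, plus a runtime gate in the agent that refuses anything outside that declaration. The following is an added illustration written for this post, not code from any marketplace or agent framework; the manifest schema, the skill name, the tool names, the hosts and the dependency archives are all hypothetical.

```python
import hashlib
from urllib.parse import urlparse

# Constructed dependency archives standing in for what the skill would fetch.
GOOD_DEP = b"md-render 1.2.0 archive contents (constructed)"
TAMPERED_DEP = GOOD_DEP + b"\n# injected code"

# Hypothetical manifest (not any marketplace's real schema). The skill declares
# the tools it calls, the hosts it may send data to, what it stores, and the hash
# of every dependency artefact it was reviewed with. In practice the hash is
# pinned at review time; it is computed here only so the example is self-contained.
MANIFEST = {
    "name": "ticket-triage",
    "version": "1.4.0",
    "tools": ["tickets.read", "tickets.comment"],
    "egress_hosts": ["api.tickets.example"],
    "stores": ["ticket_id", "summary"],
    "dependencies": {
        "md-render-1.2.0.tar.gz": "sha256:" + hashlib.sha256(GOOD_DEP).hexdigest(),
    },
}

# Constructed stand-ins for the agent's real tools. mail.send exists on the
# agent but is not declared by the skill, so the sandbox must refuse it.
DEMO_TOOLS = {
    "tickets.read": lambda ticket_id: {"id": ticket_id, "body": "printer on fire"},
    "tickets.comment": lambda ticket_id, text: True,
    "mail.send": lambda to, body: True,
}


class SkillDenied(Exception):
    """Raised when a skill steps outside its manifest."""


class SkillSandbox:
    """Gate the agent places between an installed skill and its own capabilities.
    Every decision, allowed or not, is appended to `audit` for the SOC."""

    def __init__(self, manifest, tool_impls, http_impl):
        self.manifest = manifest
        self._tools = tool_impls      # name -> callable
        self._http = http_impl        # callable(url) -> response
        self.audit = []

    def _record(self, kind, target, allowed):
        self.audit.append({"skill": self.manifest["name"], "kind": kind,
                           "target": target, "allowed": allowed})

    def verify_dependencies(self, artifacts):
        """artifacts: filename -> bytes as downloaded. Undeclared, changed or
        missing artefacts are refused, so a dependency change cannot reach
        production until the manifest (and therefore the review) is updated."""
        declared = self.manifest["dependencies"]
        for name, blob in artifacts.items():
            actual = "sha256:" + hashlib.sha256(blob).hexdigest()
            ok = declared.get(name) == actual
            self._record("dependency", name, ok)
            if not ok:
                raise SkillDenied(f"{name} is undeclared or differs from the reviewed hash")
        missing = set(declared) - set(artifacts)
        if missing:
            raise SkillDenied(f"declared dependencies not supplied: {sorted(missing)}")
        return True

    def call_tool(self, name, **kwargs):
        """Only tools named in the manifest, and actually present on the agent, run."""
        allowed = name in self.manifest["tools"] and name in self._tools
        self._record("tool", name, allowed)
        if not allowed:
            raise SkillDenied(f"{self.manifest['name']} may not call {name}")
        return self._tools[name](**kwargs)

    def http_request(self, url):
        """Outbound requests must be HTTPS to a declared host; this is the hook
        that stops a skill shipping data to an undeclared collector."""
        parsed = urlparse(url)
        host = parsed.hostname or ""
        allowed = parsed.scheme == "https" and host in self.manifest["egress_hosts"]
        self._record("egress", host, allowed)
        if not allowed:
            raise SkillDenied(f"egress to {host!r} is not declared")
        return self._http(url)


def denied(fn):
    """True if the sandbox blocked the call, False if it went through."""
    try:
        fn()
    except SkillDenied:
        return True
    return False


if __name__ == "__main__":
    box = SkillSandbox(MANIFEST, DEMO_TOOLS, http_impl=lambda url: f"200 OK {url}")
    box.verify_dependencies({"md-render-1.2.0.tar.gz": GOOD_DEP})
    print(box.call_tool("tickets.read", ticket_id=42))
    print("mail.send blocked:", denied(lambda: box.call_tool("mail.send", to="x", body="y")))
    print("exfil blocked:", denied(lambda: box.http_request("https://attacker.example/c")))
    print("tampered dep blocked:", denied(lambda: box.verify_dependencies(
        {"md-render-1.2.0.tar.gz": TAMPERED_DEP})))
    for entry in box.audit:
        print(entry)
```

Two design choices matter here. The gate is in the agent, not the skill, so a skill cannot opt out of it; and the `stores` field is disclosure only, which is the part a human reviewer has to check against the code, because no runtime check can tell what a skill does with a value once it has it.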

The Australian Context

Working in Melbourne’s enterprise sector, I’ve noticed Australian companies tend to be more cautious about third-party code than their Silicon Valley counterparts. That caution is serving us well here.

Under Australian privacy law, companies remain liable for data breaches even if they’re caused by third-party components. That legal framework creates real incentives for thorough vetting. It’s not enough to say “we trusted the marketplace” when customer data gets compromised through a malicious skill.

I’ve also seen increased scrutiny from boards and audit committees. They’re asking harder questions about AI security than they were even a year ago. That’s healthy pressure.

Where We Go From Here

I’m not pessimistic about AI agent platforms. The technology is transformative when deployed properly. But we’re at a critical juncture.

Right now, the industry can choose to take security seriously before we have a major incident that forces us to. That means building better marketplace security infrastructure, even if it slows down ecosystem growth in the short term.

Or we can keep optimizing for adoption and deal with the inevitable breach, regulatory response, and loss of trust that follows. Given that we’ve seen this exact pattern play out with mobile app stores, browser extensions, and package managers, I’d hope we could learn from history.

The enterprises I work with don’t want to be guinea pigs for AI agent security. They want to deploy these tools confidently, knowing their risk exposure is understood and managed. That’s reasonable.

The AI agent marketplace ecosystem needs to meet that expectation. Not eventually — now, while the patterns are still being established and before security-by-default becomes “too hard to retrofit.”

Because if there’s one thing I’ve learned watching enterprise technology evolve over the past decade, it’s this: security you add later is never as effective as security you build in from the start. And it’s always more expensive.