AI Agent Security

Threat intelligence for the AI coding tool ecosystem. 3,984 skills scanned. Here's what we found.

Threat DB v2.0.0 — Updated Feb 2026
Explore Threats Read Hardening Guide →

By the Numbers

0
Skills Scanned
0
Have Flaws
0
Critical-Risk
0
Malicious Payloads
0
CVEs Tracked
0
Exposed Servers

Attack Techniques

T001

Tool Poisoning via SKILL.md

Hidden instructions in SKILL.md that instruct the agent to run malicious commands.

ClawHavoc ToxicSkills
Examples & mitigation

Examples

  • curl | bash from glot.io scripts
  • Password-protected ZIP with embedded malware
  • Base64-decoded eval commands
Scan SKILL.md for shell commands; never auto-execute prerequisites.
T002

Memory Poisoning

Injection of persistent instructions into SOUL.md, MEMORY.md, CLAUDE.md, AGENTS.md.

ToxicSkills
Examples & mitigation

Examples

  • Skills targeting SOUL.md/MEMORY.md to inject persistent backdoor instructions
  • Cognitive worms that replicate across agent memory files
Treat memory files as config; require code review for changes; monitor diffs.
T003

Rug Pull / Post-Approval Mutation

Benign config approved once, then mutated to malicious version that auto-executes.

CVE-2025-54136
Examples & mitigation

Examples

  • MCPoison: .cursor/rules/mcp.json approved, then updated with reverse shell
  • ClawHub skills updated without changelog to swap in AMOS installer
Hash verification on configs; re-approval on any change.
T004

Confused Deputy via MCP

Attacker manipulates MCP session/output; client trusts poisoned response.

CVE-2025-6515 CVE-2025-68143
Examples & mitigation

Examples

  • oatpp-mcp session ID reuse (CVE-2025-6515)
  • Git MCP + Filesystem MCP chain via poisoned README
Cryptographic session IDs; input validation; least-privilege for MCP tools.
T005

DNS Rebinding on Local MCP

Malicious website rebinds domain to 127.0.0.1 to access local MCP servers.

CVE-2025-66416 CVE-2025-9611
Examples & mitigation

Examples

  • MCP Python SDK HTTP/SSE servers (CVE-2025-66416)
  • MCP Gateway SSE (CVE-2025-64443)
  • Playwright MCP (CVE-2025-9611)
Use stdio transport; enable DNS rebinding protection; authenticate local servers.
T006

Supply Chain Package Attack

Malicious packages published to registries mimicking legitimate MCP servers.

PyPI MCP Postmark npm
Examples & mitigation

Examples

  • PyPI: mcp-runcmd-server, mcp-runcommand-server (JFrog)
  • npm: postmark-mcp squatter
Verify package author; check download counts; use SafeDep vet.
T007

Hook-Based Exfiltration

Malicious .claude/hooks/ scripts run on agent events with full user privileges.

Claude Code
Examples & mitigation

Examples

  • SessionStart hook that POSTs environment variables
  • PostToolUse hook that exfiltrates file paths and content
Review all hooks; forbid auto-running hooks from untrusted repos; maintain hook allowlist.
T008

Credential Theft via Agent

Agent instructed to read credential files and send to attacker.

ClawHavoc ToxicSkills
Examples & mitigation

Examples

  • rankaj skill: reads ~/.clawdbot/.env, POSTs to webhook.site
  • Base64-encoded curl to send ~/.aws/credentials
Block agent access to .env, .aws, .ssh directories; use pre-execution hooks.

CVE Database

CVE ID Component Severity Fixed In
CVE-2025-53109Filesystem MCP ServerHigh0.6.3
CVE-2025-53110Filesystem MCP ServerHigh0.6.3
CVE-2025-49596MCP InspectorCritical0.14.1
CVE-2025-68143MCP Git ServerHigh2025.9.25
CVE-2025-68144MCP Git ServerHigh2025.12.18
CVE-2025-68145MCP Git ServerHigh2025.12.18
CVE-2025-66416MCP Python SDKMedium1.23.0
CVE-2025-64443MCP GatewayMedium0.28.0
CVE-2026-25536MCP TypeScript SDKHigh1.26.0
CVE-2025-54135Cursor IDEHigh1.3.9
CVE-2025-54136Cursor IDEHigh1.3.9
CVE-2025-66032Claude CodeHigh1.0.93
CVE-2026-24052Claude Code WebFetchHigh1.0.111
ADVISORY-CC-2026-001Claude Code (Sandbox Bypass)High2.1.34
CVE-2025-53967Figma MCP ServerHigh0.6.3
CVE-2025-9611Playwright MCPMedium0.0.40
CVE-2025-6515MCP SSE TransportHigh--
CVE-2026-25546Godot MCP ServerHigh0.1.1
CVE-2025-54073mcp-package-docsHigh0.1.28

Active Campaigns

ClawHavoc 341 skills • Koi Security • Feb 2026

Largest known malicious AI agent skill campaign. 335 skills deploy Atomic Stealer (AMOS) macOS malware via fake prerequisites in SKILL.md. 6 outlier skills use alternate payloads (reverse shells, credential theft).

Delivery Methods

  • Fake prerequisites in SKILL.md (e.g., "install this CLI tool first")
  • Base64-encoded shell snippets hosted on glot.io
  • Password-protected ZIPs (password: 'openclaw')
  • Second-stage dropper from raw IP addresses

Categories

  • Crypto wallets: 111 skills (Solana, Phantom, wallet-tracker, insider-wallets-finder)
  • Finance & social: 76 skills (Yahoo Finance, X Trends)
  • YouTube utilities: 57 skills (summarizers, thumbnails, downloaders)
  • Polymarket bots: 34 skills
  • Auto-updaters: 30 skills
  • ClawHub typosquats: 29 skills
  • Google Workspace: 17 skills

Targets

  • 60+ cryptocurrency wallets (Exodus, Binance, Electrum, Atomic, Ledger)
  • Browser data (Chrome, Safari, Firefox, Brave, Edge)
  • SSH keys and shell history
  • Telegram sessions, Keychain passwords (macOS)
ToxicSkills 3,984 scanned • Snyk • Feb 2026

Comprehensive audit of ClawHub and skills.sh ecosystems. Found 36.82% of all scanned skills have security flaws. 13.4% are critical-risk. 76 contain confirmed malicious payloads.

Key Findings

  • 1,467 flawed skills (36.82% of total)
  • 534 critical-risk skills (13.4%)
  • 76 malicious payloads (8 still live at scan time)
  • 10.9% contain hardcoded secrets
  • 17.7% fetch remote content
  • 2.9% execute remote prompts

Known Malicious Authors

  • zaycv — 40+ malicious skills, programmatic campaign
  • Aslaep123 — Malicious crypto/trading skills
  • pepe276 — Unicode-obfuscated DAN-style jailbreaking
  • moonshine-100rze — Mixed prompt-injection + exfil
PyPI MCP Reverse Shell 3 packages • JFrog • Dec 2025

Three malicious Python packages on PyPI masquerading as MCP server implementations. Each spawns a reverse shell to 45.115.38.27:4433 before starting the legitimate MCP server functionality.

Malicious Packages

  • mcp-runcmd-server
  • mcp-runcommand-server
  • mcp-runcommand-server2

Technique

  • Spawns /bin/sh -i reverse shell before starting MCP server
  • C2 IP: 45.115.38.27, port 4433
Postmark MCP Squatter npm • Defender's Initiative • Nov 2025

A malicious npm package named postmark-mcp that copies the official Postmark MCP server with a hidden backdoor injected into the codebase.

Details

  • Published on npm registry as a squatter of the official Postmark MCP integration
  • Copies legitimate functionality to appear trustworthy
  • Hidden backdoor enables remote access

Detection

  • Verify package author matches official Postmark organization
  • Check package publish date and download count
  • Use npx mcp-scan to detect known squatters

Threat Database Browser

Showing 0 of 0 skills

Defense Tools

mcp-scan

Invariant / Snyk

Scans MCP server configurations for vulnerabilities. Detects known vulnerable servers and versions.

github.com/invariantlabs-ai/mcp-scan

skills-ref validate

agentskills.io

Validates skill spec compliance (SKILL.md structure, frontmatter, naming conventions).

docs.rs/skills-ref-rs

Garak

NVIDIA

37+ probe modules for LLM vulnerabilities. Prompt injection detection and jailbreak testing.

github.com/NVIDIA/garak

MCP Fortress

mcp-fortress

Scans npm/PyPI dependencies of MCP servers. Queries CVE databases for risk scores.

github.com/mcp-fortress/mcp-fortress

SafeDep vet MCP

SafeDep

Software composition analysis integrated with agents. Detects slopsquatting and malicious packages.

safedep.io/introducing-vet-mcp-server

Koi Clawdex

Koi Security

ClawHub security addon. Checks skills against Koi malicious skill database pre-install and retroactively.

koi.ai/blog/clawhavoc

Built-in Claude Code Security Commands

This guide includes two slash commands for security auditing your configuration: /security-check for a quick 30-second scan, and /security-audit for a full 6-phase audit with a score out of 100. See the next section for details.

Built-in Security Commands

/security-check

Quick scan • ~30 seconds • Config vs known threats
$ /security-check

# Checks your config against threat-db.yaml
[1/4] Scanning .claude/settings.json...
[2/4] Checking MCP server versions...
[3/4] Scanning hooks for suspicious patterns...
[4/4] Matching against known malicious skills...

Result: 0 critical, 1 warning
Warning: @playwright/mcp unpinned (@latest)

/security-audit

Full audit • 2-5 minutes • 6 phases with score /100
$ /security-audit

# Full 6-phase security assessment
[Phase 1] Permission model analysis...
[Phase 2] MCP server inventory & CVE check...
[Phase 3] Hook security review...
[Phase 4] CLAUDE.md injection scan...
[Phase 5] Secrets detection...
[Phase 6] Supply chain assessment...

Security Posture Score: 82/100
3 recommendations generated

5-Minute Security Checklist

0/7
Complete

Sources & References

Snyk ToxicSkills

Feb 2026
snyk.io →

Koi Security ClawHavoc

Feb 2026
koi.ai →

SafeDep Threat Model

Jan 2026
safedep.io →

Cymulate EscapeRoute

Sep 2025
cymulate.com →

Checkpoint MCPoison

Oct 2025
checkpoint.com →

JFrog Prompt Hijacking

Oct 2025
jfrog.com →

JFrog PyPI MCP Reverse Shell

Dec 2025
research.jfrog.com →

Recorded Future MCP Inspector

Jul 2025
recordedfuture.com →

Flatt Security - 8 ways to pwn Claude

Aug 2025
flatt.tech →

SentinelOne WebFetch SSRF

Jan 2026
sentinelone.com →

Hacker News - MCP Git Server Flaws

Jan 2026
thehackernews.com →

Bitsight TRACE - Exposed MCP Servers

Jan 2026
bitsight.com →

Defender's Initiative - Postmark MCP

Nov 2025
defendersinitiative.substack.com →

SAFE-MCP Framework

Jan 2026
safemcp.org →