AI Agent Security
Threat intelligence for the AI coding tool ecosystem. 3,984 skills scanned. Here's what we found.
By the Numbers
Attack Techniques
Tool Poisoning via SKILL.md
Hidden instructions in SKILL.md that instruct the agent to run malicious commands.
Examples & mitigation
Examples
- curl | bash from glot.io scripts
- Password-protected ZIP with embedded malware
- Base64-decoded eval commands
Memory Poisoning
Injection of persistent instructions into SOUL.md, MEMORY.md, CLAUDE.md, AGENTS.md.
Examples & mitigation
Examples
- Skills targeting SOUL.md/MEMORY.md to inject persistent backdoor instructions
- Cognitive worms that replicate across agent memory files
Rug Pull / Post-Approval Mutation
Benign config approved once, then mutated to malicious version that auto-executes.
Examples & mitigation
Examples
- MCPoison: .cursor/rules/mcp.json approved, then updated with reverse shell
- ClawHub skills updated without changelog to swap in AMOS installer
Confused Deputy via MCP
Attacker manipulates MCP session/output; client trusts poisoned response.
Examples & mitigation
Examples
- oatpp-mcp session ID reuse (CVE-2025-6515)
- Git MCP + Filesystem MCP chain via poisoned README
DNS Rebinding on Local MCP
Malicious website rebinds domain to 127.0.0.1 to access local MCP servers.
Examples & mitigation
Examples
- MCP Python SDK HTTP/SSE servers (CVE-2025-66416)
- MCP Gateway SSE (CVE-2025-64443)
- Playwright MCP (CVE-2025-9611)
Supply Chain Package Attack
Malicious packages published to registries mimicking legitimate MCP servers.
Examples & mitigation
Examples
- PyPI: mcp-runcmd-server, mcp-runcommand-server (JFrog)
- npm: postmark-mcp squatter
Hook-Based Exfiltration
Malicious .claude/hooks/ scripts run on agent events with full user privileges.
Examples & mitigation
Examples
- SessionStart hook that POSTs environment variables
- PostToolUse hook that exfiltrates file paths and content
Credential Theft via Agent
Agent instructed to read credential files and send to attacker.
Examples & mitigation
Examples
- rankaj skill: reads ~/.clawdbot/.env, POSTs to webhook.site
- Base64-encoded curl to send ~/.aws/credentials
CVE Database
| CVE ID ▲ | Component ▲ | Severity ▲ | Fixed In ▲ |
|---|---|---|---|
| CVE-2025-53109 | Filesystem MCP Server | High | 0.6.3 |
| CVE-2025-53110 | Filesystem MCP Server | High | 0.6.3 |
| CVE-2025-49596 | MCP Inspector | Critical | 0.14.1 |
| CVE-2025-68143 | MCP Git Server | High | 2025.9.25 |
| CVE-2025-68144 | MCP Git Server | High | 2025.12.18 |
| CVE-2025-68145 | MCP Git Server | High | 2025.12.18 |
| CVE-2025-66416 | MCP Python SDK | Medium | 1.23.0 |
| CVE-2025-64443 | MCP Gateway | Medium | 0.28.0 |
| CVE-2026-25536 | MCP TypeScript SDK | High | 1.26.0 |
| CVE-2025-54135 | Cursor IDE | High | 1.3.9 |
| CVE-2025-54136 | Cursor IDE | High | 1.3.9 |
| CVE-2025-66032 | Claude Code | High | 1.0.93 |
| CVE-2026-24052 | Claude Code WebFetch | High | 1.0.111 |
| ADVISORY-CC-2026-001 | Claude Code (Sandbox Bypass) | High | 2.1.34 |
| CVE-2025-53967 | Figma MCP Server | High | 0.6.3 |
| CVE-2025-9611 | Playwright MCP | Medium | 0.0.40 |
| CVE-2025-6515 | MCP SSE Transport | High | -- |
| CVE-2026-25546 | Godot MCP Server | High | 0.1.1 |
| CVE-2025-54073 | mcp-package-docs | High | 0.1.28 |
| CVE-2026-23744 | MCPJam | Critical | Audit servers |
Active Campaigns
ClawHavoc
Largest known malicious AI agent skill campaign. 335 skills deploy Atomic Stealer (AMOS) macOS malware via fake prerequisites in SKILL.md. 6 outlier skills use alternate payloads (reverse shells, credential theft).
Delivery Methods
- Fake prerequisites in SKILL.md (e.g., "install this CLI tool first")
- Base64-encoded shell snippets hosted on glot.io
- Password-protected ZIPs (password: 'openclaw')
- Second-stage dropper from raw IP addresses
Categories
- Crypto wallets: 111 skills (Solana, Phantom, wallet-tracker, insider-wallets-finder)
- Finance & social: 76 skills (Yahoo Finance, X Trends)
- YouTube utilities: 57 skills (summarizers, thumbnails, downloaders)
- Polymarket bots: 34 skills
- Auto-updaters: 30 skills
- ClawHub typosquats: 29 skills
- Google Workspace: 17 skills
Targets
- 60+ cryptocurrency wallets (Exodus, Binance, Electrum, Atomic, Ledger)
- Browser data (Chrome, Safari, Firefox, Brave, Edge)
- SSH keys and shell history
- Telegram sessions, Keychain passwords (macOS)
ToxicSkills
Full audit of ClawHub and skills.sh ecosystems. Found 36.82% of all scanned skills have security flaws. 13.4% are critical-risk. 76 contain confirmed malicious payloads.
Key Findings
- 1,467 flawed skills (36.82% of total)
- 534 critical-risk skills (13.4%)
- 76 malicious payloads (8 still live at scan time)
- 10.9% contain hardcoded secrets
- 17.7% fetch remote content
- 2.9% execute remote prompts
Known Malicious Authors
- zaycv — 40+ malicious skills, programmatic campaign
- Aslaep123 — Malicious crypto/trading skills
- pepe276 — Unicode-obfuscated DAN-style jailbreaking
- moonshine-100rze — Mixed prompt-injection + exfil
hightower6eu Publisher
Publisher account on ClawHub with 314+ confirmed malicious skills. Skills impersonate popular utilities and development tools to exfiltrate credentials and install backdoors. Added to threat-db.yaml v2.1.0.
Profile
- 314+ malicious skills published
- Targets developer tooling and productivity apps
- Credential theft via fake API integration workflows
PyPI MCP Reverse Shell
Three malicious Python packages on PyPI masquerading as MCP server implementations. Each spawns a reverse shell to 45.115.38.27:4433 before starting the legitimate MCP server functionality.
Malicious Packages
mcp-runcmd-servermcp-runcommand-servermcp-runcommand-server2
Technique
- Spawns
/bin/sh -ireverse shell before starting MCP server - C2 IP: 45.115.38.27, port 4433
Postmark MCP Squatter
A malicious npm package named postmark-mcp that copies the official Postmark MCP server with a hidden backdoor injected into the codebase.
Details
- Published on npm registry as a squatter of the official Postmark MCP integration
- Copies legitimate functionality to appear trustworthy
- Hidden backdoor enables remote access
Detection
- Verify package author matches official Postmark organization
- Check package publish date and download count
- Use
npx mcp-scanto detect known squatters
Threat Database Browser
Defense Tools
mcp-scan
Scans MCP server configurations for vulnerabilities. Detects known vulnerable servers and versions.
github.com/invariantlabs-ai/mcp-scanskills-ref validate
Validates skill spec compliance (SKILL.md structure, frontmatter, naming conventions).
docs.rs/skills-ref-rsGarak
37+ probe modules for LLM vulnerabilities. Prompt injection detection and jailbreak testing.
github.com/NVIDIA/garakMCP Fortress
Scans npm/PyPI dependencies of MCP servers. Queries CVE databases for risk scores.
github.com/mcp-fortress/mcp-fortressSafeDep vet MCP
Software composition analysis integrated with agents. Detects slopsquatting and malicious packages.
safedep.io/introducing-vet-mcp-serverKoi Clawdex
ClawHub security addon. Checks skills against Koi malicious skill database pre-install and retroactively.
koi.ai/blog/clawhavocBuilt-in Claude Code Security Commands
This guide includes two slash commands for security auditing your configuration: /security-check for a quick 30-second scan, and /security-audit for a full 6-phase audit with a score out of 100. See the next section for details.
Built-in Security Commands
/security-check
# Checks your config against threat-db.yaml
[1/4] Scanning .claude/settings.json...
[2/4] Checking MCP server versions...
[3/4] Scanning hooks for suspicious patterns...
[4/4] Matching against known malicious skills...
Result: 0 critical, 1 warning
Warning: @playwright/mcp unpinned (@latest)
/security-audit
# Full 6-phase security assessment
[Phase 1] Permission model analysis...
[Phase 2] MCP server inventory & CVE check...
[Phase 3] Hook security review...
[Phase 4] CLAUDE.md injection scan...
[Phase 5] Secrets detection...
[Phase 6] Supply chain assessment...
Security Posture Score: 82/100
3 recommendations generated