The Hidden Code in Your AI Assistant: A New Tool Tackles a Growing Threat

NEW YORK, NY – June 16, 2026 – The rapid proliferation of autonomous AI agents is creating a new, treacherous frontier for cybersecurity. As developers rush to enhance these agents with third-party "skills" downloaded from public repositories, they are often unknowingly introducing malicious code that can lead to data theft, credential exfiltration, and system compromise. Addressing this critical security gap, cybersecurity firm Mitiga has launched Skillgate, a free tool designed to scan and vet the configuration files that power these increasingly capable AI systems.

The problem stems from a culture of speed and convenience that mirrors the early, insecure days of other software ecosystems. “People install skills the way we used to double-click email attachments – quickly and without looking inside,” said Idan Cohen, a Cloud Security Researcher at Mitiga. “A skill, hook, or CLAUDE.md file contains instructions that an agent will execute automatically. Skillgate helps users understand what’s actually in those files and assess the risk before an agent loads them.”

The Unseen Risk in the AI Supply Chain

At the heart of the issue is the AI supply chain. Modern AI agents are not monolithic; they are modular systems designed to integrate tools and skills that allow them to perform complex tasks like reading files, accessing APIs, and managing code. While this extensibility is powerful, it creates a significant attack surface. A recent industry study reveals a stark reality: while 82% of enterprises are deploying AI agents, only 44% have established policies to secure them, and one in five organizations reports already having experienced an agent-related breach.

Mitiga Labs, the company’s research division, quantified this threat in its "License to Skill" research series. Over six months, researchers analyzed more than 50,000 AI instruction files from over 7,000 public repositories. The findings were alarming. They uncovered over 1,230 hardcoded API keys and tokens left exposed in agent configurations, a treasure trove for any attacker. They also documented active attack techniques, such as configurations that rerouted traffic from the AI model Claude through attacker-controlled proxy servers, effectively eavesdropping on sensitive interactions.

The research detailed concrete examples of these "poisoned skills." In one case, a seemingly harmless testing skill was engineered to silently copy and exfiltrate an entire codebase to an attacker's repository, all without any user prompts or audit logs. In another, a malicious "hook"—a script configured to run at the start of every agent session—covertly shipped local developer credentials to an external server. These poisoned skills spread through blogs and public marketplaces, much like malicious packages have historically spread through open-source software registries.

A Safety Net for the Agentic Frontier

In response to these findings, Mitiga developed Skillgate. The free tool allows any user to paste a public GitHub repository URL and initiate a scan. The system analyzes the agent’s configuration files—including skills, hooks, and instruction files for models like Claude—without executing any code. It uses a combination of signature analysis, Abstract Syntax Tree (AST) analysis to understand the code’s structure and data flow, and even an LLM-as-judge to assess semantic intent.

The process maps any discovered vulnerabilities to known attack techniques, providing a comprehensive report within minutes. This report includes a risk score out of 100, a clear verdict—Clean, Risky, Suspicious, or Dangerous—and detailed explanations for each finding, along with recommended fixes. With over 80 detection rules covering six major technique families like prompt manipulation and supply chain poisoning, the tool offers a robust first line of defense.

Crucially, the findings are mapped to established cybersecurity frameworks, including the MITRE ATT&CK and ATLAS frameworks, as well as the emerging OWASP Agentic AI Top 10. This alignment helps security teams contextualize the threats within their existing risk management programs. "AI agents and skills are now wired into cloud, SaaS, and developer pipelines, yet they incorporate third-party instructions most teams never review," said Ofer Maor, Co-Founder and Chief Technology Officer at Mitiga. "Skillgate gives the community a practical safety net so they can use the wealth of publicly available skills they find with increased confidence."

Democratizing AI Safety

By offering Skillgate at no cost, Mitiga is making a strategic move to democratize AI safety. The initiative empowers individual developers, startups, and academic researchers—groups that may lack dedicated security budgets—to adopt agentic AI with greater confidence. This approach fosters a safer environment for innovation, allowing the community to experiment with cutting-edge technology while mitigating some of its most immediate dangers.

This effort is part of a growing industry-wide recognition of the problem. Other organizations, like Cisco, have also released open-source tools to scan AI skills, signaling a consensus that the agentic AI ecosystem requires foundational security layers to thrive. These tools function like an antivirus for AI extensions, providing a much-needed inspection layer for a new class of software components. By providing an accessible, easy-to-use scanner, Mitiga is helping establish a baseline security practice for a field still in its infancy.

The goal is to shift developer behavior from blind trust to proactive verification, transforming the installation of a new AI skill from a risky click into a vetted, informed decision. This cultural shift is essential for building a resilient AI ecosystem where the benefits of shared innovation do not come at the cost of security.

Shifting from Prevention to Resilience

The emergence of tools like Skillgate signals a broader evolution in cybersecurity strategy, moving beyond traditional prevention-focused models toward a more holistic concept of resilience. The autonomous and unpredictable nature of AI agents means that some attacks will inevitably bypass initial defenses. Therefore, security must encompass not only prevention but also detection, investigation, and rapid response.

For enterprise CISOs and security architects, this means rethinking their security posture. The new attack surface introduced by AI requires visibility across cloud, SaaS, and developer environments to track agent behavior and intervene before a minor anomaly escalates into a major breach. Integrating scanners like Skillgate into CI/CD pipelines is a critical first step, but it must be part of a larger strategy that includes sandboxing agent execution, enforcing the principle of least privilege, and maintaining rigorous auditing and monitoring.

Mitiga’s own platform is built on this philosophy of "agentic runtime security," designed to provide a safety net with the understanding that attacks are inevitable. By tracking activity as it happens and decoding it into a clear attack timeline, the approach focuses on containing active threats before they cause business impact. Skillgate represents the proactive, community-facing element of this strategy, aiming to reduce the number of threats that enter the ecosystem in the first place. This proactive security posture is not just a best practice; it is a prerequisite for responsibly harnessing the transformative potential of agentic AI.