You run npm audit before every deploy. You pin your dependency versions, watch for CVEs, and think hard before touching the lockfile. You have a mental model for supply chain risk, and you actually apply it.
Your AI agents have a dependency tree too. It is called a skill registry. And when Cisco researchers analysed 31,000 agent skills in January 2026, 26% of them contained at least one security vulnerability. The number-one ranked skill on MolthHub — the primary skill registry for OpenClaw — was, under scrutiny, functionally malware.
At the same time, PromptArmor documented a second attack class that requires no user interaction at all. AI agents integrated into messaging platforms like Microsoft Teams or Telegram can be tricked into exfiltrating sensitive data through automatic link preview fetches. No click required. No awareness required.
These are not theoretical. This article maps both threat classes to frameworks you already know, walks through the attack chains, and gives you a practical starting point for finding out what your team has already deployed. For the broader agentic threat landscape, the pillar article covers the full risk picture. For the underlying injection mechanics, see indirect prompt injection as the enabling mechanism.
Your AI agents have a dependency tree — and 26% of it may be compromised
The structural analogy is pretty direct. An npm package is third-party code installed and executed inside your application’s trust boundary. An AI skill is third-party instructions, scripts, and resources installed and executed inside your AI agent’s trust boundary.
The registries — ClawHub for OpenClaw, Claude Skills from Anthropic, OpenAI Codex Skills — work like open registries where anyone can publish. Popularity signals serve as loose proxies for legitimacy. There is no systematic pre-publication security review. That is npm circa 2015, before the tooling matured.
Here is the critical difference: what “code” means in this context. An AI skill is often a markdown file. In an agent ecosystem, markdown is an installer. As 1Password‘s Jason Meller put it: “Markdown isn’t ‘content’ in an agent ecosystem. Markdown is an installer — ‘run this command,’ ‘paste this in Terminal.'” Your SCA scanner has no visibility into a natural-language instruction that tells an AI agent to silently exfiltrate your credentials.
The blast radius is also bigger than a typical npm package. A skill runs with the agent’s full permissions: local file system access, shell command execution, environment config files storing API keys and database credentials, and messaging integrations across WhatsApp, Slack, Teams, Telegram, and Discord.
If your team has installed 15 agent skills, statistical expectation puts three to five of them containing at least one vulnerability. There is no skill lockfile, no version pinning, no provenance signing. The Cisco Skill Scanner for supply chain assessment is the closest thing to npm audit now available.
What did the Cisco research find when it scanned the number-one ranked skill on MolthHub?
In January 2026, Cisco researchers Amy Chang and Vineeth Sai Narajala pulled the top-ranked skill from MolthHub and ran it through their Skill Scanner. The skill was called “What Would Elon Do?” and its popularity had been artificially inflated.
The scanner returned nine security findings: two critical, five high severity. The skill was functionally malware. It instructed the bot to execute a curl command sending data to an external server controlled by the skill author — silently, without user awareness — and ran a direct prompt injection to force the assistant to bypass its safety guidelines. High severity findings included command injection via embedded bash commands and tool poisoning with malicious payloads in the skill files.
This is the AI skill equivalent of a typosquatted npm package that runs malicious postinstall scripts. The only difference is that the “script” is a natural-language instruction the agent interprets as legitimate, which means your existing tooling cannot catch it.
AuthMind documented 230 malicious skills in the OpenClaw/ClawHub ecosystem since January 27, 2026. A 1Password analysis found a “Twitter” skill — top downloaded at the time — that appeared normal but delivered macOS infostealing malware targeting browser sessions, saved credentials, developer tokens, SSH keys, and cloud credentials. The ClickFix technique runs through many of these: skills display fake UI prompts instructing users to paste commands in Terminal. For the full documented incident record, see the OpenClaw and MolthHub incident record.
How does zero-click exfiltration through messaging app link previews actually work?
In February 2026, PromptArmor documented an attack class that requires no user interaction beyond having an AI agent deployed in a messaging channel. Here is the attack chain using Microsoft Teams and Copilot Studio:
- An attacker crafts a message containing an indirect prompt injection payload.
- The AI agent processes the message, interpreting the injected instructions as legitimate directives.
- The injected prompt instructs the agent to construct a URL containing sensitive data — API keys, session context, internal document content — as query parameters on an attacker-controlled domain.
- The agent generates a response containing this URL. In the EchoLeak variant (CVE-2025-32711), the Teams chat UI automatically fetches the embedded image URL on render.
- To bypass Content Security Policy, the exploit used Microsoft Teams’ own asynchronous preview API — an allowed domain — to proxy the request to the attacker’s server.
- The attacker captures the stolen data from server request logs. The victim sees nothing.
The attack is zero-click because the only trigger is the AI agent processing the message. “Don’t click suspicious links” is categorically irrelevant when the link is never presented to a human.
EchoLeak was patched by Microsoft in May 2025. It bypassed four defences in sequence: Microsoft’s XPIA prompt-injection classifier, Copilot’s link redaction mechanisms, image auto-fetch Content Security Policy, and CSP domain controls via the Teams proxy allowlist. Each layer was individually insufficient. The patch addressed that specific chain; the structural pattern persists across other platforms. PromptArmor operates aitextrisk.com to test specific combinations.
Which messaging platforms create the most risk for AI agent deployments?
The risk is combinatorial — it depends on the messaging platform’s link preview behaviour combined with the AI agent’s response handling. Neither alone determines the outcome.
Microsoft Teams with Copilot Studio is the highest-volume risk, accounting for the largest share of link preview fetches in PromptArmor’s data because of enterprise deployment scale. EchoLeak is patched for that specific chain, but the structural pattern persists for other agent integrations. Telegram with OpenClaw is the highest-risk-per-fetch option: link previews are enabled by default and require a manual config change to mitigate — one most users will never make. Discord with OpenClaw and Slack with Cursor Slackbot are both documented at-risk. Slack is especially relevant given how embedded it is in developer toolchains.
On the safer end: the Claude App in Slack and OpenClaw on WhatsApp are reported lower-risk in PromptArmor’s current data. Signal with a containerised Docker deployment of OpenClaw is reported safe but requires infrastructure most teams will not maintain.
“Safer” is not “certified safe” — those designations reflect current PromptArmor data, not permanent guarantees. The real question is which combinations your team is actually running. Use aitextrisk.com to check your specific setup.
What does shadow AI actually look like inside a 150-person company?
Here is a specific pathway rather than an abstract risk description.
A backend developer downloads OpenClaw for personal productivity. It is free, open-source, and well-reviewed on GitHub. They connect it to their work Slack account and work email. They install four community skills from ClawHub. One contains malicious code — and they had no way to know that.
OpenClaw now has access to every Slack message in every channel their account can read, the ability to send messages as that user, their entire email history, their local file system including AWS credentials and database passwords, their GitHub personal access token, and persistent memory of all interactions. OpenClaw has a Telegram interface with default link preview behaviour enabled. Zero-click exfiltration is possible. Your IT team has zero visibility.
AuthMind documented this exact scenario as a representative case study. Bitsight observed more than 30,000 distinct OpenClaw instances exposed online between January 27 and February 8, 2026, appearing in healthcare, finance, government, and insurance environments.
Here is the critical distinction from shadow IT: a developer using Dropbox creates a data residency risk. A developer running OpenClaw creates an autonomous agent that can send messages, execute shell commands, and interact with external services without per-action approval. In a 150-person company with 30 developers, three running OpenClaw means three unvetted agents with full access to corporate channels. For shadow AI governance in the adoption playbook, ART003 covers the response.
How do you find out what your team has already deployed?
Start with discovery before governance. You cannot govern what you do not know exists.
Network footprint. Look for rapid sequential API calls, off-hours access spikes, and new OAuth grants that do not correspond to IT-approved integrations. AI agents have identifiable network signatures.
Credential exposure surface. Map where developer credentials live on your endpoints — environment config files, personal access tokens, cloud credentials, and broad-scope OAuth tokens. These are what an unvetted skill targets first.
Messaging platform integrations. Review Slack and Teams app integrations and bot connections for anything not provisioned through IT. OpenClaw connects across WhatsApp, Slack, Teams, Telegram, and Discord.
Direct conversation with your team. Ask what AI tools people are using, framed as enablement rather than enforcement. You will get honest answers if it does not feel like an interrogation.
Skill inventory. For any discovered deployments, identify installed skills and run each through the Cisco Skill Scanner. It combines static analysis, behavioural analysis, LLM-assisted semantic analysis, and VirusTotal integration — the closest equivalent to npm audit for AI skills. See open-source tooling for skill vetting for a full treatment.
After discovery: establish an AI tool allowlist, make skill scanning a gate before production use, assess platform combinations using aitextrisk.com, and be clear on what is patched versus structural. EchoLeak is patched. The skill supply chain risk and shadow AI entry pathway require ongoing governance.
One misconception worth addressing: MCP (Model Context Protocol) does not provide a security sandbox. It is a communication protocol — a doorbell, not a door lock. Skills do not need to use MCP at all and can bundle executable scripts that run outside the MCP tool boundary. The goal is safe adoption, not prohibition. For responding to employee-adopted agent tools and a complete browser-agent security overview, those resources cover the broader response.
Frequently Asked Questions
What is an AI skill and how does it differ from a browser extension or plugin?
An AI skill is an organised folder of instructions, scripts, and resources an agent loads dynamically to perform specialised tasks. Unlike browser extensions that operate in a sandboxed environment with per-use approval, AI skills are invoked autonomously at runtime with the agent’s full permissions — file system, shell commands, and messaging integrations. There is no meaningful boundary between “reading the skill” and “executing the skill.”
What is cross-prompt injection (XPIA) and how does it differ from direct prompt injection?
XPIA is Microsoft’s term for indirect prompt injection that crosses context boundaries. The attacker embeds malicious instructions in external content — a document, webpage, or message — that the AI agent processes as data. Unlike direct prompt injection, where the attacker controls user input directly, XPIA exploits the agent’s retrieval of untrusted external content. The victim sees nothing unusual.
Can an AI agent in my Slack or Teams account leak data without anyone clicking anything?
Yes. If an AI agent is integrated into a messaging platform with link previews enabled, an attacker can craft a message that tricks the agent into generating a URL containing sensitive data on an attacker-controlled domain. The platform’s link preview automatically fetches that URL, sending data to the attacker’s server with zero user interaction. PromptArmor documented this chain in February 2026 across multiple platform and agent combinations.
Is OpenClaw safe to use on a work computer?
OpenClaw’s own documentation states: “There is no ‘perfectly secure’ setup.” It runs shell commands, reads and writes files, and executes scripts. It has been documented to leak plaintext API keys. If an employee connects it to work accounts, corporate data becomes accessible to an unvetted agent running unscanned skills. 1Password’s guidance: “If you have already run OpenClaw on a work device, treat it as a potential incident and engage your security team immediately.”
Does MCP (Model Context Protocol) provide a security sandbox for AI skills?
No. MCP is a communication protocol for connecting AI agents to external tools and data sources. It does not sandbox skill execution, validate skill content, or prevent malicious behaviour. Skills do not need to use MCP at all and can bundle executable scripts that run outside the MCP tool boundary.
How do I test whether my messaging platform and AI agent combination is vulnerable to link preview exfiltration?
PromptArmor operates aitextrisk.com, where you can check whether your specific AI agent and messaging platform combination triggers insecure link previews. It provides empirical data on which combinations are currently safe versus vulnerable.
What is the difference between a patched vulnerability and a structural vulnerability in AI agent security?
A patched vulnerability has a specific fix — EchoLeak (CVE-2025-32711) was patched in May 2025; the Telegram/OpenClaw issue can be fixed with a config change. A structural vulnerability has no single fix. The AI skill supply chain has no certification standard, no lockfile equivalent, no provenance system. Structural vulnerabilities require ongoing governance, not one-time patches.
How many malicious AI skills have been found in skill registries?
AuthMind documented 230 malicious skills in the OpenClaw/ClawHub ecosystem since January 27, 2026. Cisco found 26% of 31,000 agent skills analysed contained at least one vulnerability. The #1 ranked skill on MolthHub — scanned by Cisco researchers Amy Chang and Vineeth Sai Narajala — returned nine security findings including two critical and five high severity.
What tools are available for scanning AI skills for malicious content?
Cisco’s open-source Skill Scanner (github.com/cisco-ai-defense/skill-scanner) combines static analysis, behavioural analysis, LLM-assisted semantic analysis, and VirusTotal integration. It provides severity ratings, file locations, and actionable guidance — the closest equivalent to npm audit for AI skills.
What should my team know about using AI browsers before we roll them out company-wide?
Audit for existing shadow AI deployments first. Establish an AI tool allowlist with procurement review criteria. Require Cisco Skill Scanner analysis before any skill is approved. Assess messaging platform and agent combinations using PromptArmor’s aitextrisk.com. Configure link preview settings where platforms allow. And ensure everyone understands that AI agents act autonomously — they read, write, send, and execute on behalf of whoever connected them.
What is the CiteMET npm package and why is it relevant to AI agent security?
CiteMET and tools like the AI Share URL Creator give attackers no-code access to link-based memory manipulation — the ability to inject content into an AI agent’s context without custom exploit code. Their existence means the zero-click exfiltration and supply chain techniques in this article are accessible to a broader attacker population than the underlying mechanics might suggest.
