TL;DR
- CertiK launched Skill Scanner as a security layer for AI Skills following a wave of malicious tools spreading through public AI marketplaces.
- The platform focuses on execution-stage threats, including data exfiltration, shell execution, and unauthorized network activity.
- As AI agents gain access to wallets, APIs, and enterprise systems, security risks around third-party skills are becoming harder to ignore.
When attackers began uploading malicious skills to ClawHub in late January, the AI agent ecosystem received its first large-scale security wake-up call.
By mid-February, more than 1,180 poisoned skills had spread through OpenClaw’s public marketplace. The compromised listings accounted for roughly 12% of the entire registry. Skills with professional documentation and harmless-looking names such as “solana-wallet-tracker” were installing keyloggers on Windows machines and Atomic Stealer malware on macOS.
The underlying problem was simple. Anyone with a GitHub account older than one week could publish to ClawHub. There was no code review, no signing requirement, and no malware scanning.
Since February, the attack surface around AI agents and MCP infrastructure has widened considerably. A trojanized version of a legitimate MCP server, disguised as a Postmark integration, contained a single line of code that blind-copied outgoing emails to attackers. Internal memos, password resets, and invoices were quietly forwarded without user awareness.
Meanwhile, Microsoft patched a critical MCP server vulnerability in March through its Patch Tuesday release. The flaw, tracked as CVE-2026-26118, carried a CVSS severity score of 8.8. Separate analysis of more than 7,000 MCP servers found that over one-third were vulnerable to server-side request forgery attacks.
Traditional malware tools have also struggled to detect many of these threats. VirusTotal, which remains one of the industry’s most widely used malware scanning platforms, was not developed for agent-based execution environments.
Earlier software ecosystems went through the same cycle. Mobile app stores saw it. npm repositories saw it too. Adoption moved faster than security controls, and attackers moved in before platforms were ready.
CertiK now wants to become part of that infrastructure.
What CertiK Just Launched
CertiK launched Skill Scanner today, describing it as a purpose-built security layer for third-party AI Skills that evaluates risks before they reach user systems, wallets, or sensitive data.
The scanner evaluates five categories tied directly to emerging AI agent threats:
Users can submit a GitHub repository, URL, or ZIP file. The platform then returns a security score between 0 and 100 alongside pass, warn, or fail verdicts and a ranked list of findings.
According to CertiK, the system achieves up to 90.5% precision in identifying security risks.
One notable detail is the scanner’s focus on execution-stage behavior instead of relying only on static code analysis.
Several malicious AI skills appeared harmless during initial inspection and only activated dangerous behavior after installation or runtime execution. The Postmark MCP supply-chain attack is one example. The ClawHub malware campaign followed a similar pattern.
Static analysis alone probably would not have caught attacks like these.
CertiK said the scanner is designed for three primary groups:
- AI skill marketplaces that want to screen submissions before publication
- enterprises reviewing third-party tools before deployment
- independent developers performing self-audits before releasing skills publicly
Consumer-facing access remains on the roadmap.
The company also said the scanner supports both Web2 and Web3 environments.
That makes sense given how AI agents are increasingly interacting with wallets, APIs, internal systems, and sensitive user data regardless of whether blockchain infrastructure is involved.
>>> Read more: TrapDoor Malware Targets Crypto Developer Tools
Why CertiK Is Expanding Into AI Security
CertiK’s expansion into AI security builds on its background in smart contract auditing and Web3 infrastructure protection. It now applies these lessons to AI Agents.
Smart contracts execute autonomously, mistakes can become irreversible, and users often have limited visibility into underlying code behavior. AI agents increasingly operate under similar conditions. They often gain access to financial tools, file systems, email accounts, or production infrastructure.
The Skill Scanner launch follows CertiK’s earlier release of AI Auditor in April. That system identifies vulnerabilities in blockchain code during development and before deployment.
According to CertiK, AI Auditor achieved an 88.6% cumulative hit rate across 35 real-world Web3 security incidents from 2026. The company also reported relatively low false-positive rates.
The Skill Scanner launches roughly three months after the ClawHub compromise exposed weaknesses in public AI skill marketplaces. Platforms added retroactive scanning and VirusTotal integrations afterward, though the underlying publishing model largely stayed the same. Unverified skills could still enter public marketplaces.
CertiK is effectively betting that AI agents are entering the same stage previously seen with app stores, browser extensions, and open-source package registries.
>>> Read more: Fake Ledger App Steals $9.5M via Apple App Store
What Happens Next
AI agents are gradually receiving deeper access to financial systems, production environments, internal files, wallets, APIs, and enterprise infrastructure. At the same time, security controls governing third-party AI skills remain fragmented across much of the ecosystem.
The OWASP Agentic Skills Top 10, published earlier this year, formalized many of the risks researchers had already been tracking since January.
CertiK Skill Scanner does not fully solve the governance problem surrounding AI skills. Industry standards around code signing, behavioral sandboxing, marketplace review pipelines, and mandatory verification processes are still developing.
Even so, execution-focused scanning could become a baseline security requirement as AI agents gain broader autonomy.
The AI skill ecosystem is starting to face the same trust problems that shaped earlier software distribution platforms. Since many AI agents already have direct access to sensitive systems, financial infrastructure, and autonomous workflows, the stakes are considerably higher.
Readers’ frequently asked questions
What is Skill Scanner?
Skill Scanner is a security platform developed by CertiK to analyze AI Skills for malicious or risky behavior before they are deployed inside AI agent ecosystems. The system focuses on execution-stage threats such as data exfiltration, unauthorized shell commands, and suspicious network activity.
Why do AI Skills create security risks?
AI Skills can interact directly with wallets, APIs, enterprise systems, and sensitive data environments. If a malicious or compromised Skill gains access to these systems, it may execute harmful actions autonomously without immediate human oversight.
How is Skill Scanner different from traditional security scanning?
Traditional scanning tools often focus on static code analysis before deployment. Skill Scanner focuses more heavily on runtime and execution-stage behavior, helping detect threats that may only appear once an AI Skill is actively operating inside an agent environment.
What Is In It For You? Action items you might want to consider
Review third-party AI Skills before deployment
If your company is experimenting with AI agents or MCP integrations, review how third-party Skills are vetted before they gain access to internal systems, APIs, wallets, or sensitive workflows.
Monitor the security models of AI marketplaces
Public AI skill marketplaces are still developing their security standards. Pay attention to whether platforms use code signing, behavioral analysis, or verification systems before installing external Skills.
Treat AI agent security as an infrastructure issue
AI agents are increasingly connected to financial systems, enterprise tools, and autonomous workflows. That shifts AI security away from experimental tooling and closer to core infrastructure risk management.
