LLM agent plugins have no security review — and the framework itself makes them impossible to sandbox

A new open standard lets AI agents download specialized skills from community marketplaces without mandatory security checks. This means malicious or buggy code can run inside an agent with full access to whatever the agent can access — your data, your systems, your other applications.

Agent Skills is already in use across multiple platforms and has community marketplaces. The paper identifies seven categories of attack — from poisoned skills to privilege escalation — and shows that five confirmed security incidents have already happened. The core problem is architectural: the framework has no boundary between data and instructions, uses a single approval model that grants permanent trust, and has no mandatory marketplace review. These aren't bugs you can patch. They're design choices that would require rebuilding the standard to fix. Right now, anyone deploying agents with marketplace skills is running code they haven't audited, from sources they haven't vetted, with no way to revoke trust after deployment.