# 1. The AI Skill Supply-Chain Crisis

AI agent “skills” are executable supply-chain artifacts.

Most skill marketplaces lack standardized security vetting before installation.

Threat actors publish malicious skills disguised as:

* Trading bots
* Utility tools
* Productivity assistants
* Market data scrapers

These skills can:

* Steal credentials
* Drain wallets
* Exfiltrate environment variables
* Install backdoors
* Hijack agent behavior

Security failures happen **at install time**, not after. Post-install detection is too late.