OWASP Agentic Skills Top 10: A Security Guide to AI Agent Skills Risks
The OWASP Agentic Skills Top 10 (AST01-AST10) names the risks in AI agent skills. This guide walks every risk and how to govern the skills layer.
Research, product, and perspective on governing AI agents, MCP servers, and everything loaded into them.
The state of enterprise AI security in 2026: agents in production, MCP everywhere, skills as supply chain, and what security teams should do about it.
The OWASP Agentic Skills Top 10 (AST01-AST10) names the risks in AI agent skills. This guide walks every risk and how to govern the skills layer.
Enterprise AI security spans agents, MCP, skills, browser AI, identity, and supply chain. This complete guide maps the attack surface, controls, and program roadmap.
Shadow AI detection combines network, CASB, endpoint, browser, and identity signals to find unsanctioned AI. Here are the techniques, blind spots, and best practices.
Shadow AI is the unsanctioned AI tools, agents, and MCP servers employees use without security review. Here is what it is, why it emerged, and how to govern it.
A curated reference of the MCP servers developers actually use, the access each one grants, and what a security team should verify before allowing them.
A categorized reference of the AI apps used in enterprises today - grouped by function, with the primary data-exposure risk each category carries.
AI agent skills are markdown plus code that load into an agent and run with its full permissions. This primer explains the security surface and how to see it.
AI agent security protects autonomous AI agents from misuse and attack. This practical guide covers the threat model and a control stack across the agent lifecycle.
AI discovery finds every AI agent, MCP server, and artifact in your environment. This enterprise buyer's guide covers evaluation criteria, build vs buy, and vendor questions.
A reference to the most common AI browser extensions and their real security risks - broad page access, third-party data flows, and prompt injection.
SkillJacking takes over abandoned dependencies an agent skill relies on, seizing control of code that runs inside thousands of AI agents without ever touching the skill itself.
AI identity security is the practice of giving AI agents scoped, verifiable, short-lived identities. Here is what those identities are and how to govern them.
MCP security is the practice of governing how AI agents connect to tools and data through MCP servers. Here is what MCP is and why it is a security surface.
The permissions AI agents, MCP servers, and skills request most - filesystem, shell, network, OAuth scopes, secrets, browser - and how to scope each to least privilege.
Malicious agent skills combine hidden code payloads with natural-language instruction attacks. A USENIX 2026 study of 98,380 skills confirmed 157 malicious ones carrying 632 vulnerabilities.
AI access control decides what agents can do and reach. This guide covers RBAC, ABAC, policy-based authorization, JIT access, and least privilege for AI.
An AI governance framework for enterprises built on four pillars - visibility, policy, enforcement, and audit - mapped to NIST AI RMF, ISO 42001, and the EU AI Act.
AI OAuth risk explained: how AI agents and MCP turn consent screens, tokens, and grants into a new attack surface, and the controls that contain it.
A practical enterprise playbook for vetting AI agent skills before they run on your fleet, plus why one-time approval fails and continuous re-vetting is mandatory.
Browser AI security covers the risks of AI extensions, copilots, and agentic browsers - and the controls that keep corporate data from leaking through them.
Shadow AI by department: a qualitative look at where unsanctioned AI shows up across engineering, marketing, sales, finance, HR, legal, and support.
Least privilege for agent skills means scoping each skill's capability, cleaning its metadata, and isolating it from the host - because a skill runs with the agent's full permissions.
LLMjacking is credential theft aimed at your model bill: attackers steal cloud LLM keys and run inference at your expense. Here is how to see it and stop it.
Slopsquatting weaponizes LLM package hallucinations: attackers pre-register the fake names your AI assistant invents. Here is how it works and how to stop it.
Agent-to-agent security is about the trust boundaries between agents. Here is how A2A systems fail - transitive injection, confused deputy, weak auth - and the controls that hold.
Computer-use and browser agents act on untrusted web content with real mouse, keyboard, and screen access. Here is the lethal trifecta at the UI layer and how to contain it.
Shadow AI data exposure is now the top enterprise exfiltration channel. What employees paste into ChatGPT, Claude, and Copilot, by the numbers, and why DLP misses it.
Four production AI agent exfiltration disclosures in one week proved the lethal trifecta is a config property, not a bug. Why Notion, Superhuman, and Cowork fell.
Secrets management for AI agents breaks the human-in-the-loop model. Here is why the .env file must die and the five practices that replace it.
A practitioner's guide to AI agent monitoring: collecting runtime signals, building behavioral baselines with SPC/EWMA, and detecting drift before it becomes a breach.
An OWASP LLM security controls checklist mapping LLM01-10 and Agentic ASI01-10 to preventive, detective, and agent and MCP-layer monitoring controls.
OpenClaw security crisis explained: CVE-2026-25253 one-click RCE, the ClawHavoc skill supply chain, the Moltbook leak, and how to govern shadow AI agents.
OAuth for MCP servers explained: how the 2026 MCP authorization spec uses OAuth 2.1, PKCE, RFC 8707 resource indicators, and why token passthrough is forbidden.
A CISO's guide to non-human identity governance: the NHI lifecycle, OWASP NHI Top 10, real breaches, and why AI agents and MCP clients break legacy models.
The lethal trifecta for AI agents - private data, untrusted content, external comms - turns prompt injection into data theft. Break the chain by removing one leg.
Least privilege for AI agents means scoped, time-limited, per-session credentials. Here is why most agent identities are over-privileged and how to fix it.
Indirect prompt injection hides attacker instructions in content an AI agent reads. Why it is unpatchable, how it hits MCP and RAG, and the controls that hold.
How to build an MCP server registry that vets, pins, and governs Model Context Protocol servers at scale, plus the lifecycle and controls a security team needs.
A step-by-step guide to building an AI agent inventory: the five discovery domains, the registry schema, and the risk tiers security teams need to govern agents and MCP.
GDPR for AI agents in practice: how lawful basis, consent, purpose limitation, and the right to erasure apply when an autonomous agent processes personal data.
DLP for AI agents needs more than regex. Learn why legacy data loss prevention misses prompts and MCP calls, and what AI-native inspection and ABAC require.
ShareLeak (CVE-2026-21520) and PipeLeak show how Copilot Studio prompt injection and Agentforce form fields exfiltrate private data through the agent's own tools.
AI agent memory poisoning explained: how attackers plant persistent instructions in agent memory that survive resets and re-fire across future sessions, and how to defend.
An AI agent incident response playbook: detection signals, kill switch vs scoped safe mode, pause vs revoke, blast-radius mapping, and evidence preservation.
An AI agent audit trail must log intent and action, not just tool calls. Learn the schema, immutability, and MCP fields a security team needs for forensics.
An AI acceptable use policy that reduces shadow AI instead of pushing it underground: tiered tool taxonomy, data classification, MCP approval, real enforcement.
A security team's breakdown of the OWASP Top 10 for LLM applications (2025): the full taxonomy, what changed, and how each risk maps to AI agents and MCP servers.
The OWASP Top 10 for Agentic Applications (ASI01-ASI10, 2026) explained: what each agent risk means, how it maps to MCP servers, and how to operationalize it.
OWASP AIVSS scores agentic AI vulnerabilities by extending CVSS with an agentic uplift. A guide to the taxonomy, the v0.8 formula, and how to operationalize it.
A practical guide to the NIST AI RMF (Govern, Map, Measure, Manage) for security teams, applied to autonomous AI agents and MCP servers across the fleet.
MITRE ATLAS is the adversary-TTP knowledge base for AI systems. This guide maps its tactics and techniques to real agent and MCP server attacks for 2026.
A practical, evergreen guide to ISO 42001 AI governance: the AIMS structure, Annex A controls, and how to operationalize them for AI agents and MCP servers.
A security leader's guide to the IBM AI Risk Atlas: its taxonomy, its agentic risk items, and how to operationalize it for AI agents and MCP servers.
A practical guide to the EU AI Act for AI agents: risk tiers, provider and deployer obligations, the 2025-2027 timeline, and what security teams must monitor.
A practical guide to the CSA AICM: its 18 domains, 243 control objectives, and how its agentic controls govern AI agents and MCP servers.
A reference guide to the Cisco AI security framework: its four-layer threat taxonomy, embedded MCP, A2A, and supply-chain models, and what it means for agents.
Claude Code, Codex, and Cursor each gate agent actions differently: deny-first rules, an OS sandbox, and an allowlist plus LLM classifier. Side by side.
What Cursor leaves on the endpoint: .cursorrules and .cursor/rules/, ~/.cursor/mcp.json servers, and Open VSX extensions that drift off any allowlist.
AI supply-chain attacks now poison the agent config layer. Sonatype found 454,600+ malicious packages in 2025, 99% on npm. A defender's guide.
Securing AI coding agents and CLIs in 2026: with 84% developer adoption, the inventory, runtime-governance and audit playbook for security teams.
Securing LLM gateways: the 2026 guide to the LiteLLM, vLLM, Ollama and LightLLM attack surface - with 175,000 Ollama hosts already exposed publicly.
Cursor admins can enforce Privacy Mode org-wide and re-verify it every 5 minutes, but the control plane stops at the local MCP and extension layer.
One framework to govern AI coding assistants: inventory, set policy, and audit Claude Code, OpenAI Codex, and GitHub Copilot across your fleet.
CVE-2026-46519 (CVSS 8.8): mcp-server-kubernetes enforces tool limits at tools/list, not tools/call, so any client can run kubectl_delete. Fix in v3.6.0.
Cursor auto-run lets the agent run shell and apply edits unattended. Why the allowlist, denylist, and file-delete checkbox route around - and what holds.
A team GitHub Copilot code review workflow: inline vs chat, validating suggestions, layering scanning, and a 90-day audit of every Copilot endpoint.
A practitioner guide to governing GitHub Copilot: org policies, the public-code filter, content exclusion limits, and the 180-day audit log.
When Codex runs danger-full-access with approval_policy never, the sandbox and prompts are gone, network is on, and one trust click is your only control.
MCP server security in 2026: the attack surface, the CVE wave, MCP trust tiers, and how to inventory and govern every MCP server across your fleet.
CVE-2026-42271: a LiteLLM RCE (CVSS 8.7) in the MCP-preview endpoints, chained with CVE-2026-48710 for unauthenticated RCE. Fixed in LiteLLM 1.83.7.
OpenAI Codex runs in three places with three different sandboxes. In cloud, agent-phase internet is off by default; on the CLI it depends on one TOML key.
OpenAI Codex governance for a fleet: baseline sandbox/approval floor, repo trust tiers, secret handling, and the audit requirements.toml leaves open.
The Hades wave shipped 37 malicious wheels across 19 PyPI packages using *-setup.pth startup hooks that run a Bun credential stealer on every Python run.
Deploying Claude Code across a fleet: the five-layer settings hierarchy, vetting MCP servers across three scopes, CLAUDE.md, and the visibility gap.
OpenAI Codex isolates the agent phase with no network by default and strips secrets before it runs-but the fleet still owns approval drift and audit.
What we find auditing Claude Code on managed laptops: settings.json allow/deny drift, registry MCP servers, plugins, skills, and PreToolUse hooks.
A practitioner guide to securing OpenAI Codex: pick sandbox plus approval combinations, why secrets are dropped before the agent phase, and a hardening checklist.
Claude Code's --dangerously-skip-permissions skips the prompts, not PreToolUse hooks, deny rules, or the rm -rf circuit breaker. What CI loses.
A practitioner guide to Claude Code permissions hardening: allow/deny rules, the four path anchors, a PreToolUse deny hook, and a 12-item checklist.
GitHub Copilot best practices for security teams: prompting, validate-before-implement, CodeQL scanning, the 65-lexeme public-code filter, and governance.
How Claude Code evaluates permissions: rules fire deny then ask then allow, and a PreToolUse hook can never override a matching deny or ask.
A practitioner guide to OpenAI Codex use cases - PR review, refactors, migrations, security scans - and the sandbox and approval settings each one needs.
The Miasma 'Phantom Gyp' npm worm abuses a 157-byte binding.gyp to run code at install, hitting 57 packages across 286+ versions in under two hours.
How Claude Code works for security teams: the agentic loop, five tool categories, and governing the PreToolUse hook with a 90-day audit trail.
Why we built Anomity: AI agent adoption outran governance, and the endpoint is the layer Network, EDR, DLP, and GRC were never designed to see.
claude-code-action before v1.0.94 (CVSS 4.0 7.8): a [bot] actor check let attackers bypass the human gate and exfiltrate CI secrets. Patched in 4 days.
CVE-2026-23744 is a critical RCE in MCPJam Inspector ≤ 1.4.2: it binds 0.0.0.0 and a crafted request triggers an MCP server install and code execution.
TrapDoor, disclosed May 2026, spread credential-stealing malware across 34+ packages and 384+ versions on npm, PyPI, and Crates.io and poisoned AI agents.
CVE-2026-47101 (CVSS 8.8): a LiteLLM internal_user can mint a key with admin-only allowed_routes and escalate to proxy_admin. Fixed in LiteLLM 1.83.14.
CVE-2026-47102 (CVSS 8.8): a LiteLLM org_admin can POST /user/update to set their own user_role to proxy_admin for full proxy control. Fixed in 1.83.10.
CVE-2026-46701: Network-AI's MCP SSE server defaults to an empty secret, so auth passes for everyone, and wildcard CORS lets any page call its 22 tools.
CVE-2026-48710 (BadHost) is a Starlette host-header auth bypass before 1.0.1, reaching FastAPI, vLLM, LiteLLM, and MCP servers. Fixed in Starlette 1.0.1.
Comment and Control prompt injection turned three CI coding agents into credential thieves via PR comments; the Anthropic finding rated CVSS 9.4 Critical.
CVE-2026-35394: Mobile MCP intent injection before v0.0.50 passes any URI scheme to Android intents, enabling tel: USSD codes, calls, and SMS.
How the Anomity Endpoint Sensor discovers every AI agent, MCP server, extension, and secret on an endpoint, then classifies and governs them from the cloud.
CVE-2026-45321: the Mini Shai-Hulud wave hit 42 @tanstack packages across 84 versions plus 170+ npm/PyPI packages to steal CI/CD and cloud secrets.
GHSA-wvr4-3wq4-gpc5: MCP Connect's /bridge endpoint is unauthenticated by default in mcp-bridge up to 2.0.0, letting any network attacker run OS commands.
CVE-2026-7482 (Bleeding Llama) is a CVSS 9.1 unauthenticated heap read in Ollama before 0.17.1 that leaks prompts and API keys from ~300k servers.
GHSA-wpqr-6v78-jr5g (CVSS 10.0): an unprivileged PR or issue could load attacker-controlled .gemini config and run shell commands on a CI runner.
The recurring risks hiding in AI agent configs on managed endpoints: plaintext secrets, blanket permission grants, unvetted MCP servers, and off-allowlist extensions.
CVE-2026-33626: an SSRF in LMDeploy's vision image loader, exploited against honeypots 12 hours after disclosure. Fixed in 0.12.3 - what to check.
CVE-2026-42208 is a CVSS 9.3 pre-auth SQL injection in LiteLLM Proxy 1.81.16-1.83.6 that reads upstream provider keys. Exploited in 36h; fix in 1.83.7.
MCP By Design (OX Security): the STDIO transport runs any process command on the host, tying ~7,000 public servers and 10+ CVEs to one root cause.
nginx-ui MCP authentication bypass: CVE-2026-33032 (CVSS 9.8) lets any network attacker invoke every MCP tool via /mcp_message. Fixed in nginx-ui 2.3.4.
PolinRider DPRK npm supply chain campaign compromised 1,951 GitHub repositories across 1,047 owners by appending obfuscated JavaScript to config files.
CVE-2026-5530: an SSRF in Ollama through 0.18.1. A crafted registry URL on the Model Pull API forces outbound requests. No vendor fix; exploited.
OpenAI Codex ran shell from an unsanitized Git branch name, hidden behind 94 U+3000 spaces, capturing the GitHub access token. Fixed January 2026.
CVE-2026-27893 is a CVSS 8.8 RCE in vLLM 0.10.1 through before 0.18.0: hardcoded trust_remote_code=True overrides the operator opt-out. Fixed in 0.18.0.
CVE-2026-22778 is a CVSS 9.8 pre-auth RCE chain in vLLM 0.8.3-0.14.0: a video_url leaks a heap address, then a JPEG2000 overflow runs code. Fix: 0.14.1.
Malicious LiteLLM releases 1.82.7 and 1.82.8 shipped a .pth file that ran on every Python startup to harvest credentials. What to check on your fleet.
GHSA-vrxg-gm77-7q5g: Windows-MCP before v0.7.5 binds an unauthenticated HTTP transport on port 8000 with wildcard CORS, yielding remote PowerShell RCE.
AI agents and MCP servers are adopted bottom-up, carry their own permissions, and report to no one in security. They are the new shadow IT.
WeKnora unauthenticated RCE: CVE-2026-30861 (CVSS 9.9) bypasses the MCP STDIO command allowlist via npx -p node. Patched in WeKnora v0.2.10.
EclecticIQ tracked a March 2026 SEO-poisoning campaign of 30+ domains pushing fake Gemini CLI and Claude Code installers that ran a fileless stealer.
CVE-2025-59536 and CVE-2026-21852: a cloned repo's .claude/settings.json ran code and leaked the Anthropic API key before the Claude Code trust prompt.
mcp-atlassian RCE: CVE-2026-27825 (MCPwnfluence) chains unauthenticated SSRF and path traversal to root code execution in versions below 0.17.0.
CVE-2026-22688: an authenticated WeKnora user controls the MCP STDIO command/args, gaining process execution on the server. Patched in v0.2.5.
On February 17, 2026 an attacker stole the Cline CLI's npm publish token via a prompt-injection-and-cache-poisoning chain in its GitHub Actions workflows and shipped an unauthorized [email protected] release (with an openclaw-installing postinstall script). The VS Code extension was not affected. No CVE (tracked as GHSA-9ppg-jx86-fqw7).
CVE-2026-26220 is a CVSS 9.3 unauthenticated pickle deserialization RCE in LightLLM 1.1.0 PD WebSockets. A broken empty-string nonce disabled the check.
CVE-2026-26268 (CVSS 9.9): a Cursor sandbox escape let a malicious agent write Git hooks, so a routine Git op ran code outside the sandbox. Fixed in 2.5.
CVE-2026-22252: a command injection in LibreChat's MCP STDIO transport lets any authenticated user run shell commands as root. Fixed in v0.8.2-rc2.
GreyNoise's Ollama honeypots logged 91,403 attack sessions (Oct 2025-Jan 2026) probing 73+ LLM endpoints and abusing model-pull SSRF. 80,469 in 11 days.
Shai-Hulud 2.0, identified November 24 2025, is a self-replicating npm worm that backdoored 796 packages and runs a credential stealer during preinstall.
CVE-2025-62164 is a memory-corruption flaw in vLLM 0.10.2 to before 0.11.1 that deserializes prompt-embeds via torch.load(), enabling DoS and maybe RCE.
CVE-2025-53773: indirect prompt injection makes GitHub Copilot write chat.tools.autoApprove into .vscode/settings.json, flipping VS Code to YOLO-mode RCE.
CVE-2025-54136 (CVSS 7.2): MCPoison tied Cursor's MCP approval to a server name, not its contents - a later swap ran without re-approval. Fixed in 1.3.
CVE-2025-54135 (CVSS 8.5): CurXecute let prompt injection write Cursor's .cursor/mcp.json and auto-run commands before approval. RCE in Cursor 1.2.1.
Tracebit found Google Gemini CLI before 0.1.14 ran hidden chained shell commands past its allowlist, exfiltrating env vars two days after release.
GHSA-7g7f-ff96-5gcw: a wiper prompt shipped in Amazon Q Developer for VS Code 1.84.0 told the agent to delete home files and AWS resources. Fix: 1.85.0.
CVE-2025-6514: an mcp-remote command injection (CVSS 9.6) lets an untrusted MCP server run OS commands on the connecting client. Fixed in 0.1.16.
CVE-2025-49596: an unauthenticated CVSS 9.4 RCE in MCP Inspector below 0.14.1 (credited to Tenable Research) - a malicious webpage runs code on a developer host.
Invariant Labs' Tool Poisoning Attack (April 1, 2025): hidden instructions in MCP tool descriptions steer the model; a 2025 academic survey of 1,899 open-source MCP servers found ~5.5% carried tool poisoning.
CVE-2024-6587 is a CVSS 7.5 SSRF in LiteLLM through 1.38.10: a caller-set api_base made the proxy forward the provider key. Fixed in 1.44.8.