Thousands of Malicious AI Skills Discovered, Threatening Data and Systems
ESET's latest report reveals over 25,000 malicious AI skills designed to steal data, execute malware, and manipulate AI agents, significantly expanding the AI attack surface.

ESET's H1 2026 Threat Report has uncovered a significant surge in malicious AI skills, with researchers identifying over 25,000 suspicious and more than 3,000 outright malicious skills among nearly 900,000 analyzed. This alarming discovery highlights the rapidly evolving threat landscape surrounding artificial intelligence agents, which are increasingly being weaponized by adversaries.
The analysis, conducted between March and May 2026, saw a dramatic increase in the number of unique AI skills scanned, jumping from 60,000 to nearly 900,000. Concurrently, suspicious skills grew from approximately 10,000 to over 25,000, while malicious skills saw a steep rise from around 600 to more than 3,000. These skills are designed to exploit the inherent capabilities of AI agents, such as web browsing, tool execution, and command processing, turning them into vectors for cyberattacks.
Researchers identified a range of dangerous capabilities embedded within these malicious skills. These include the ability to execute arbitrary commands on a compromised system, access and exfiltrate sensitive files, download and run third-party tools, steal credentials, inject malicious code, and employ obfuscation techniques to evade detection. While these capabilities can serve legitimate purposes, their inclusion in malicious skills allows attackers to automate reconnaissance, deploy malware, manipulate AI agent behavior, and gain unauthorized access to critical systems.
Beyond direct malicious intent, the report also flagged other concerning skill types. These include "red-team" skills, designed to mimic offensive security operations, self-modifying skills that can alter their own code to evade defenses, and "online purchasing" skills, potentially used for illicit transactions. Worryingly, some "security scanner" skills were found to perform only superficial checks, potentially providing users with a false sense of security.
Anton Mäčko, an ESET Malware Analyst, commented on the findings, stating, "AI skills can enable a wide range of agentic AI abuses, from automated reconnaissance and red-team-style attacks to spam generation, malware modification, and distribution. Adversaries will likely keep testing these approaches to bypass controls, including by obfuscating intent or using region-specific, niche, or constructed languages." This suggests a continuous cat-and-mouse game between attackers and defenders in the AI domain.
The report also detailed the expanding reach of techniques like ClickFix, which leverages fake error messages and verification prompts to trick users into executing malicious commands. Detections of ClickFix attacks surged by 108% between H2 2025 and H1 2026, spreading beyond fake CAPTCHAs to impact macOS, WordPress sites, browser extensions, AI-themed help pages, and enterprise authentication workflows. New variants such as "AI-fix," "CrashFix," and "ConsentFix" further demonstrate the adaptability of these social engineering tactics.
Furthermore, the report highlighted the record-breaking rise of QR code phishing (quishing), with approximately 11% of all detected phishing emails containing QR codes, leading to credential theft websites. Generative AI has also made its debut in Android malware with PromptSpy, which uses Google's Gemini model to manipulate device interfaces for persistence and data theft. Ransomware groups are also intensifying their use of EDR killers to disable security software before deploying their payloads, indicating a multi-faceted and aggressive threat landscape.
This comprehensive report from ESET underscores the urgent need for enhanced security measures and vigilance as AI technologies become more integrated into daily workflows and enterprise operations. The proliferation of malicious AI skills presents a new frontier in cyber threats, demanding innovative defense strategies to protect against data breaches, malware infections, and system compromises.