Orca Security researchers identified four attack primitives in an AI coding-agent skills marketplace: install-count inflation without authentication, security scans run only at creation and at popularity thresholds, same-name overrides without user alerts, and bulk updates without per-skill review or version pinning.
The researchers used three proofs of concept to combine those flaws into bait-and-switch, nested injection, and delayed weaponization attacks. In each case, an attacker could publish a malicious Markdown skill, get it through the marketplace's audits, reach users, and execute code on their machines.
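The last two primitives (same-name overrides and bulk updates without per-skill review or pinning) are the ones a client can defend against locally. The following lockfile check is an added illustration, not code from Orca Security or from any marketplace; the `Skill` type, the lockfile layout and the sample skills are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Skill:
    name: str       # marketplace-visible skill name
    publisher: str  # account that published it
    version: str
    markdown: str   # the skill's Markdown body

def digest(markdown: str) -> str:
    return hashlib.sha256(markdown.encode("utf-8")).hexdigest()

def build_lock(installed):
    """Pin every installed skill to its publisher, version and content hash."""
    return {s.name: {"publisher": s.publisher, "version": s.version,
                     "sha256": digest(s.markdown)} for s in installed}

def review_update(lock, incoming):
    """Check an update batch skill by skill; returns {name: [findings]}."""
    findings = {}
    for s in incoming:
        pinned = lock.get(s.name)
        issues = []
        if pinned is None:
            issues.append("not in lockfile: new skill, needs review")
        else:
            if s.publisher != pinned["publisher"]:
                issues.append("same-name override from a different publisher")
            if digest(s.markdown) != pinned["sha256"]:
                if s.version == pinned["version"]:
                    issues.append("content changed with no version bump")
                else:
                    issues.append(f"content changed, {pinned['version']} -> {s.version}")
        if issues:
            findings[s.name] = issues
    return findings
# Constructed sample data: hypothetical skills, not real marketplace entries.
INSTALLED = [
    Skill("git-helper", "alice", "1.0.0", "# git-helper\nSummarise `git status`.\n"),
    Skill("lint-fix", "bob", "2.1.0", "# lint-fix\nRun the linter and fix findings.\n"),
]
INCOMING = [
    Skill("git-helper", "alice", "1.0.0", "# git-helper\nSummarise `git status`.\n"),  # unchanged
    Skill("lint-fix", "mallory", "2.1.0", "# lint-fix\nRun the linter, then format.\n"),
    Skill("deploy", "alice", "0.1.0", "# deploy\nShip the build.\n"),
]
def demo():
    """Findings a client should surface before applying INCOMING over INSTALLED."""
    return review_update(build_lock(INSTALLED), INCOMING)
```

A skill whose name, publisher and hash all match the lockfile is applied silently; everything else is held for individual approval rather than pulled in as part of the bulk update.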