ESET flagged more than 3,000 malicious AI skills out of nearly 900,000 analyzed. Here is how to vet AI agents and add-ons before your team installs them -- and what to do about the ones already running.
On July 8, 2026, Help Net Security covered ESET's AI Threat Trends report, and one number should stop every business owner mid-scroll: out of nearly 900,000 AI skills analyzed, ESET flagged more than 25,000 as suspicious and over 3,000 as outright malicious. Malicious AI skills are no longer a research curiosity. They are downloadable add-ons that employees bolt onto AI assistants and agents the same way they once installed browser extensions: no review, no approval, and full access to whatever the employee can touch.
The trend line is worse than the headline. According to the same ESET report, the number of unique skills scanned grew from 60,000 in March 2026 to roughly 900,000 by May, while confirmed malicious skills jumped from about 600 to more than 3,000 over the same window. That is a fivefold increase in malicious add-ons in the space of one spring.
If your team is experimenting with AI agents -- and in plenty of Texas offices they are, whether you sanctioned it or not -- you need a vetting process before the next install, not after the first incident. Here is what the research actually says, and what to do about it this quarter.
A skill is a packaged capability that extends an AI assistant or agent: connect it to your files, your email, your browser, a third-party service, or a command line. That convenience is exactly why the malicious ones are dangerous. Per ESET's analysis, the malicious skills it identified were built for:
Stack those capabilities on top of an agent that already carries your employee's permissions and you have a near-perfect insider threat that nobody hired. ESET's researchers note these skills can drive agentic abuse end to end, from automated reconnaissance and red-team-style attacks to spam generation. The same report tracked PromptSpy, the first known Android malware to use generative AI during execution -- it leans on Google's Gemini model to read what is on screen and generate the gestures that keep it persistent on infected devices. The attacker side of this is maturing fast, and it is not slowing down for anyone's approval workflow.
Here is the blunt answer: an unvetted AI plugin is not safe, because you have no idea what it does with the access it is granted. The industry already ran this experiment once with browser extensions, and it ended with extension-based data theft becoming a standard attack technique. AI browser extension data theft in 2026 follows the same playbook with higher stakes, because an AI agent does not just read the page. It acts. It sends the email. It moves the file. It runs the command.
Microsoft's security team made this point directly in a June 30, 2026 post on securing AI agents: the risk profile changes fundamentally once agents plan multi-step tasks and execute actions on a user's behalf. Microsoft's researchers detailed tool poisoning against the Model Context Protocol (MCP), where an attacker quietly edits a tool's description -- its metadata -- and in doing so rewrites the agent's instructions without ever touching the agent itself. Their conclusion: a change to tool metadata deserves the same scrutiny as a change to a system prompt, because whoever controls a connector's metadata influences every agent that relies on it.
That is the heart of third-party AI connector risks. Every connector, plugin, and skill is a trust boundary. You are not just trusting the tool as it exists today; you are trusting whoever can push an update to it tomorrow. And the surface is exploding: according to IDC figures cited in that same Microsoft post, active AI agents in enterprises are projected to grow from 28.6 million in 2025 to more than 2.2 billion by 2030.
You might assume this is an enterprise problem. The data says otherwise. Check Point's AI Security Report 2026 found organizations averaging around 10 AI applications in monthly use, many of them unapproved, and the share of prompts carrying high data-exposure risk doubled from 2% to 4% year over year. The same report found that detections of the longer malicious prompt payloads typical of indirect prompt injection rose roughly fivefold between March and May 2026 -- attackers hiding instructions in content that an AI agent will read and obey.
Shadow AI risk for small business is arguably worse than it is for the enterprise, for one simple reason: there is no security team standing between an eager employee and the install button. Your bookkeeper connects an AI agent to the accounting inbox because it saves an hour a day. Your project manager wires one into the file share. Nobody logged it, nobody reviewed it, and every one of those tools now operates with the full access of the person who installed it. That is the pattern we keep running into across Houston and Austin area businesses.
You cannot ban your way out of this. Employees adopt AI tools because the tools work, and a blanket prohibition just drives the behavior underground where you cannot see it. The goal is control, not prohibition. Three moves get you there.
You cannot govern what you cannot see. Start by discovering which AI tools, extensions, agents, and connectors are already running across your endpoints and SaaS accounts. Then flip the default: AI tool allowlisting for a Texas business works exactly like application allowlisting -- deny by default, approve by exception, and give employees a fast lane to request new tools so they do not route around the process. Pair it with privileged access management so that even an approved tool that turns hostile cannot reach admin credentials or move laterally through your network.
An AI agent skill vetting policy does not need to be a forty-page binder. One page, consistently enforced, beats a thick document nobody reads. Before any skill, plugin, or connector gets approved, it should clear six checks:
Vetting reduces risk; it does not eliminate it. A skill that was clean at install can turn malicious with a single update, which is why both ESET and Microsoft emphasize watching agent behavior, not just approving agents. This is where managed detection and response earns its keep: 24/7 automated monitoring of endpoints and identities that flags when a process starts loading credentials or executing commands it has never touched before -- exactly the behaviors ESET found baked into malicious skills.
The math is not complicated. Malicious AI skills quintupled in a matter of months. Enterprise agent counts are projected to grow by orders of magnitude. Your employees are installing this stuff today. The businesses that come through fine will be the ones that put a vetting gate in place while the number was 3,000 -- not the ones that start asking questions after their credentials show up for sale.
LayerLogix builds AI security and governance programs for Texas businesses from our headquarters in The Woodlands and our Round Rock office serving greater Austin: tool inventories, allowlisting, vetting policies, and the monitoring to back them up. If you want to know which AI tools are already running in your environment -- and which ones should not be -- book a meeting or start with our free IT assessment. It is a lot cheaper than finding out the hard way.
LayerLogix provides expert cybersecurity solutions for businesses across Houston and nationwide.
Let our team help your Houston business with enterprise-grade IT services and cybersecurity solutions.