AgentGuard Advisor
Public advisories tracked by AgentGuard. Each entry covers a known malicious skill, plugin, MCP server, supply-chain package, phishing URL, or prompt-injection payload. Subscribers get them in real time and their agents self-check automatically.
| Advisory | Severity | Type | Date | Summary |
|---|---|---|---|---|
| AGS-2026-0027 | critical | Skill | 5/25/2026 | TEST OpenClaw native xurl skill validation and threat simulation |
| AGS-2026-0024 | high | Skill | 5/22/2026 | xurl skill vulnerable to SSRF, allowing local file read and credential exfiltration via webhook |
| AGS-2026-0023 | high | Skill | 5/22/2026 | xurl skill vulnerable to SSRF, allowing local file read and credential exfiltration via webhook |
| AGS-2026-0022 | high | Skill | 5/22/2026 | xurl skill vulnerable to SSRF, allowing local file read and credential exfiltration via webhook |
| AGS-2026-0021 | critical | Skill | 5/21/2026 | xurl skill vulnerable to SSRF, allowing local file read and credential exfiltration via webhook |
| AGS-2026-0006 | critical | Skill | 5/14/2026 | ToxicSkills — 1,467 malicious payloads across 3,984 audited agent skills (Snyk) |
| AGS-2026-0007 | critical | Skill | 5/14/2026 | ClawHavoc — 341 malicious skills discovered in the ClawHub registry (Feb 2026) |
| AGS-2026-0009 | critical | MCP server | 5/14/2026 | Anthropic Git MCP server — three flaws enabling file access + RCE (CVE-2025-68143/68144/68145) |
| AGS-2026-0011 | critical | MCP server | 5/14/2026 | Windsurf zero-interaction prompt-injection RCE (CVE-2026-30615) |
| AGS-2026-0013 | critical | Plugin | 5/14/2026 | VS Code extensions 'ChatGPT 中文版' + 'ChatMoss' exfiltrate file contents — 1.5M installs |
| AGS-2026-0015 | high | Plugin | 5/14/2026 | Claude Code RCE + API token exfiltration via project files (CVE-2025-59536 / CVE-2026-21852) |
| AGS-2026-0017 | high | URL / phishing | 5/14/2026 | buepux.com — BNB Chain 'verify assets' wallet drainer (added May 3, 2026) |
| AGS-2026-0001 | critical | Supply chain | 5/14/2026 | Mini Shai-Hulud npm worm compromises TanStack, Mistral AI, UiPath — 160+ packages |
| AGS-2026-0008 | high | Skill | 5/14/2026 | Weaponized Claude Skills deliver MedusaLocker ransomware (Cato CTRL) |
| AGS-2026-0010 | critical | MCP server | 5/14/2026 | Architectural MCP RCE — 200k vulnerable servers, 150M+ downloads affected (OX Security) |
| AGS-2026-0012 | high | MCP server | 5/14/2026 | GitHub MCP integration hijacked via malicious issues (Invariant Labs) |
| AGS-2026-0014 | high | Plugin | 5/14/2026 | HelixGuard finds 12 malicious VS Code marketplace extensions — 4 still live |
| AGS-2026-0016 | critical | URL / phishing | 5/14/2026 | web-phantoms.app — active Solana wallet drainer impersonating Phantom |
| AGS-2026-0018 | high | URL / phishing | 5/14/2026 | MetaMask 'mandatory 2026 upgrade' email phishing campaign — $107K+ drained |
| AGS-2026-0020 | critical | Prompt injection | 5/14/2026 | Web-based indirect prompt injection in agent browsing — observed in the wild (Unit 42) |
| AGS-2026-0019 | high | Prompt injection | 5/14/2026 | Indirect prompt injection via AGENTS.md / README files coerces agent tool calls |
| AGS-2026-0002 | critical | Supply chain | 5/14/2026 | SAP-related npm packages compromised by Mini Shai-Hulud (April 29, 2026) |
| AGS-2026-0003 | high | Supply chain | 5/14/2026 | PyTorch Lightning malicious versions 2.6.2 and 2.6.3 (April 30, 2026) |
| AGS-2026-0004 | critical | Supply chain | 5/14/2026 | LiteLLM PyPI compromise — multi-stage credential stealer + dropper (March 2026) |
| AGS-2026-0005 | high | Supply chain | 5/14/2026 | Telnyx PyPI versions 4.87.1/4.87.2 hide credential stealer inside a WAV file (March 27, 2026) |
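The intro says subscribed agents "self-check automatically"; the supply-chain entries AGS-2026-0003 and AGS-2026-0005 are the kind of advisory such a check consumes, because they name exact malicious versions. The script below is an added example of that check, not AgentGuard's client and not the feed's real schema: the two feed entries are constructed from the page's own text, the PyPI project names `pytorch-lightning` and `telnyx` are assumptions, and matching is by exact version string against either a pinned requirements/`pip freeze` text or the running interpreter's installed distributions.

```python
"""Offline self-check of installed Python packages against an advisory feed.

Added example (not AgentGuard's client code). The feed entries below are
constructed from two advisories on this page; the PyPI project names and the
feed's field layout are assumptions made for the illustration.
"""
from __future__ import annotations

import re
from importlib import metadata

# Constructed feed: only the fields an exact-version match needs.
ADVISORIES = [
    {"id": "AGS-2026-0003", "ecosystem": "pypi", "package": "pytorch-lightning",
     "versions": ["2.6.2", "2.6.3"],
     "title": "PyTorch Lightning malicious versions 2.6.2 and 2.6.3"},
    {"id": "AGS-2026-0005", "ecosystem": "pypi", "package": "telnyx",
     "versions": ["4.87.1", "4.87.2"],
     "title": "Telnyx PyPI versions hide credential stealer inside a WAV file"},
]


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'PyTorch_Lightning' == 'pytorch-lightning'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_freeze(text: str) -> dict[str, str]:
    """Parse 'name==version' lines (pip freeze / pinned requirements).

    Comments and non-exact specifiers (>=, ~=, URLs) are skipped: without an
    exact pin there is no version to compare against the feed.
    """
    pins: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)", line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def installed_packages() -> dict[str, str]:
    """Snapshot of the running interpreter's environment, same shape as parse_freeze()."""
    result: dict[str, str] = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:  # broken dist-info directories can lack a Name field
            result[normalize(name)] = dist.version
    return result


def self_check(installed: dict[str, str], advisories=ADVISORIES) -> list[dict]:
    """Return one finding per installed package whose exact version an advisory names."""
    bad: dict[str, dict[str, dict]] = {}
    for adv in advisories:
        if adv["ecosystem"] != "pypi":
            continue
        for version in adv["versions"]:
            bad.setdefault(normalize(adv["package"]), {})[version] = adv
    findings = []
    for name, version in installed.items():
        adv = bad.get(name, {}).get(version)
        if adv:
            findings.append({"advisory": adv["id"], "package": name,
                             "version": version, "title": adv["title"]})
    return sorted(findings, key=lambda f: f["advisory"])


if __name__ == "__main__":
    for f in self_check(installed_packages()):
        print(f"{f['advisory']}: {f['package']}=={f['version']} ({f['title']})")
```

Exact-string matching is deliberate: the advisories name specific released versions, so a range comparison would only add false positives. A lockfile check before install (`parse_freeze`) and an environment check after install (`installed_packages`) catch the two moments at which a poisoned release enters an agent's runtime.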
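Five of the entries above (AGS-2026-0021 through 0024 and the 0027 test entry) concern an SSRF in a URL-fetching skill that yields local file read and credential exfiltration. The check below is an added example of the destination validation such a skill needs before it fetches anything; it is not the xurl skill's code and assumes nothing about that skill's internals. It refuses non-HTTP schemes (so `file://` cannot read local files), URLs carrying embedded credentials, and any host that resolves to loopback, private, link-local (cloud metadata), or otherwise non-public addresses, including IPv4-mapped IPv6 forms. The `resolve` parameter is injectable so the check runs offline; the default uses the system resolver.

```python
"""Destination check for a URL-fetching agent skill (added example, not the
xurl skill's code). Guards the SSRF class behind the xurl advisories above."""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolve(host: str) -> list[str]:
    """Resolve a hostname to all of its A/AAAA addresses via the OS resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str,
                       resolve: Callable[[str], Iterable[str]] = system_resolve):
    """Return (True, [addresses]) if the URL may be fetched, else (False, reason).

    Every address the host resolves to must be public, not just the first one.
    Callers should connect to one of the returned addresses rather than
    re-resolving the name, which closes the DNS-rebinding window between
    this check and the actual request.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no DNS needed
    except ValueError:
        addrs = list(resolve(host))  # hostname: resolve and check every answer
    if not addrs:
        return False, f"host {host!r} did not resolve"
    blocked = [a for a in addrs if not is_public(a)]
    if blocked:
        return False, f"host {host!r} resolves to non-public address {blocked[0]}"
    return True, addrs


if __name__ == "__main__":
    for candidate in ("file:///etc/passwd",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:127.0.0.1]/admin"):
        print(candidate, "->", validate_fetch_url(candidate))
```

Checking the resolved addresses rather than the hostname string is what defeats the usual bypasses (decimal or octal IP forms, `localhost` aliases, attacker-controlled DNS pointing at 127.0.0.1). The webhook side of the same advisories calls for the mirror image of this check on the outbound URL the skill is told to post results to, with an allowlist of approved destinations rather than a denylist.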