Key Takeaways
- Inference cost collapse (280x in 3 years, H100 spot down 64-75%) makes always-on agents economically viable, removing the primary constraint on agent proliferation
- Sub-10B reasoning models running on 16GB consumer hardware enable agents to operate on commodity hardware, further reducing deployment barriers
- 11.9% of ClawHub agent skills are malicious (341 out of 2,857); 100% of confirmed malicious skills use dual-vector attack combining code exploit + prompt injection
- ClawHub publishing barrier is near-zero: one-week-old GitHub account + SKILL.md file required; no code signing, security review, or sandboxing
- The agent economy and the agent attack surface are growing in lockstep: economic viability for legitimate agents directly enables economic viability for threat actors (Atomic Stealer costs $500-1,000/month, funded by single credential theft)
The Inference Deflation Driver: Always-On Agents Become Economically Viable
The foundational economic shift is straightforward: inference cost deflation (280x in 3 years) removes the primary constraint on continuous agent operation. An always-on agent running on an H100 GPU instance cost $7,200/month in Q4 2024; the same agent costs $2,150/month by Q1 2026—a 70% reduction in monthly operating cost.
But the more significant inflection is the shift to sub-10B reasoning models on consumer hardware. AMD's ReasonLite-0.6B achieves 75.2% AIME accuracy on 16GB consumer hardware, enabling agents to operate without GPU clusters at all. The amortized inference cost for a capable reasoning agent approaches zero marginal cost at scale.
This economic viability drives adoption. Deloitte projects inference spending growing from $106B in 2025 to $255B by 2030. Embedded in that projection is explosive growth in agent deployments—agents that automate customer support, financial analysis, code review, and countless domain-specific tasks.
But the same forces that make agents economically viable also make the agent attack surface economically viable for threat actors.
The Dual Attack Surface: Malicious Skills + Agent Credential Theft
The ClawHub security audit reveals the structural vulnerability of open agent skill marketplaces. Koi Security identified 341 malicious ClawHub skills (11.9%) with 335 traced to a coordinated ClawHavoc campaign delivering Atomic Stealer (AMOS) malware. Snyk's ToxicSkills audit found 13.4% of skills (534 out of 3,984) contain critical security issues.
The attack surface has two distinct vectors:
Vector 1: Malicious Agent Skills with Dual-Vector Attack
100% of confirmed malicious skills employ both malicious code AND prompt injection simultaneously. This dual-vector approach bypasses both traditional code security tools and AI safety mechanisms:
- Malicious code component: Credential theft, file system access, reverse shell backdoors, exfiltration of agent configuration to external webhooks
- Prompt injection component: Instructions that manipulate the agent's reasoning and action selection, enabling autonomous malicious behavior that the agent's reasoning system cannot distinguish from legitimate instructions
The typosquat campaign demonstrates attacker sophistication and persistence. The "clawhub" skill accumulated 7,743 downloads before removal. The attacker immediately returned with "clawdhub1" variant, then with "clawdhub2"—adapting faster than the ClawHub community could respond.
Vector 2: Agent Credential Theft via Infostealer Malware
The first documented AI agent identity theft represents a new threat class: infostealers that specifically target agent configuration files. Security researchers detected exfiltration of:
- openclaw.json — gateway tokens and authentication credentials
- device.json — private cryptographic keys
- soul.md — AI personality definition, behavioral instructions, and conversation logs
This is the beginning of a new malware category: specialized "AI-stealers" that target agent configurations alongside traditional credential stealers targeting browser passwords and email accounts.
The Agent Economy Paradox: Proliferation Multiplies Attack Surface
The paradox is stark: the same economic forces that drive agent proliferation directly enable threat actors to profitably attack agents.
Consider the ROI for a threat actor running Atomic Stealer (AMOS) malware. A legitimate agent credential theft generates access to:
- Agent gateway tokens (enables impersonation and autonomous execution)
- Cryptographic keys (enables signing malicious actions as authentic)
- Personality files (enables understanding agent behavior and decision-making, then manipulating it)
- Connected system access (agents typically have API keys and credentials for downstream systems they orchestrate)
A single successful agent credential theft can yield access to connected databases, payment systems, or enterprise APIs. The ROI on credential theft is orders of magnitude higher for agent compromise than for traditional device compromise (which yields browser cookies and email access).
Atomic Stealer costs $500-1,000/month to operate. For a threat actor, that investment is trivially profitable if a single successful agent compromise yields $50K+ in downstream access value. The equation is inverted from traditional malware economics: for agents, the attack is more profitable than for PCs.
Deloitte projects inference spending at 75-80% of all AI compute by 2030. Embedded in that projection is exponential growth in deployed agents. More agents deployed = larger attack surface. Larger attack surface = higher probability of profitable attacks. Higher profitability of attacks = more sophisticated threat actors entering the space.
This is the same growth pattern that occurred with mobile malware (2008-2015), where the platform's adoption outpaced security infrastructure maturity by 5-7 years. But the blast radius for AI agent attacks is structurally worse than mobile malware because agents execute code, maintain state, and have autonomous decision-making capability.
Inference Spending Projection: Agent Proliferation Driver
Inference spending projected to grow from $106B (2025) to $255B (2030), driving exponential growth in agent deployments
Source: Deloitte
Enterprise Risk: Security Infrastructure Lag of 18-24 Months
The enterprise security industry is operating with an 18-24 month lag relative to the agent threat landscape:
- CrowdStrike, SentinelOne, Palo Alto Networks: EDR/XDR solutions are optimized for process-level malware detection. They have no visibility into agent runtime execution, agent skill loading, or agent orchestration logic. An agent loading a malicious skill is invisible to traditional EDR.
- Container security (Snyk, Aqua): Optimized for detecting vulnerabilities in container images and dependencies. Agent skills have no standardized packaging format, no dependency management, and no container semantics. Existing container security tools cannot easily scan agent skills.
- DLP solutions: Optimized for data flow detection at the network layer. An agent exfiltrating data via autonomous API call to a malicious endpoint leaves no DLP signature because it uses legitimate API infrastructure.
The security tools that would detect agent supply chain attacks (skill signing and verification, agent runtime behavior monitoring, dual-vector attack detection) do not yet exist as standardized products. Security vendors are 18-24 months behind.
Market Opportunity: The 'Snyk for AI Agents' TAM
The structural gap between agent proliferation and agent security creates a substantial market opportunity. The winning security architecture will combine four capabilities:
- Agent skill scanning: Both code vulnerability detection AND prompt injection detection for dual-vector attack vectors
- Agent runtime monitoring: Behavioral analysis that detects unusual agent actions (unexpected API calls, credential access, data exfiltration)
- Agent skill signing: Cryptographic verification that agent skills come from trusted publishers and haven't been tampered with
- Supply chain inventory: AI Bill of Materials (AI-BOM) tracking agent skills, versions, and dependencies
This is analogous to how Snyk captured the container security market by building scanning + dependency management + supply chain visibility. The startup opportunity is a "Snyk for AI agents"—a platform that scans agent skills for both code and prompt injection vulnerabilities, maintains supply chain inventory, and monitors agent runtime behavior.
The TAM is substantial. If enterprise agent deployments grow from hundreds in 2026 to tens of thousands by 2030 (following Deloitte's inference spending projections), and each organization has 10-50 deployed agents with 5-20 skills per agent, the supply chain security TAM could exceed $2-5B by 2030.
What This Means for Practitioners
If you're deploying AI agents in enterprise environments:
- Treat agent skills with the same supply chain rigor as you treat container images. Agent skills are executable code with access to credentials and autonomous action capability. Implement code review, security scanning, and signing requirements before any skill reaches production.
- Implement agent runtime sandboxing with least-privilege access. Agents should not have direct access to production databases, credential stores, or payment systems. Route all critical operations through a capability-based security model where agents can call functions but cannot directly query systems.
- Monitor agent behavior for anomalies. Set up runtime behavior monitoring that detects agents making unexpected API calls, accessing unusual file system paths, or exfiltrating data. This is the AI equivalent of detecting C2 communication in traditional malware detection.
- Require cryptographic skill signing for any agent deployed internally. Skills should be signed by a trusted publisher (your organization or a vetted vendor). Verify signatures before loading any skill into production agent runtime.
- Inventory your agent supply chain. Build an AI Bill of Materials that tracks which agents you've deployed, which skills they use, what versions, and who published them. This enables rapid response if a skill is discovered to be malicious.
- Evaluate security infrastructure for agent-specific threats. Existing EDR and DLP are insufficient for agent security. Look for security vendors (or build internally) agent runtime monitoring that detects dual-vector attacks and unusual agent behavior.
Long-Term Outlook: Agent Marketplace Maturation, 2027-2030
The agent marketplace will follow the maturation pattern of mobile app stores (2008-2012):
- 2026 (Current): Wild west phase. Malware rates exceed 10%. Publishing barrier near-zero. Platform security emerging.
- 2027-2028: Platform enforcement. OpenAI, Google, and other agent orchestration platforms implement code signing, skill scanning, and security reviews. Malware rates decline to 1-3%.
- 2028-2030: Market consolidation. 3-5 dominant agent platforms with security infrastructure. Smaller open marketplaces (ClawHub) either adopt strict security standards or become marginalized.
The inflection point is likely 2027, when the first significant agent supply chain attack (e.g., widespread credential theft from compromised skills) makes headlines. This will trigger regulatory scrutiny and force platforms to implement security controls analogous to Apple's App Store security review.
Until that inflection arrives, organizations deploying agents face elevated supply chain risk. The best defensive posture is to treat agent skills with the rigor of container images—scan, sign, verify, and monitor—before the market provides standardized tools.