Agentic AI Supply Chain Security: When Your Agent's Skills Become the Attack Path
Agent skills, plugins and MCP servers are executable code, not config. Learn how to inventory, test and harden your agentic AI supply chain in 2026.
TL;DR
- In January 2026, CVE-2026-25253 became the first CVE ever assigned to an agentic AI system, after a crafted skill package achieved remote code execution in a skill runtime.
- Agent skills, plugins and MCP servers are executable third-party code, not passive configuration, and most organisations have no inventory of what they have installed.
- A 2026 industry report identified dozens of agent framework components carrying vulnerabilities introduced through supply chain compromise.
- Prompt injection tests what an attacker can make your model say or do. Supply chain testing tests what the agent is allowed to run and reach in the first place.
- Treat every skill, plugin and MCP connection as a dependency: inventory it, vet it, and red team it before it goes into production.
Agentic AI has moved past chatbots. Agents now book, buy, write code and operate infrastructure on your behalf, and they gain that ability by installing skills, plugins and MCP servers, much like a developer installs an open-source package. That convenience created a new supply chain, and in 2026 it produced its first CVE. Sectricity's AI systems penetration testing engagements increasingly cover this layer, alongside the model-level risks we described in Prompt Injection Explained and the access-control gaps in Your AI Agent Can Reach Your Production Database.
What Is the Agentic AI Supply Chain?
Every component an agent depends on to act, its skills, plugins, tool definitions and the MCP servers it connects through, is a piece of software written by someone else. It gets pulled from a marketplace, a package registry or a GitHub repository, and it runs with whatever permissions the agent has. That is a supply chain in the same sense as your application's npm or pip dependencies, except most teams have never inventoried it.
Skills, plugins, MCP servers and frameworks as new dependencies
A skill or plugin is not a static setting. It is executable logic that the agent loads and runs, often with the ability to read files, call APIs or reach internal systems. We covered how the Model Context Protocol itself gets abused as an attack vector in MCP Security; the supply chain angle is the layer above that: the component being installed can be malicious or vulnerable before a single MCP call is even made.
The New Attack Surface: How Agent Components Get Compromised
Malicious or typosquatted skill packages
Attackers publish skill packages with names close to popular ones, or compromise a legitimate package after it has built a user base. Once installed, the package runs with the agent's full permission set.
Vulnerable agent framework components
Beyond deliberately malicious packages, the frameworks and libraries that agents are built on carry ordinary vulnerabilities, the kind a code review or component scan would normally catch, except these components run inside an autonomous execution loop rather than a passive application.
CVE-2026-25253: the first CVE assigned to an agentic AI system
In January 2026, a crafted skill package was shown to achieve remote code execution inside an agent's skill runtime. It was the first time a CVE identifier was assigned specifically to an agentic AI system rather than to a traditional application or library, and it confirmed that skill runtimes need the same scrutiny as any other code execution environment.
Why This Differs From Traditional Software Supply Chain Risk
Agents act autonomously, at machine speed
A compromised dependency in a traditional application waits to be triggered by a request. A compromised skill inside an autonomous agent can be invoked by the agent itself, in a loop, without a human in between. The exposure window is measured in the time it takes the agent to decide to call it.
Trust boundaries blur between code, data and instructions
In a normal application, code and data are separate. In an agent, a document the agent reads, a tool's output and an instruction can all end up in the same context and get treated the same way. A vulnerable or malicious skill does not need to trick a person, it only needs the agent to call it.
What Organisations Are Getting Wrong
Treating skills as static config, not executable code
Teams that would never let an unreviewed library into production routinely let an unreviewed skill or plugin into an agent's toolset, because it looks like configuration rather than code.
No inventory of what an agent can reach or run
Without a list of every skill, plugin and MCP connection an agent has access to, an organisation cannot answer a basic question: what can this agent actually do, and to which systems.
How to Test and Harden Your Agentic AI Supply Chain
Inventory every skill, plugin and MCP connection
Start with a full list of what is installed, where it came from, and what permissions it runs with. This is the same discipline as a software bill of materials, applied to agent components.
Red team the agent, not just the model
Model-level testing (prompt injection, jailbreaks) is necessary but not sufficient. A red team engagement against an agentic system tests what happens when a skill is malicious or compromised, not just what happens when a prompt is adversarial.
Vendor and component vetting before deployment
Vet third-party skills and MCP servers before deployment the same way you would vet a new software vendor, and revisit that vetting on a schedule. Organisations working toward NIS2 or EU AI Act evidence requirements should fold this into their existing penetration testing programme rather than treating it as a separate exercise.
Frequently Asked Questions
What is agentic AI supply chain security?
It is the practice of identifying, vetting and testing every skill, plugin, tool definition and MCP server an AI agent depends on, since each is executable third-party code that runs with the agent's permissions.
How is this different from prompt injection?
Prompt injection targets what the model is told to do through its input. Supply chain security targets the components the agent loads and executes, regardless of what any prompt says. Read more in Prompt Injection Explained.
What was CVE-2026-25253?
It was the first CVE assigned specifically to an agentic AI system, following a demonstrated remote code execution in a skill runtime via a crafted skill package, in January 2026.
Can penetration testing cover AI agent skills and plugins?
Yes. AI systems penetration testing engagements can include reviewing installed skills and plugins, testing MCP connections, and assessing what an agent can reach if a component is compromised.
How often should we test our agentic AI stack?
At minimum annually, in line with the cadence expected for other regulated security testing, and again whenever new skills, plugins or MCP servers are added to production agents.
Does NIS2 or the EU AI Act require this kind of testing?
Neither names agentic AI supply chains explicitly, but both expect organisations to demonstrate structured, evidence-based testing of the systems they rely on. An agent with unreviewed third-party components is a hard gap to defend in front of an auditor.
Related services and resources
Sectricity tests agentic AI deployments end to end, from the model itself to the skills, plugins and MCP servers it depends on. Our AI systems penetration testing service covers this component layer directly, and for organisations that need to know how their agent behaves under a real, human-led attack rather than a scripted test, our red team engagements go further. Both plug into the broader penetration testing programme many of our clients already run for NIS2 and EU AI Act evidence. If you have not yet read them, Prompt Injection Explained and Your AI Agent Can Reach Your Production Database cover the model-level and access-control risks that sit alongside the supply chain risk in this post.