China Warns Of Malicious AI Agent Extensions
The National Computer Network Emergency Response Coordination Centre (CNCERT) posted a warning on its official WeChat account about a rising grey market for unregulated third-party AI "skills," according to reporting by the South China Morning Post and tech360.tv. CNCERT highlighted that some skills claim to bypass model safety guard rails, enable generation of otherwise prohibited content, or provide access to cryptocurrency-mining functions that are banned in mainland China. The agency warned these packages can expose users to data leaks, account suspensions, and legal risks and urged enterprises to obtain skills from official channels and apply least-privilege access controls. Tech reporting cites security testing platform JailbreakBench, which finds high success rates for malicious prompt injections and compromised skills bypassing safety controls.
What happened
The National Computer Network Emergency Response Coordination Centre (CNCERT) posted a public warning on its official WeChat account about a rapid emergence of a grey market for third-party AI "skills", as reported by the South China Morning Post and tech360.tv. CNCERT said some skills are marketed to evade model safety guard rails, allow generation of prohibited content, or provide access to cryptocurrency-mining functions that remain banned in mainland China. The agency highlighted risks including privacy breaches, account suspensions, and potential legal consequences, and urged enterprises to obtain skills only through official channels and to follow least-privilege principles when granting permissions.
Technical details
The coverage explains that AI "skills" function like plug-ins or specialised code packages that expand agent capabilities by connecting models to external databases, automating workflows, or running third-party code. Tech360.tv and SCMP report CNCERT flagged a subset of skills that attempt to trick agents into downloading and running crypto-mining software or to persuade users to run miner software themselves. According to reporting that cites the open-source security testing platform JailbreakBench, malicious prompt injection and compromised skills continue to achieve high success rates at bypassing guard rails deployed by major developers, including OpenAI and Anthropic.
Editorial analysis - technical context
Observed patterns in similar deployments show that opening agent platforms to third-party code increases the attack surface, because plug-ins introduce new execution contexts and privilege boundaries. Security testing platforms like JailbreakBench repeatedly surface prompt-injection and capability-abuse vectors that exploit those boundaries. For engineering teams, the core technical challenge is limiting what external components can request or execute and monitoring for unexpected outbound behavior from agents.
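As an added illustration of the least-privilege gating and outbound-monitoring approach described above (example code, not part of the reporting or of any vendor's product; the manifest format, capability names and sample hosts are assumptions), a small gateway that checks each runtime request from a skill against what that skill declared up front and flags fetches to undeclared hosts:

```python
"""Least-privilege gateway for third-party agent skills (added example).
Manifest fields and names are assumptions for illustration, not a vendor API."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Capabilities a skill may declare; anything else is denied by default.
CAPABILITIES = {"read_db", "http_get", "exec_code"}

@dataclass
class SkillManifest:
    name: str
    source: str                       # "official" or "third_party"
    capabilities: set = field(default_factory=set)
    allowed_hosts: set = field(default_factory=set)

@dataclass
class Decision:
    allowed: bool
    reason: str

def evaluate(m: SkillManifest, action: str, target: str = "") -> Decision:
    """Decide whether one runtime request from a skill is permitted."""
    if action == "exec_code" and m.source != "official":
        # CNCERT's guidance: run code only from officially sourced skills.
        return Decision(False, f"{m.name}: exec_code denied for non-official skill")
    if action not in CAPABILITIES or action not in m.capabilities:
        return Decision(False, f"{m.name}: capability {action!r} not declared")
    if action == "http_get":
        host = urlparse(target).hostname or ""
        if host not in m.allowed_hosts:
            # Undeclared outbound fetch: the telemetry signal worth alerting on.
            return Decision(False, f"{m.name}: outbound fetch to undeclared host {host!r}")
    return Decision(True, "ok")

def audit(m: SkillManifest, requests) -> list:
    """Evaluate (action, target) pairs in order; return the denial reasons."""
    return [d.reason for d in (evaluate(m, a, t) for a, t in requests) if not d.allowed]

# Constructed sample: a third-party skill that declared DB reads plus one API
# host, then at runtime tries to fetch and run a script from elsewhere (the
# download-and-run-a-miner pattern the CNCERT warning describes).
SAMPLE_SKILL = SkillManifest("price-lookup", "third_party",
                             {"read_db", "http_get"}, {"api.example.com"})
SAMPLE_REQUESTS = [("read_db", "quotes"),
                   ("http_get", "https://api.example.com/v1/quotes"),
                   ("http_get", "https://cdn.example.net/install.sh"),
                   ("exec_code", "sh install.sh")]

if __name__ == "__main__":
    print("\n".join("DENY " + r for r in audit(SAMPLE_SKILL, SAMPLE_REQUESTS)))
```

The denial reasons are what a platform would forward to its telemetry pipeline; the two declared requests pass and the two undeclared ones are refused before anything is fetched or run.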
Context and significance
Editorial analysis: This warning matters because enterprises are beginning to embed agents into workflows that touch sensitive data and infrastructure. The combination of unregulated skill marketplaces and widely available mining code raises operational and compliance exposure, particularly where crypto-mining is prohibited or where mining can materially degrade hardware and power consumption. The story also underscores a broader industry pattern: as agent ecosystems decentralise capability development, platform operators and adopters must rethink permission models and runtime isolation.
What to watch
- Indicator: reports of compromised or malicious skills appearing in public marketplaces or third-party registries.
- Indicator: security scans from open-source projects like JailbreakBench that quantify bypass rates for guard rails.
- Indicator: vendor responses, such as stricter vetting, whitelists for skills, runtime sandboxing, or telemetry that flags unexpected outbound downloads.
Scoring Rationale
A formal advisory from China's national cybersecurity coordination center on a practical threat to enterprise AI agent deployments is relevant to security practitioners and platform engineers. The warning covers real attack patterns (jailbreak and mining skills) and offers actionable guidance, but is a watch-and-mitigate advisory rather than a new vulnerability disclosure or regulatory mandate.