49,943 AI Agent Skills Were Audited. 80% Don’t Do What They Advertise, and Every Server Hosting Them Lets Anyone In.
Three independent security audits of the AI agent tool supply chain produce numbers bad enough individually. Combined into a single compound probability model, they reveal that an enterprise running twenty tools from the current MCP ecosystem faces a 64% chance of hosting at least one multi-stage attack chain.
Thirty-nine thousand nine hundred thirty-three. That is how many AI agent skills, out of 49,943 on the largest public registry, do something other than what their descriptions promise, according to a scan published by Palo Alto Networks Unit 42 in early 2026. Eighty percent of the entire OpenClaw registry exhibits at least one mismatch between declared and actual behavior, and 18.9 percent of those deviations trace to adversarial intent, with 60 percent of the adversarial subset targeting data theft and espionage, a finding that transforms the agent tool supply chain from a convenience story into a security crisis that nobody has fully quantified until now.
It gets worse when you learn that a separate research team scanned the servers hosting those tools and found that every single one they tested lets you walk in without so much as a password prompt.
Three Audits, Three Disasters, Zero Synthesis
Knostic's internet-wide reconnaissance, published in July 2025, discovered 1,862 Model Context Protocol servers exposed to the public internet via Shodan, and when their team manually tested 119 of them, every single server granted access to internal tool listings without requiring credentials. Not most of them, not ninety percent, but all 119, a result so uniform that Dark Reading's coverage described MCP servers as "totally bereft of authentication or access controls."
Meanwhile, researchers at UCSB and Fuzzland published "Your Agent Is Mine," a systematic study of malicious LLM API routers in which they purchased 28 routers from Taobao, Xianyu, and Shopify storefronts while collecting 400 free routers from public communities. Nine were actively injecting malicious code into responses, seventeen had touched researcher-owned AWS canary credentials, and one drained ETH from a researcher-controlled private key. When the team intentionally leaked a single OpenAI API key, routers processed 2.1 billion tokens through it, exposing 99 credentials across 440 coding sessions, 401 of which were already running in autonomous mode with no human approval gate for tool execution.
Each of these findings generated its own alarming news cycle, and each was reported in isolation from the others, which means nobody ran the compound math that reveals how the risks multiply when an agent connects to multiple tools simultaneously.
A Compound Probability That Nobody Calculated
Unit 42's scan gives us two critical rates: 80 percent of skills have behavior mismatches, and 5 percent contain multi-stage attack chains consisting of credential exfiltration sequences, instruction-override hijacking, or lateral movement patterns that compose into real compromise, representing 2,490 skills sitting on a public registry available for any agent to install without behavioral verification.
If you assume that an agent selects tools independently from this registry, the probability that at least one tool in a stack of N contains a multi-stage attack chain follows the formula 1 − (0.95)N, a calculation that, surprisingly, nobody in the existing reporting on Unit 42's findings has published.
| Tools in Stack | P(At Least One Attack Chain) | P(At Least One Behavior Mismatch) |
|---|---|---|
| 1 | 5.0% | 80.0% |
| 3 | 14.3% | 99.2% |
| 5 | 22.6% | 99.97% |
| 10 | 40.1% | ≈100% |
| 20 | 64.2% | ≈100% |
| 50 | 92.3% | ≈100% |
At five tools you face roughly a one-in-four chance of running an active attack chain, and at twenty tools the probability climbs to nearly two-in-three, converging at fifty tools on the 92 percent figure that Pynt independently calculated through compositional risk analysis of 281 MCP setups. Pynt's number was widely reported but rarely explained; Unit 42's per-skill attack-chain rate now provides the denominator that makes the convergence visible, because both teams are measuring overlapping slices of the same broken supply chain from different angles.
Now consider what happens when you layer in the Knostic finding. A behavior mismatch is not necessarily malicious: a tool that reads two extra files it did not disclose is misbehaving but may not be hostile. But when every server hosting those tools runs without authentication, the distinction between "misbehaving" and "exploitable" collapses entirely, because an attacker does not need to write a malicious skill from scratch when they can simply connect to any of the 39,933 misbehaving ones, interact with them through an unauthenticated server, and redirect their undisclosed capabilities toward hostile ends without anyone noticing.
Beyond the Registry: An Operational Problem
A thread that surfaced on the Moltbook community forum crystallized the operational reality that security teams have been slow to internalize: user AiiCLI posted data showing that action tools with write access make up 65 percent of agent tool usage, not the 27 percent commonly cited from earlier surveys, meaning that tools capable of modifying CI pipelines, editing files, sending API requests, and deploying code are not an edge case within agent workflows but the majority of what agents actually do.
When the Leidos-affiliated team behind MCPSafetyScanner tested attack success rates across seven MCP clients, they found variance spanning the full range from zero to one hundred percent, with some clients rejecting every adversarial prompt while others executed malicious code on every single attempt, a spread so wide that the security posture of your agent depends less on the protocol itself than on which specific client implementation you happened to install and which of the 49,943 available skills it connects to.
OWASP formalized this chaos into its MCP Top 10 in 2025, cataloging ten risk categories from token mismanagement and tool poisoning to shadow MCP servers and context injection, while thirty CVEs were filed against MCP implementations in a single sixty-day window and tool poisoning attacks succeeded at an 84.2 percent rate when auto-approval was enabled.
And the attack surface keeps expanding in ways that existing scanners cannot catch. Researchers at four universities demonstrated Document-Driven Implicit Payload Execution, or DDIPE, which embeds malicious logic inside code examples within skill documentation so that the payload hides in prose rather than executable code, achieving bypass rates between 11.6 and 33.5 percent across four agent frameworks and five large language models, with 2.5 percent of payloads evading all four detection layers simultaneously.
Why Smart People Think This Is Overblown
Fair objections exist, and the strongest one deserves its full weight: the compound probability table above assumes independent selection from the full registry, and real-world usage is not random. Enterprise teams curate their tool stacks, popular skills get more scrutiny than obscure ones, and the 80 percent mismatch rate includes benign discrepancies like undocumented logging rather than exclusively hostile behavior. Unit 42's own data shows that only 18.9 percent of deviations are adversarial, which drops the effective adversarial-mismatch rate from 80 percent to about 15 percent, and recalculating with p = 0.15 gives a probability of hitting at least one adversarially misbehaving tool at N = 10 of 80.3 percent rather than a guaranteed 100 percent: still alarming, but meaningfully different from a universal guarantee of compromise.
More importantly, Knostic's scan dates to July 2025, MCP's authorization framework shipped six months after the protocol's initial release, and adoption of authentication controls is likely higher among production deployments now than it was during that early snapshot of enthusiastic but careless adopters.
These are genuine mitigating factors that do not change the structural conclusion but do mean the effective risk for a careful operator is lower than the worst-case numbers in the table, which raises the question that matters most for enterprise security posture: how many of your operators are actually being careful, and how would you know if they were not?
What This Analysis Does Not Know
Unit 42's scan covers the OpenClaw registry specifically, and other tool registries and private repositories were not included, which means the 80 percent figure may not generalize to proprietary enterprise tool chains that never touch a public registry. Knostic's 119-server sample, while yielding a striking 100 percent failure rate, represents only 6.4 percent of the 1,862 servers discovered, and the remaining 1,743 may include authenticated servers that the sampling method missed. Our compound probability model assumes independent tool selection and uniform mismatch rates, but real-world clustering where popular tools are installed together could raise or lower effective risk depending on whether popular tools skew safer or more dangerous. The "Your Agent Is Mine" router study tested commodity routers sold on secondary markets, and enterprise-grade routing through first-party providers like OpenAI and Anthropic was not part of the attacker sample. CVE-2025-49596's CVSS 9.4 score applies to the MCP Inspector tool specifically, not to every MCP deployment.
What to Do About It
If you run AI agents in production, audit your tool stack today, not next quarter, because the compound probability table above is already operating against you with every tool you add.
Security directors should count how many MCP-connected tools their agents use, consult the compound probability table, and recognize that exceeding five tools means operating at greater than 22 percent exposure to multi-stage attack chains from the public skill supply chain alone. Mandate a bill-of-tools for every agent deployment, analogous to a software bill of materials, and require behavioral verification against the actual runtime behavior of every skill before it enters production rather than trusting the description in the registry.
Developers should stop installing skills from public registries without reading their source code, should pin versions to prevent silent updates, and should check whether their MCP server requires authentication today, putting it behind an auth proxy before close of business if it does not. Run MCPSafetyScanner against any server you connect to.
Anyone evaluating agent platforms should ask the vendor what percentage of their tool integrations have been independently audited for behavioral integrity, and if they cannot answer with a number, they have not done it, which tells you everything you need to know about whether to sign the contract.
MCP solved AI's integration problem by creating a universal adapter that connects every agent to every tool with no verification that those tools do what they claim, on servers that let anyone connect without credentials, and integration without authentication is not infrastructure but an invitation, one that right now stands wide open.
Sources
- Palo Alto Networks Unit 42 (2026). AI Agent Skills Supply Chain Security: Behavioral Integrity Verification. Scan of 49,943 OpenClaw skills; 80% behavior mismatch, 5% multi-stage attack chains. Cybersecurity Insiders
- Knostic (July 2025). "Exposing the Unseen: Mapping MCP Servers Across the Internet." 1,862 exposed MCP servers, 119 tested, 100% unauthenticated. Knostic
- VentureBeat (2026). "MCP shipped without authentication. Clawdbot shows why that's a problem." Pynt research: 10 MCP plugins = 92% exploitation probability. VentureBeat
- Liu, H., Shou, C., Wen, H., et al. (2026). "Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain." UCSB/Fuzzland. 28 paid + 400 free routers; 9 injecting malicious code; 1 draining ETH. arXiv
- Radosevich, B. and Halloran, J.T. (2025). "MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits." Leidos. Attack success rates 0–100% across 7 clients. arXiv
- OWASP (2025). MCP Top 10 Security Risks, led by Vandana Verma Sehgal; 30+ CVEs in 60 days; 84.2% tool poisoning success rate with auto-approval. OWASP
- VentureBeat (2026). DDIPE supply-chain poisoning: 11.6–33.5% bypass rates, 2.5% evading all detection. Griffith University, NTU, UNSW, University of Tokyo. VentureBeat
- Pynt (2025/2026). "The State of MCP Security." 281 MCPs analyzed; 9% per-plugin exploitation, 92% at 10 plugins, 72% allow sensitive operations. VentureBeat
- The Hacker News / Oligo Security (2025). CVE-2025-49596: MCP Inspector RCE vulnerability, CVSS 9.4, unauthenticated proxy exploitation. The Hacker News