by matrixgard 96 days ago
The lekt9/foundry case that rodchalski flagged is the one I'd lose sleep over. Static analysis, AI audit — it doesn't matter, you can't catch what isn't written yet. That's a fundamentally different threat model than what most security tooling is designed for.

The closest parallel I've seen in practice is OAuth scope creep from a few years back — teams installing third-party integrations with broad permissions and never reviewing them. At least those had a permission dialog and an audit log. Agent skills install with one command and the full attack surface is whatever the agent can do in your shell, including your cloud credentials and prod contexts.

What's your signal on whether the malicious installs are actively being exploited or mostly sitting dormant? Wondering if there's any telemetry on runtime execution vs. just install counts.