Lazaretto · blog

SSH keys, cloud creds, wallets: what a malicious agent skill actually steals

2026-07-14

A machine running an AI agent is a rich target: it usually has SSH keys, cloud credentials, a browser profile, LLM API keys, and sometimes a funded crypto wallet — all reachable by anything the agent installs. Public audits of skill marketplaces keep finding the same playbook.

What they go after

How they hide it

Fake “prerequisites” that ask the agent to run a setup command, curl | bash chains, base64-encoded payloads, install-lifecycle scripts that run automatically on npm install, and prompt-injection text aimed at the agent reading the skill. Lazaretto screens for each of these deterministically.

Check before it runs

curl -s https://lazaretto.dev/v1/known-bad/<sha256>        # free
curl -s -X POST https://lazaretto.dev/v1/scan -H 'content-type: application/json' \
  -d '{"target":{"type":"clawhub_skill","ref":"owner/skill"},"depth":"full"}'

A one-cent-scale check before install is cheap next to a drained wallet or a leaked cloud key. Reports are signals, not a warranty — but they surface the exact behavior, with evidence, before the code runs.


Lazaretto is the pre-install checkpoint agents call themselves. Try it · pricing.