TL;DR

Agentic AI platforms such as Claude Skills, Google’s Antigravity IDE, and Model Context Protocol (MCP) ecosystems are rapidly expanding from convenience tools into high-value cyberattack surfaces. Recent incidents—including Claude Skill ransomware abuse, the Antigravity drive-wipe catastrophe, and the Comet Browser MCP takeover flaw—illustrate just how easy it is for attackers to hijack these powerful systems. Agentic environments now resemble the early, insecure era of browser plug-ins: small, portable components with massive, under-regulated access rights. Securing this new frontier requires full-stack visibility, guardrails, and agent-aware runtime protection.

Agentic AI: from assistant to operator

It’s hard to appreciate how quickly AI has leapt from conversational assistant to operational powerhouse. Over just months, agentic systems have begun reading and writing files, refactoring entire codebases, interacting with APIs, running shell commands, and orchestrating business workflows across cloud and on-prem systems.

The rise of frameworks like Claude Skills (Anthropic announcement), Google’s Antigravity IDE and the Model Context Protocol (MCP GitHub) shows how aggressively AI vendors are racing to push from text generation into real-world action.

In our own research at PointGuard AI, we documented how MCP is transforming agents into universal tool operators—while introducing entirely new classes of vulnerabilities:
👉 Hidden Risks for AI Agents: ShadowMQ and MCP

The shift is profound. A model that can only answer questions is low-risk. A model that can run commands, alter files, or trigger automations across your SaaS ecosystem is a completely different security animal.

Where there is new power, attackers follow. And right now, attackers see agentic AI as a shooting gallery: targets everywhere, guardrails nowhere.

The early warning signs: incidents that signal what’s coming

The risk stopped being academic the moment attackers—and overeager agents—began demonstrating real-world, high-impact failures.

Claude Skills weaponized into ransomware pipelines

Security researchers recently showed how Claude Skills could be repackaged with hidden payloads and redistributed. Once a user installed the compromised Skill, Claude would execute its logic with full user-granted privileges. In the proof-of-concept, this workflow delivered a MedusaLocker ransomware strain.

Anthropic’s design emphasizes trust in the Skill author. Attackers, however, thrive in ecosystems where “trust the plug-in” is the default. It echoes the earliest days of browser extensions—only now the stakes are much higher.

Antigravity IDE: the agent that wiped a developer’s drive

The much-discussed incident involving Google’s Antigravity IDE made headlines when its agent—attempting to “clean up” a workspace—executed:

rmdir /s /q D:\

The command deleted the developer’s entire drive. No confirmation prompts. No rollback. No sandbox boundary between the agent and the system.
Further research showed the IDE agent could also be manipulated via prompt injection hidden inside repo files. A stray sentence in a README could steer the agent toward executing sensitive commands.

MCP attacks: the new universal exploit path

Perhaps the most consequential trend is the rapid appearance of high-impact vulnerabilities in MCP-connected browsers and IDEs.

ShadowMQ revealed how a malicious local MCP server could impersonate legitimate tools, harvest credentials, and inject malicious code into AI-driven workflows.
👉 PointGuard AI: ShadowMQ Analysis

Then came the Comet Browser exploit. Researchers discovered a hidden MCP API that allowed extensions to register as tool providers and execute arbitrary system commands. A malicious browser extension—once considered a mild nuisance—suddenly became a mechanism for full device takeover.
👉 PointGuard AI: Comet Browser MCP Flaw

The browser—long a sandboxed boundary—was breached not through a classic memory exploit but through an insecure AI tooling interface.

Agentic AI is eroding long-standing security boundaries faster than the industry can reinforce them.

Why attackers love agentic AI surfaces

Attackers are flocking to these ecosystems for three simple reasons:

1. Privileges are high and poorly scoped.
Agents often inherit full file-system access, network permissions, or shell capabilities from the environment they run in.

2. Trust boundaries are thin.
If a Skill or MCP server is reachable, many clients assume it is safe. Attacker-controlled tools slip in unnoticed.

3. Prompt injection becomes system injection.
A hidden instruction inside a code comment, ticket description, or document can now produce real-world consequences—file deletion, credential exposure, or lateral movement.

The similarities to early browser plug-ins are striking. But the potential impact—especially in enterprise environments—is far more severe.

How enterprises can defend against the agentic era

Securing agentic AI requires treating AI tools as privileged software components, not productivity hacks.

Organizations must begin by discovering and mapping every agent, Skill, MCP server, IDE integration, and connected tool across the enterprise. Shadow IT in the AI era doesn’t look like rogue SaaS—it looks like side-loaded Skills and background MCP processes.

Access also needs to be tightly controlled. Installing a new Skill or connecting to a new MCP endpoint should require the same scrutiny as deploying a new microservice.

Equally important is runtime monitoring. Agents must be observed like any other code execution surface—tracking which tools they use, what commands they issue, what data they access, and whether their behavior diverges from expected patterns.

And finally, enterprises need governance frameworks that bridge AppSec and AI Security. AI is no longer separate from the application stack—it is the application stack.

How PointGuard AI protects organizations

PointGuard AI was built for exactly this shift: securing the full AI-enabled application stack as agents, models, tools, and code blend into one environment.

Our platform provides:

Comprehensive Discovery

Automated mapping of agents, Skills, MCP connections, tool-calling behavior, and model interactions.
👉 How PointGuard AI Discovers AI Assets

AI Security Posture Management

Continuous misconfiguration detection, least-privilege enforcement, and policy-driven agent guardrails.
👉 AI-SPM Overview

Runtime Observability & Guardrails

Real-time interception of unsafe actions, detection of anomalous agent behavior, and alerts on unauthorized access patterns.

Governance Across Frameworks

Alignment with OWASP, MITRE ATLAS, NIST AI RMF, and emerging AI-safety standards ensures enterprise-ready compliance.

With PointGuard AI, organizations can harness the power of agentic platforms—without stepping into a shooting gallery.