What Happened
A developer published findings on March 7, 2026 about a new category of malicious software they call "AI SAd-ware" - AI Skills Ad-ware. After installing a popular GitHub skills repository (K-Dense-AI/claude-scientific-skills) for use with ChatGPT Plus Codex, they discovered advertising being injected directly into their AI coding sessions.
The repo appeared legitimate. It had stars. It looked like a normal skills package. But buried in the code was ad injection logic that surfaced promotional content through the AI agent's responses.
The author points to a tool called Greywall by GreyhavenHQ - a sandboxing tool that blocks network requests and controls file access for AI agents - as one defensive measure.
Why It Matters
AI coding agents like Claude Code, Cursor, and ChatGPT Codex are increasingly pulling in third-party skill packages, MCP servers, and plugin repos. Most developers install these the same way they install npm packages: skim the README, check the star count, and move on.
That trust model is breaking down. GitHub stars have been gameable for years, and now the attack surface has expanded. Instead of traditional malware that steals credentials or installs backdoors, these injections are subtler - they slip ads into your paid AI service responses. You are paying $20-200/month for an AI assistant that someone else is monetizing through injected promotions.
This is a supply chain problem specific to the AI agent era. When you give an AI agent a skills package, you are giving it instructions that shape every response. A compromised skill file does not need to exfiltrate data. It just needs to bias the output.
Our Take
This is early, but the pattern is predictable. AI agent marketplaces and skill repositories are going to become the new browser extension stores - full of clones, ad-injected forks, and SEO-optimized garbage.
The practical takeaway right now: read the actual code in any skills repo before installing it. Not the README, the code. These files are typically small enough to review in a few minutes.
Sandboxing tools like Greywall are a reasonable second layer, but they address symptoms. The real fix needs to come from the platforms themselves. Anthropic, OpenAI, and others building agent ecosystems need to implement skill/plugin signing, review processes, and permission scoping before this gets worse.
For anyone running Claude Code or similar agents with third-party integrations: audit what you have installed. Check your MCP servers, your skill files, your custom instructions. If you did not write it yourself, verify it.