Our CTO, Ian Ahl, deployed an AI agent to investigate the OpenClaw ecosystem and it immediately uncovered malicious skills stealing credentials in the wild. We break down how these campaigns work, why skills marketplaces are becoming a new supply chain risk, and what happens when agents hold keys to core business systems. Agents are becoming sysadmins for people, and we are still installing first and asking questions later.