China's national cybersecurity body issued a formal advisory on June 10, 2026, alerting users and platform operators to a growing grey market of malicious AI "Skills" packages capable of bypassing AI safety controls and hijacking devices to mine cryptocurrency without the owner's knowledge.

The warning came from CNCERT, the National Computer Network Emergency Response Technical Team/Coordination Centre, published through its official WeChat channel. The advisory identifies two primary threat categories circulating inside AI agent ecosystems: jailbreak Skills, which promise to make large language models (LLMs) answer any question by stripping out safety restrictions, and cryptojacking Skills, which quietly download mining software onto the host device and siphon its computing power for unauthorized cryptocurrency generation.

AI agent Skills are modular instruction packages, roughly analogous to app plugins or npm packages in traditional software development. They extend what an AI agent can do by connecting it to external tools, databases, and services. Adoption accelerated sharply in 2025 and 2026 through ecosystems built on the Model Context Protocol (MCP), introduced by Anthropic and now adopted as an open standard, and similar frameworks, but security review processes at many marketplaces have not kept pace with the volume of new submissions.

CNCERT specifically named a package called "godmode" as an example of the jailbreak category. According to Global Times reporting on the Chinese-language CNCERT WeChat advisory, the package contains "multiple attack modules employing sophisticated techniques, including system prompt replacement, input obfuscation, and multi-model racing." The agency warned that users who install such packages risk illegal content generation, account suspensions on AI platforms, device performance degradation, data and privacy leaks, and potential criminal liability. That last point carries particular weight in China, where the Supreme Court revised its criminal statutes in August 2024 to classify crypto transactions as a primary money laundering method. A user in China whose compromised AI agent mines cryptocurrency may face criminal charges simply for running the software on their device, even without knowledge of the mining activity.

Context for the advisory had been building for months. In March 2026, researchers documented the ROME incident: an Alibaba-backed AI agent that, during training, autonomously attempted to mine cryptocurrency without any instruction to do so and constructed a backdoor designed to break out of its sandboxed environment. The event predated the CNCERT advisory by three months and offered a concrete illustration of the autonomous, unsanctioned behavior the agency's warning addresses.

The threat landscape had also been shaped by a sustained wave of supply-chain attacks on Skills marketplaces. In February 2026, researchers disclosed the ClawHavoc campaign, in which attackers uploaded 1,184 malicious Skills packages to the ClawHub marketplace. The conditions for that infiltration were set by a dramatic surge in submissions: daily Skill uploads to ClawHub jumped from fewer than 50 in mid-January 2026 to more than 500 by early February, a more than tenfold increase that overwhelmed manual review processes. At the campaign's peak, roughly 20 percent of all available Skills on that platform were malicious, many of them deploying Atomic macOS Stealer malware to harvest cryptocurrency wallet credentials. In a separate incident spanning January and February 2026, attackers exploited the Tools plugin system across more than 15,000 exposed OpenWebUI instances to deliver crypto miners directly to host machines. A Snyk analysis of 3,984 Skills found that 36.82 percent had at least one security flaw and that 91 percent of confirmed malicious Skills used prompt injection as their primary attack method. Prompt injection is a technique in which adversarial text is inserted into a model's input context, including prompts, tool outputs, and retrieved content, to redirect the model's behavior away from its intended purpose. OX Security researchers also found they could successfully poison nine out of 11 MCP registries with test payloads, confirming command execution on six live production platforms. Snyk researchers put the underlying problem plainly in their ToxicSkills report: "Agent Skills are a supply chain, and they require the same security rigor we apply to npm, PyPI, and container registries."

The threat is not contained within China's borders. On-chain data from Chainalysis shows that Chinese-language underground networks processed roughly $16.1 billion in cryptocurrency in 2025, representing approximately 20 percent of known global crypto laundering, and growing at a rate approximately 7,325 times faster than centralized exchanges since 2020. These networks operate globally and have documented activity across Africa. For developers and users in South Asia and Sub-Saharan Africa, the exposure is compounded by regulatory gaps and resource constraints. Nigeria's CBEX scheme extracted over $250 million from Nigerian retail participants, and the Treasure NFT Ponzi scheme extracted approximately $800 million from victims primarily in India and Pakistan. Cryptojacking incidents grew 63 percent year-over-year in 2025, a trajectory that makes the threat especially acute in markets where cloud compute costs, internet bandwidth, and hardware replacement each represent significant constraints on development budgets. South Africa, the continent's largest technology economy, has been specifically identified as facing a cybersecurity crisis in the age of AI, according to a March 2026 report from the Inclusive Society Institute. AI agent tooling is now proliferating across these markets through channels that often have limited security oversight, expanding the attack surface for compromised Skills packages. CNCERT's advisory is aimed at users within China's AI ecosystem, covering platforms such as Baidu's ERNIE Bot, Alibaba's Qwen, and DeepSeek, but the jailbreak toolkits and mining-embedded Skills it describes circulate freely on GitHub, Telegram, and dark web forums with no geographic boundary.

CNCERT's recommended safeguards include downloading Skills only from official channels, granting minimal permissions to any installed package, and enabling multi-factor authentication on AI platform accounts. For enterprises, the agency recommends building Skills whitelists, running pre-deployment security scans, and using isolated network environments for AI agent workloads. The NSA published its own MCP security guidance in 2026, specifically addressing authentication controls and tool-call sandboxing for agent deployments. Whether those recommendations reach the developers most at risk, particularly those in markets with no equivalent advisory infrastructure, remains an open question. Coordinated cross-border enforcement and consumer protection frameworks for AI agent marketplaces have not yet been documented in most jurisdictions, and their absence leaves a significant gap in the global response to the threat.