ThePrimeagen's Poisoned AI Skill Wasn't a Prank — It Was a Supply-Chain Warning for Agent Ecosystems
ThePrimeagen published a deliberately poisoned AI agent skill and followers ran it without reading the source. Here's what the incident reveals about agent skill supply-chain risk.
Key Takeaways
- Agent skills look like documentation, but agents can treat them as executable instructions. The attack surface is context, not only code.
- ThePrimeagen's stunt was performance art: a proof-of-concept trust test, not a breach. No real damage has been reported.
- Academic research on poisoned agent skills found Document-Driven Implicit Payload Execution bypass rates of 11.6% to 33.5% across tested configurations.
- Founders installing MCP servers, Claude Code skills, Cursor plugins, or agent tools need provenance, pinning, sandboxing, and permission gates.
ThePrimeagen has spent years telling developers that AI coding tools can erode judgment. On January 23, 2026, he tested whether anyone was listening.
He posted what looked like a reversal: AI was more powerful than he thought, he had created his first skill, and it was already changing how he coded. Attached was a one-liner that looked familiar to anyone experimenting with agent skills: npx skills add github.com/theprimeagen/s --skill is-even.
Followers ran it. Many without reading the repo.
The skill was poisoned. Not with credential-stealing malware, based on the available reporting, but with intentionally wrong examples wrapped in documentation that looked authoritative. The package name itself was the tell: is-even is a long-running npm joke about trivial dependency bloat. Anyone who paused for two seconds would have asked why a developer famous for “understand your code or suffer” was pushing it.
The punchline was not the bad example. It was the trust shortcut.
What actually happened
ThePrimeagen published a GitHub skills repo and pointed followers at a skill named is-even. Reporting from Tim Schipper and DevGenius describes a set of deliberately incorrect skills, including is-even, is-odd, and left-pad, with dozens of wrong examples.
The setup was deliberate. Every element was a signal: the absurd package name, the apparent AI reversal, and the fact that it came from someone whose public philosophy is built around reading and understanding your tools. The question was whether people would inspect the source or simply run the command because a trusted developer posted it.
Important caveat: this was a proof-of-concept trust test, not a reported breach. I found no evidence of real-world damage. The current public ThePrimeagen/skills repo shows normal-looking skills and no longer exposes the incident-specific files. The point was never to damage anyone. The point was to show that the verification reflex is fragile.
Why this matters for founders
Here is the system underneath the stunt.
Agent skills, MCP servers, Cursor plugins, Claude Code skills, Codex instructions, and registry-hosted agent tools occupy a new category in your software supply chain. They are not quite dependencies and not quite docs. They are trusted context that agents can interpret as operational guidance.
A traditional package runs when you import it and call a function. A poisoned agent skill can influence what your agent does before you notice anything happened. Its SKILL.md, examples, templates, and metadata enter the model's context window and shape the agent's planning, tool selection, code generation, and shell usage.
| Layer | What gets compromised | Example | Founder response |
|---|---|---|---|
| Source | Repo, tweet, registry | Fake or shortlinked repo mimicking a trusted author | Resolve provenance and pin commits |
| Context | SKILL.md, examples, templates | DDIPE: hidden payload inside normal-looking docs | Read skill files before install |
| Tool metadata | MCP descriptions and schemas | Hidden instruction to read a secret file | Inspect descriptions, not just code |
| Execution | Shell, files, network, credentials | Agent copies and runs a poisoned example | Sandbox and restrict permissions |
That is not theoretical. A 2026 arXiv paper on supply-chain poisoning attacks against LLM coding-agent skill ecosystems formalized this exact vector as Document-Driven Implicit Payload Execution, or DDIPE: malicious logic hidden in normal-looking Markdown examples or configuration templates that agents reuse during routine work.
Across 1,070 adversarial skills generated from 81 seed skills, spanning 15 MITRE ATT&CK categories, four agent frameworks, and five models, DDIPE achieved 11.6% to 33.5% bypass rates depending on configuration. Even the strongest tested setup still allowed 2.3% direct execution. Static scanning caught most samples, but 2.5% evaded both static detection and model alignment.
The threat is in the reasoning layer
CrowdStrike describes the same pattern with a simple example: a harmless-looking tool called add_numbers whose metadata quietly instructs the agent to read ~/.ssh/id_rsa and pass its contents as a parameter before calling the tool.
The tool code can be clean. The compromise happens in the reasoning layer. The agent reads the hidden instruction, treats it as legitimate usage guidance, and turns a normal tool call into secret exfiltration. Secure Code Warrior made the same point about MCP tool descriptions: instructions can be invisible to users but fully readable by models.
If your agent can read files, run shell commands, install packages, hit the network, or touch production credentials, a poisoned skill is not “just docs.” It is a potential control surface.
Stay Ahead of the Trends
Get founder-grade breakdowns like this before the discourse gets noisy. Weekly, practical, no fluff.
The founder skill-review playbook
If you are an indie founder running Claude Code, Cursor, Codex, Windsurf, or any agent with skill or MCP support, you do not need enterprise compliance theatre. You need a small review process that catches obvious failure modes before the agent touches real code.
Before you run npx skills add
Provenance
30 secResolve the full repo URL. Do not install from shortlinks, tweets, or Discord snippets.
Read the source
2 minOpen SKILL.md, examples, templates, scripts, install hooks, and linked files.
Pin the version
30 secUse a commit hash or tagged release, not main. Record it in a manifest.
Sandbox first
1 minRun in an isolated repo or container with fake credentials and no production data.
Restrict permissions
1 minBlock shell, network, and secret-file reads by default. Enable only when needed.
Audit examples
1 minTreat every code block in skill docs as executable. Your agent might copy it verbatim.
Approved list
30 secKeep vetted skills for production and client repos. Everything else stays in the sandbox.
Set checkpoints
30 secPause before file writes, package installs, DB changes, outbound requests, and credential access.
The real lesson
ThePrimeagen's stunt worked because it exploited a cognitive shortcut, not a software vulnerability: someone competent vouched for this, so I do not need to think. That shortcut powers every blindly accepted AI suggestion, every unreviewed autocomplete, and every dependency installed because a familiar name shared it.
Agent skills make the shortcut more dangerous because they add a new layer of indirection. You are trusting the author, the registry, the model's interpretation of the docs, and the agent's execution of the plan. Each layer is a place where provenance can break.
The founders who treat agent skills like the supply chain they are will move faster in the long run. Not because they are more paranoid, but because they will not be the ones explaining how a “documentation file” gained access to production credentials.
The blue-pill path is convenience. The red-pill path is provenance. You already know which one ThePrimeagen was testing.
FAQ
Was anyone actually harmed by ThePrimeagen's poisoned AI skill?
No real-world damage has been reported from the incident. The available reporting frames it as performance art and a proof-of-concept trust test: intentionally wrong skill examples that exposed how quickly developers will run agent commands from a trusted source without inspection.
Does ThePrimeagen's current skills repo still contain the poisoned skills?
The current public ThePrimeagen/skills repository does not show the incident-specific is-even or is-odd files. The article treats the incident as a historical proof-of-concept, not as a claim about the current repo state.
What is Document-Driven Implicit Payload Execution?
Document-Driven Implicit Payload Execution, or DDIPE, is an attack pattern where malicious logic is hidden inside normal-looking skill documentation, examples, or templates. A coding agent may reuse that material during a normal task and execute the payload without an explicit malicious prompt.
How is agent skill poisoning different from an npm supply-chain attack?
Traditional package attacks usually compromise executable code or install scripts. Agent skill poisoning can compromise the reasoning layer: descriptions, examples, schemas, and instructions that the agent reads as operational context before taking actions like file writes, shell commands, or network requests.
Sources
Do not miss the next platform shift
Every week, Superframeworks breaks down the trends that matter for indie hackers, SaaS founders, and AI-native builders.