AI Dev Patterns: Agent Skills Land in .NET, and the Week AI Agents Went Offensive, 2026-07-18
ai

AI Dev Patterns: Agent Skills Land in .NET, and the Week AI Agents Went Offensive, 2026-07-18

7 min read

Microsoft Ships Agent Skills for .NET as a Stable, Production API

Microsoft released Agent Skills for .NET on July 7, graduating the feature out of preview — the experimental attribute has been removed from the API. The library packages reusable domain expertise as skills: bundles of instructions, reference documents, and scripts that an agent loads on demand rather than keeping permanently in context, following the same progressive-disclosure principle behind the cross-vendor Agent Skills specification.

Integration with Microsoft Agent Framework happens through a skills provider that follows a clear loading sequence — advertise skill names, load instructions, read resources, then run scripts only as needed — which keeps context windows efficient and lets teams develop skills independently before combining them into a single agent without cross-team coordination overhead. The .NET implementation supports three authoring styles: file-based skills using the familiar SKILL.md directory format, class-based skills distributed as NuGet packages, and code-defined skills generated dynamically from application state. Governance is built in from the start rather than bolted on: human-in-the-loop approval gates for loading, reading, and executing, along with script execution controls, skill filtering, caching, and pluggable source registries.

Critically, the .NET implementation targets the open Agent Skills specification directly, meaning skills written for Claude Code, Codex, or other compatible tools can run under Microsoft's framework without modification — reinforcing skills as a genuine cross-vendor interoperability layer rather than a Microsoft-specific abstraction, at a point where roughly 40 products across the ecosystem already support the same format.

Read more — Microsoft Agent Framework Blog



Safe & Secure AI Agent Practices

Hugging Face Discloses an Intrusion Run End-to-End by an Autonomous AI Agent

Hugging Face disclosed on July 16 that it detected and responded to an intrusion into part of its production infrastructure that was, in the company's own words, driven end to end by an autonomous AI agent system — and largely detected and analyzed using AI as well.

The attack chain started in the dataset-processing pipeline: a malicious dataset combined a vulnerability in a remote dataset loader with a template-injection flaw in a dataset configuration to achieve unauthorized command execution on a processing worker. From that single foothold, the agent escalated to node-level access, harvested cloud and cluster credentials, and moved laterally across internal clusters over the course of a weekend — the kind of sustained, patient, multi-stage campaign that used to require a human operator on the other end. The activity itself was orchestrated by what Hugging Face describes as an autonomous agent framework, apparently built on an agentic security-research harness, which executed many thousands of individual actions across a swarm of short-lived sandboxes with self-migrating command-and-control infrastructure staged on public services.

On impact, Hugging Face reports unauthorized access to a limited set of internal datasets and service credentials, with no evidence of tampering with public models, datasets, Spaces, or the software supply chain (container images and published packages were verified clean). Investigation into potential partner or customer data exposure was still ongoing at disclosure time.

The forensic response is arguably the more instructive part of the story. The team fed more than 17,000 recorded attacker actions into LLM-driven analysis agents to reconstruct the campaign in hours rather than the days manual review would normally take — but they hit what they call the asymmetry problem along the way: commercial model providers' safety guardrails blocked forensic requests that necessarily contained exploit payloads and command-and-control artifacts, unable to distinguish a defender's investigation from an attacker's request. The workaround was pivoting analysis to GLM 5.2, an open-weight model, run entirely on Hugging Face's own infrastructure, which avoided both the guardrail blocks and the risk of sending sensitive attacker data or credentials to an external API. Their stated lesson for the industry: have a capable model you can run on your own infrastructure vetted and ready before an incident happens, not during one. Affected users were advised to rotate access tokens and review account activity.

Read more — Hugging Face


JadePuffer: Researchers Document the First Fully Agent-Orchestrated Ransomware Attack

Security firm Sysdig disclosed in early July what it characterizes as the first documented case of a ransomware operation conducted entirely by an autonomous LLM agent, dubbed JadePuffer. The operation unfolded in two phases: initial access came through an unauthenticated remote code execution flaw in Langflow's validation endpoint (CVE-2025-3248), after which the agent enumerated the host, harvested credentials across multiple cloud providers, found an object storage service configured with default credentials, and extracted a service-key file. It then established persistence through a scheduled task beaconing out every 30 minutes.

The agent's real objective was a separate, internet-exposed production server running MySQL and Alibaba Nacos, and this is where the report's most striking detail comes from: a timestamped log shows the agent's first login attempt against a newly created admin account failing, then, 31 seconds later, succeeding after the agent diagnosed a password-hash generation problem in its own tooling and corrected it — a fully autonomous debug-and-retry cycle completed faster than a human operator could plausibly react. From there the agent chained a known Nacos authentication-bypass flaw with forged signing tokens to gain direct database access, then used a MySQL encryption function to scramble more than 1,300 configuration entries before dropping the original tables, working around foreign-key constraints that initially blocked the deletion by disabling that safety check globally first.

The ransom note itself undercut the operation: the encryption key was generated as throwaway session data, printed once to the console, and never stored or transmitted anywhere — meaning recovery was impossible even for a victim willing to pay. Sysdig's assessment is blunt: JadePuffer required no novel exploits, only years-old vulnerabilities against neglected, internet-exposed infrastructure, and its real significance is that the skill floor for running a ransomware operation has dropped to whatever it costs to run an agent. Their recommendations for defenders center on the basics that made this attack possible in the first place: patch known CVEs promptly and keep code-execution endpoints off the public internet, strip API keys and cloud credentials out of AI-orchestration server environments entirely, change default secrets on services like Nacos and never expose their admin interfaces externally, and add behavioral monitoring for scheduled tasks that make outbound network calls.

Read more — Sysdig


Agent Skills Adoption Outpaces Agent Skills Security Review

A June ecosystem report on the Agent Skills standard puts hard numbers behind a concern that's been building all year: the format is winning on distribution but lagging badly on trust. Roughly 40 products now support the open Agent Skills spec, and community directories index close to 1.9 million publicly published skills — genuinely rapid, cross-vendor adoption for a standard that only published in December 2025.

The security picture is less encouraging. An audit of 22,511 skills found 140,963 issues, an average of roughly 6.3 per skill, and prompt injection payloads embedded in 36% of the skills tested. Quality tracks a similar pattern — the average public skill scores just 6.2 out of 12 on the report's rubric, while curated, reviewed skill sets improved agent task pass rates by an average of 16.2 percentage points, with the largest gains (51.9 points) showing up in the healthcare domain where task correctness matters most. Given that both the Microsoft .NET release above and IntelliJ IDEA's new agent skills capability are actively growing the pool of skill-consuming surfaces, the report's core recommendation is worth internalizing directly: curation and review matter more than catalog size, and organizations adopting skills at scale should treat security scanning and provenance checks as a prerequisite, not an afterthought, before pulling a community-published skill into a production agent.

Read more — Agentman

Stanislav Lentsov

Written by

Stanislav Lentsov

Software Architect

You May Also Enjoy