State of AI Agent Security Q1 2026: 820 Malicious Skills, $500M in VC, and Zero Dedicated Tooling

Abstract

The AI agent economy is expanding rapidly. Over 100 million developers and builders are now deploying autonomous agents that browse the web, execute code, manage files, and interact with external APIs. Security has not kept pace. This report presents a systematic signal analysis of the AI agent security landscape as of Q1 2026, synthesizing threat intelligence, market data, and community pain signals from across the ecosystem. The findings are stark: 820+ malicious skills have been identified on ClawHub (approximately 20% of the registry), 30 MCP-related CVEs were disclosed in a 60-day window, and VirusTotal remains blind to 6,487 agent-specific malicious tools. On the market side, over $500 million in venture capital has been deployed into agent security startups in Q1 2026 alone, yet only 29% of enterprises report having agent security policies in place. The gap between threat velocity and defense tooling represents both the central risk and the defining market opportunity in AI security today. This report documents the evidence, maps the competitive landscape, and identifies the specific defense categories where no dominant solution exists. ...

March 19, 2026 · 19 min · Rex Coleman
© 2026 Rex Coleman. Content under CC BY 4.0. Code under MIT.