China Watchdog Warns of Malicious AI Extensions Bypassing Safety Guard Rails

  • Writer: tech360.tv
  • 4 hours ago
  • 2 min read

China's cybersecurity watchdog has issued a warning against third-party artificial intelligence skills packages that bypass model safety guard rails. These unregulated AI extensions claim to generate otherwise prohibited content and provide access to cryptocurrency-mining functions.


[Image: Gold Bitcoin coin on a laptop, with blurred blue and pink trading charts glowing in the background. Credit: Unsplash]

The National Computer Network Emergency Response Coordination Centre, or CNCERT, highlighted the rapid emergence of a grey market for these tools. The agency stated that these packages expose users to data leaks and money-laundering risks.


AI skills function as plug-ins or specialised code packages that expand the capabilities of AI agents and models. Similar to smartphone apps, they connect AI systems to external databases, automate workflows, and integrate with third-party software.


CNCERT said some skills are marketed to circumvent built-in restrictions to access cryptocurrency-mining functions, which remain banned in mainland China. The agency warned that using such tools could result in privacy breaches, account suspensions, and potential legal consequences.


There is also a growing number of malicious skills designed to trick AI agents into downloading mining software. They may also persuade users to run the software themselves to generate privacy-focused tokens.


Cryptocurrency mining consumes large amounts of computing power. This consumption can increase electricity costs, reduce device performance, and accelerate hardware deterioration.


The warning comes as the AI agent ecosystem expands rapidly across multiple platforms. Platforms including Manus, Coze, Dify, and Flowith have encouraged third-party developers to create these specialised skills.


This trend has fuelled concerns over how much control platform operators retain over code executed by external components. Security researchers warned that AI agents capable of downloading and running third-party code introduce new attack surfaces.


According to open-source AI security testing platform JailbreakBench, malicious prompt injections and compromised skills continue to achieve high success rates. These tactics successfully bypass safety controls deployed by leading AI developers, including OpenAI and Anthropic.


To reduce these risks, CNCERT urged enterprises to establish strict whitelists for approved AI skills. Companies should also conduct comprehensive security reviews before deploying any third-party components.


The agency also recommended running AI agents in isolated environments and classifying them according to data sensitivity. It advised implementing robust data-masking and temporary authorisation mechanisms.


Users should obtain skills only through official channels. They must follow the principle of least privilege when granting permissions, and promptly revoke unnecessary access to sensitive data.

  • Unregulated third-party AI skills packages are being used to bypass safety controls, leak data, and mine banned cryptocurrency.

  • Malicious extensions trick AI agents or users into running mining software, which raises electricity costs and degrades device hardware.

  • Safety bypasses maintain high success rates against leading AI systems developed by organisations like OpenAI and Anthropic.


Source: SCMP
