CNCERT Warning: Hidden Risks of Jailbreaking and Cryptomining in Agent Skills

On June 9, the National Internet Emergency Center issued an announcement exposing malicious AI skill packages such as godmode and Bonero-Miner, warning users to be vigilant against jailbreaking and mining risks, and to avoid becoming involved in illegal activities such as money laundering.
CNCERT Emergency Warning: Hidden Jailbreak and Crypto Mining Risks in AI Agent Skills Could Involve Users in Money Laundering Crimes
On June 9, 2026, the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT) issued its latest security bulletin, delivering a stern warning about the emerging phenomenon of malicious skill packs (Skills) within the rapidly evolving AI Agent ecosystem. CNCERT pointed out that recent comprehensive assessments have found that some AI Agent Skills are being publicly distributed online under highly enticing claims such as “large model jailbreak” and “earn money via mining.” These packages lure users into intentionally bypassing large model safety restrictions or covertly exploit their device resources for illegal mining without their knowledge. Such malicious Skills can lead to models generating illegal content, user accounts being lawfully suspended, dramatic drops in device performance, and even the unknowing involvement of users in serious criminal activities such as money laundering, severely infringing on legitimate personal rights and jeopardizing national cybersecurity.

1. The Prosperity and Risks of the AI Agent Skills Ecosystem
With the widespread adoption of AI Agent technology from the second half of 2025 to the first half of 2026, Skills (skill packs) — as the core mechanism for extending AI Agent capabilities — have become indispensable to the AI ecosystem. From developer-oriented tools like Claude Code and Cursor to consumer-facing Agent platforms, the Skills mechanism allows third-party developers to create functional modules that agents can load and invoke on demand, enabling a flexible “expand as you go” model of functionality.
However, as with all open ecosystems, the prosperity of the Skills ecosystem has also attracted malicious actors. The two risks disclosed in CNCERT’s bulletin — “jailbreak-type Skills” and “mining-type Skills” — represent the most typical and urgent security threats currently facing the AI Agent ecosystem. These threats have low technical barriers, spread rapidly, and are highly deceptive to ordinary users, many of whom install and use them without full awareness or while taking a gamble, only to face severe consequences.
It is noteworthy that CNCERT had previously issued a warning about “skill poisoning risks” in functional plugins (skills) for AI applications such as “Xiaolongxia” (formerly Clawdbot, Moltbot), stating that multiple plugins for such AI Agents had been confirmed as malicious, capable of stealing keys and deploying trojan backdoors to turn devices into “zombies.” This June 9 bulletin can be seen as CNCERT’s deeper and more systematic disclosure of security risks in the AI Agent Skills ecosystem.
2. Case One: “godmode” — A Brazenly Marketed Jailbreak Tool
2.1 How godmode Works
The first malicious Skill specifically named by CNCERT is the jailbreak-type pack called “godmode.” It claims to allow large models to answer any question, achieving so-called “God Mode” or “full jailbreak” capability. Technical details disclosed by CNCERT show that godmode actually incorporates multiple attack modules and uses typical jailbreak techniques such as:
- System Prompt Override: Overwriting or bypassing the model’s original system prompt to remove built-in safety restrictions and value alignment constraints
- Input Obfuscation: Using encoding transformations, character substitution, multilingual mixing, symbol injection, and other techniques to bypass keyword filters and content detection
- Multi-Model Racing: Sending requests to multiple large models simultaneously to exploit weaker safety defenses in some, extracting content rejected by stricter models
These techniques are not new and have been widely discussed in the AI security research community. The danger of godmode lies in packaging research- or red-team-only techniques into a ready-to-use Skill product, requiring only a simple installation for use — dramatically lowering the attack threshold.
2.2 Three Core Risks
CNCERT identified three key risks of using godmode-type jailbreak Skills:
Legal Risk: Once such Skills are used, the model may directly output instructions for manufacturing dangerous items or conducting cyberattacks. Acting upon or distributing such content can lead to direct legal accountability. The Interim Measures for the Administration of Generative AI Services and related laws explicitly define legal responsibilities for generating or disseminating illegal content via AI.
Economic Loss Risk: Mainstream large model providers prohibit jailbreak activity and have developed robust anomaly detection systems. Using such Skills can easily trigger account suspensions, permanently disabling user access. Purchased API quotas or subscriptions are typically non-refundable, posing significant financial losses for heavy commercial users.
System Security Risk: Post-jailbreak, model output becomes uncontrolled. Users may unknowingly divulge personal privacy in chats or be induced into performing high-risk actions. More dangerously, the Skill’s auto-jailbreak script directly edits local configuration files — if tampered with, it could introduce trojans, backdoors, and other threats.
3. Case Two: “Bonero-Miner” — A Crypto Mining Trojan in AI Disguise
3.1 The “Private Cryptocurrency” Masquerade
The second malicious Skill CNCERT named is “Bonero-Miner.” It claims to “create a private cryptocurrency for AI Agents,” which sounds innovative, but in reality is a crypto mining trojan variant. The operation is as follows:
- Induce the agent to download an external mining program
- Guide the user to authorize mining-related actions
- Continuously consume CPU, GPU, and memory resources to mine Bonero coins
- Transfer the mined cryptocurrency to an attacker-controlled wallet
3.2 Money Laundering Risk: Ring Signature & Stealth Address
CNCERT emphasized that Bonero (suspected to be a Monero clone/variant) has strong anonymity features such as:
- Ring Signature: The sender’s identity is obscured among multiple possible signers, making the real signer untraceable
- Stealth Address: Each transaction uses a one-time address, preventing linking to the recipient’s real wallet
These cryptographic techniques make both user identity and transaction amounts untraceable. This means a user’s device could unknowingly become part of a money laundering chain — attackers could “launder” illicit funds into seemingly legitimate mining proceeds across numerous victim devices, potentially leaving the actual device owners legally exposed.
3.3 Device Wear and Financial Loss
Beyond legal risks, sustained high-load mining causes direct economic impact:
- Persistent CPU/GPU usage leads to higher power consumption, driving up electricity costs
- Lag and delayed responses, disrupting work and daily use
- Accelerated hardware wear, especially shortening the lifespan of GPUs, SSDs, and other key components
- Prolonged high-load cooling can cause hardware failures or safety incidents
4. CNCERT Security Recommendations
CNCERT offered tailored advice for individuals and enterprises to counter these threats.
4.1 Individual User Recommendations
- Use Official Channels: Only obtain Skills from the agent’s official marketplace or trusted sources; avoid unknown sources
- Reject Jailbreak Tools: Clearly refuse to install any Skill claiming to offer “jailbreak,” “restriction bypass,” or “God Mode” functions
- Minimal Permissions: Grant Skills only necessary permissions and promptly revoke sensitive access
- Regular Cleanup: Periodically remove unused Skills and sensitive conversation records to reduce attack surface
- Multi-Factor Authentication: Enable MFA to protect agent accounts and API keys
4.2 Enterprise User Recommendations
- Whitelist Mechanism: Maintain an approved Skills whitelist with full security reviews before onboarding
- Isolated Deployment: Prefer deployment in isolated network environments, avoiding direct exposure to production
- Tiered Management: Manage agents by data sensitivity, enforcing stricter Skill policies in sensitive contexts
- Data Desensitization: Adopt data masking and temporary authorization to reduce leakage risk
- Behavior Monitoring: Implement runtime monitoring for abnormal network requests, file operations, and resource usage
5. Industry Reflection: Balancing Openness and Security
The issues revealed in this CNCERT bulletin are not isolated to any specific platform or type of Skill, but a systemic challenge the entire AI Agent industry faces amid rapid growth.
Over the past year, from Claude’s Skills mechanism debut to the explosion of open-source Agent frameworks, Skills have become the de facto standard for extending agent functionality. But unlike traditional software plugins, Skills run within agents that have both strong reasoning capability and system access. If maliciously exploited, the damage potential far exceeds that of traditional malware.
The industry must jointly advance security by:
- Platform Level: Establish stricter Skill reviews, sandbox execution, and fine-grained controls over sensitive behaviors (networking, file access, external commands)
- Protocol Level: Standardize Skill security specifications, including signature verification, capability declarations, and permission requests
- Ecosystem Level: Build public reputation systems and vulnerability disclosure ecosystems for Skills with community participation
- Regulatory Level: Clarify legal liabilities for developing/distributing malicious Skills and intensify law enforcement
6. Immediate Steps Users Should Take
Following CNCERT’s warning, all AI Agent users should immediately:
- Check installed Skills and uninstall godmode, Bonero-Miner, and any from unknown sources
- Review device resource usage for abnormal CPU/GPU loads
- Inspect the agent’s network logs for connections to mining pools or suspicious servers
- Change agent platform passwords and regenerate API keys
- Follow CNCERT and official platform security updates
Conclusion
The rapid advancement of AI Agents has brought unprecedented productivity gains, but also new forms of cybersecurity threats. CNCERT’s warning serves as an important industry reminder: security must never be the trade-off for capability expansion. Individuals, enterprises, and platform operators alike must approach the Skills ecosystem with heightened caution to jointly fortify the cybersecurity defenses of the AI era.
References
- ITHome: CNCERT Warns of Jailbreak and Mining Risks in Some AI Agent Skills — ITHome’s detailed report on CNCERT’s bulletin, including the full text and case analysis



