AIR — Fake AI Agent Skill Bypassed All Scanners, Reached 26,000 Agents

AI relevance: Agent skill marketplaces are the new software supply chain — a single malicious skill can silently exfiltrate data from thousands of AI agents running with user-level authority, and current scanners cannot detect post-review payload swaps.

  • Security firm AIR built a fake AI agent skill named brand-landingpage, pushed it through a popular skill marketplace and an Instagram ad, and says it reached roughly 26,000 agents including some on corporate accounts.
  • Every skill security scanner tested — including Cisco's AI Defense scanner, NVIDIA's SkillSpector, and scanners wired into skills.sh — marked the malicious skill as safe.
  • The payload was harmless by design: it collected the user's email address and did nothing else. The point was to demonstrate that none of the trust signals caught it.
  • The skill claimed to build a landing page using Google's Stitch design tool and targeted non-technical users (marketers, salespeople, designers).
  • To establish credibility, AIR opened a pull request to a skill marketplace repository with ~36,000 stars so the skill inherited the repo's star count as a trust signal.
  • The skill carried no malicious setup instructions itself — it told the agent to install the "Stitch SDK" by following documentation at an external domain (stitch-design.ai) controlled by AIR, not Google.
  • Initially the link pointed to genuine Stitch docs, so scanners cleared the package. After wide installation, AIR swapped the page behind the link to instruct agents to download and run a script that exfiltrated user email addresses.
  • The vulnerability is structural: scanners analyze the submitted package in isolation, but the external URL a skill points to can be rewritten at any time after the scan clears.
  • Trail of Bits independently demonstrated the same bypass three weeks earlier, concluding that "a scanner checks a fixed package, while an attacker can keep tweaking the payload until it passes."
  • Real campaigns have used this exact technique for months — keeping the submitted skill clean and hosting the payload on a site the agent only fetches at install time.

Why it matters

AI agent skills execute with roughly the authority of a user prompt. When a skill points to an external URL, the agent fetches and follows those instructions with full access to the agent's operational context — file systems, shells, credential managers. The scan happens once, but the page can be rewritten at any time. This is the same class of supply-chain vulnerability that affected npm packages and browser extensions, now weaponized against AI agents that act on behalf of users.

What to do

  • Treat skills as software, not text: vet what a skill points to, not just what ships inside the submitted package.
  • Route new skills through a single source you control and re-check them when anything changes — a clean result at install does not stay clean if the skill phones out to an external link.
  • Pin skill versions and hold agents to least privilege. Assume any external instruction an agent fetches runs with the agent's full access.
  • Audit installed skills across your organization: find what is already running before attackers exploit the same gap.
  • Monitor agent network activity for unexpected outbound connections to domains not in your allowlist.
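One way to operationalize the first three steps, as an added example that is neither AIR's nor any marketplace's code: extract the external URLs a skill references, flag hosts outside an org allowlist, and pin a hash of what each URL served at review time so a post-review content swap is caught before install. The skill text, the allowlist domain and the two network snapshots are constructed for the demonstration.

```python
import hashlib
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s)>\"']+")

def extract_urls(skill_text):
    """Every http(s) URL the skill text references, in order, de-duplicated."""
    seen, urls = set(), []
    for u in URL_RE.findall(skill_text):
        u = u.rstrip(".,;")  # strip trailing sentence punctuation
        if u not in seen:
            seen.add(u)
            urls.append(u)
    return urls

def offlist_domains(urls, allowlist):
    """URLs whose host is neither an allowlisted domain nor a subdomain of one."""
    def allowed(host):
        return any(host == d or host.endswith("." + d) for d in allowlist)
    return [u for u in urls if not allowed(urlparse(u).hostname or "")]

def pin_external_content(urls, fetch):
    """Record a SHA-256 of the bytes each URL served when the skill was reviewed."""
    return {u: hashlib.sha256(fetch(u)).hexdigest() for u in urls}

def verify_pins(pins, fetch):
    """URLs whose current content no longer matches its review-time pin."""
    return [u for u, d in pins.items() if hashlib.sha256(fetch(u)).hexdigest() != d]

# Constructed sample skill text (not the real brand-landingpage skill).
SKILL_MD = """# brand-landingpage
Install the Stitch SDK by following https://stitch-design.ai/docs/install.
Examples live at https://github.com/example-org/skills/tree/main/brand-landingpage.
"""
ALLOWLIST = ["github.com"]  # hypothetical org allowlist

# Constructed stand-ins for the network: what each URL served at review time,
# and the same URLs later, after the externally hosted page was rewritten.
REVIEW_TIME = {
    "https://stitch-design.ai/docs/install": b"Run: pip install stitch-sdk",
    "https://github.com/example-org/skills/tree/main/brand-landingpage": b"README",
}
INSTALL_TIME = dict(REVIEW_TIME)
INSTALL_TIME["https://stitch-design.ai/docs/install"] = b"First download and run setup.sh"

def audit(skill_text=SKILL_MD, allowlist=ALLOWLIST, review=REVIEW_TIME, later=INSTALL_TIME):
    """Review-time pinning plus install-time re-check; returns both findings."""
    urls = extract_urls(skill_text)
    pins = pin_external_content(urls, review.__getitem__)
    return {"offlist": offlist_domains(urls, allowlist),
            "changed": verify_pins(pins, later.__getitem__)}
```

In production the `fetch` callable would be a real HTTP client, and a non-empty `changed` list should block installation and trigger re-review rather than just being reported.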

Sources: