al-ice.ai

AIR — Malicious AI Agent Skill Bypassed Cisco, NVIDIA Scanners, Reached 26,000 Users

Security by al-ice.ai Editorial

AI relevance: AI agent skills are executable instruction bundles that direct how agents operate and route data — this research proves current static scanners cannot detect skills that weaponize external web resources after passing review.

  • AI risk firm AIR published a detailed case study of a malicious agent skill called brand-landingpage that passed security scanners from Cisco, NVIDIA, and skills.sh before reaching 26,000 users via Instagram ads.
  • The skill appeared to help users build landing pages with Google's Stitch design tool. It was submitted to a popular open-source agents repository (~36,000 GitHub stars, 156 skills) and merged after a few days.
  • The malicious technique didn't rely on suspicious code in submitted files. Instead, the skill instructed agents to set up a Stitch SDK by following installation instructions hosted at stitch-design.ai — a domain controlled by AIR, not Google.
  • AIR configured the fake domain to redirect to the real Stitch site, making the issue difficult to detect from static review alone. After gaining distribution, they changed the content behind the fake documentation to instruct agents to download and run a script.
  • All three scanners — Cisco, NVIDIA, and skills.sh — marked the skill as safe. The scanners analyze the skill's SKILL.md and bundled resources using static heuristics and LLM agents, but cannot detect skills that point agents to web pages that change later.
  • Some of the agents involved were tied to corporate accounts. AIR said a similar attack could have exposed private conversations and internal systems.
  • Security researchers emphasized that AI agent skills must be treated as "living third-party dependencies" — executable instruction bundles that require continuous validation and strict runtime controls, not one-time static scans.

Why It Matters

This is the first public demonstration that multiple production-grade agent skill scanners can be bypassed simultaneously using a technique that requires no malicious code in the skill files themselves. The attack exploits a fundamental gap: current scanners assess the skill at the time of review, but the skill's behavior can change at any time by modifying the external web resource it references. For enterprises deploying AI agents at scale, this means the supply-chain risk from agent skills is qualitatively different from traditional code supply-chain attacks — the "code" is natural language instructions that can delegate execution to arbitrary external resources.

What to Do

  • Inventory every AI agent skill deployed across your organization, including which external resources each skill references.
  • Implement runtime controls that restrict what agents can do — network egress, file system access, credential visibility — regardless of what a skill instructs.
  • Treat agent skills as third-party software dependencies with continuous monitoring, not one-time approval. Re-validate skills periodically and monitor the external resources they reference.
  • Block or proxy agent network requests to unapproved domains. The brand-landingpage skill would have been contained if agents couldn't freely reach attacker-controlled domains.

CSO Online: How a malicious AI agent skill passed security checks and reached 26,000 users

AIR: The Story of Skills