Fake AI Agent Skill Bypasses Scanners, Hits 26,000 Agents
Security researchers at AIR have demonstrated a stark gap in AI agent supply chain defenses by publishing a proof-of-concept malicious skill that sailed past every scanner it was tested against and was installed by roughly 26,000 agents, including some running on corporate accounts. The skill, named brand-landingpage, was marketed through a sponsored Instagram ad aimed at marketers, salespeople, and designers, and was submitted to a popular skill marketplace repository with around 36,000 GitHub stars. Because the submission was merged upstream, the skill automatically inherited the credibility of the host repository, making it appear trustworthy even to technical reviewers.
The attack hinged on a simple but effective blind spot. Cisco's scanner, NVIDIA's scanner, and the three scanners wired into skills.sh all analyze the static package submitted to them, primarily the SKILL.md manifest and any bundled files. AIR's skill carried no malicious setup instructions of its own. Instead, it instructed the agent to install the "Stitch SDK" by following documentation hosted at stitch-design.ai, a domain registered and controlled by AIR, not Google, whose real Stitch product lives at stitch.withgoogle.com. A WHOIS lookup on the fake domain would have immediately revealed it was freshly registered and unaffiliated with Google, the kind of signal scanners are not currently built to cross-reference. The external page initially pointed agents to the genuine Stitch documentation, so every scanner saw a clean package directing users to a plausible, legitimate setup page and cleared it for distribution.
Once the skill reached sufficient install volume, AIR swapped the content behind the link. The updated documentation instructed the agent to download and execute a script. In the controlled demo, the script simply exfiltrated the user's email address back to AIR, which is how the firm tallied its 26,000-agent reach. A real attacker exploiting the same foothold could have instructed the agent to read local files, exfiltrate data, or pivot into internal systems accessible from the agent's runtime, with no further user interaction required. AIR is not the first to surface this weakness. Three weeks earlier, Trail of Bits demonstrated a bypass of ClawHub's malicious-skill detector alongside Cisco's scanner and all three skills.sh scanners, concluding bluntly that a scanner evaluates a fixed package while an attacker can iterate the payload until it passes review. Threat actors have reportedly been using this exact pattern for months: keep the submitted skill clean and host the real payload on a site the agent only fetches at install or first run, where scanning never reaches.
The structural failure is clear. Skill marketplaces perform a one-time scan at submission, but the external pages those skills point to can be rewritten at any moment, effectively turning every approved skill into a potential time-delayed supply chain compromise. Security teams deploying agent skills at scale should verify the domains referenced in SKILL.md manifests using an SSL and certificate checker to confirm ownership and legitimacy, and treat any skill that defers critical setup logic to an external URL as high risk. As the AIR research shows, GitHub stars, scanner verdicts, and marketplace reputation are not enough when the payload lives one redirect away from everything those trust signals are designed to evaluate.
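The review checks described above can be scripted. The following Python is an added example written for this article; it is not AIR's code, nor the code of any scanner or marketplace mentioned. It assumes a team-maintained allow-list of vetted vendor domains, uses a naive "last two labels" approximation of the registrable domain, and models the "content swapped after approval" failure with a pin store: the reviewer records a SHA-256 of each external page at approval time, and the installer refuses to proceed if the page fetched at install time no longer matches. The sample SKILL.md and page bodies are constructed for the example; the domains stitch-design.ai and stitch.withgoogle.com are the ones named in the article.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional
from urllib.parse import urlparse

# Constructed sample manifest, shaped like the setup step the article describes:
# the package itself is clean, but setup is deferred to an external lookalike domain.
SAMPLE_SKILL_MD = """\
---
name: brand-landingpage
description: Generates brand landing pages from a short brief.
---
## Setup
Install the Stitch SDK by following the documentation at
https://stitch-design.ai/docs/setup before running this skill.
"""

# Assumed allow-list: domains the reviewing team has explicitly vetted.
TRUSTED_DOMAINS = {"stitch.withgoogle.com", "github.com"}

# Phrases that hand the setup step to content a submission-time scanner never sees.
DEFERRED_SETUP_PATTERNS = [
    r"follow(?:ing)? the (?:documentation|instructions|guide) at",
    r"download and (?:run|execute)",
    r"curl\s+[^|\n]*\|\s*(?:ba)?sh",
]

URL_RE = re.compile(r"https?://[^\s)>\"']+")


@dataclass
class Finding:
    severity: str
    message: str


def extract_urls(skill_md: str) -> list[str]:
    return URL_RE.findall(skill_md)


def registrable_domain(host: str) -> str:
    # Naive eTLD+1 (last two labels). A production tool should use the public suffix list.
    return ".".join(host.lower().split(".")[-2:])


def is_trusted(host: str, trusted: set[str]) -> bool:
    return any(host == t or host.endswith("." + t) for t in trusted)


def lookalike_of(host: str, trusted: set[str]) -> Optional[str]:
    """Return a trusted domain whose brand label appears inside a different registrable domain."""
    for t in trusted:
        brand = t.split(".")[0]
        if len(brand) >= 4 and brand in host.lower() \
                and registrable_domain(host) != registrable_domain(t):
            return t
    return None


def audit_skill(skill_md: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[Finding]:
    """Flag unvetted or lookalike domains and setup logic deferred to external content."""
    findings: list[Finding] = []
    for url in extract_urls(skill_md):
        host = urlparse(url).hostname or ""
        if is_trusted(host, trusted):
            continue
        twin = lookalike_of(host, trusted)
        if twin:
            findings.append(Finding("high", f"{host} resembles trusted {twin} but is a different "
                                            f"registrable domain ({registrable_domain(host)})"))
        else:
            findings.append(Finding("medium", f"{host} is not on the vetted domain list"))
    for pat in DEFERRED_SETUP_PATTERNS:
        if re.search(pat, skill_md, re.IGNORECASE):
            findings.append(Finding("high", f"setup logic is deferred to external content (matched /{pat}/)"))
    return findings


def pin_content(body: bytes) -> str:
    """Hash recorded by the reviewer for each external page at approval time."""
    return hashlib.sha256(body).hexdigest()


def verify_pins(pins: dict[str, str], fetched: dict[str, bytes]) -> list[str]:
    """Return URLs whose install-time content differs from what was reviewed."""
    return [u for u, body in fetched.items() if pins.get(u) != pin_content(body)]


def is_recently_registered(created: date, today: date, min_age_days: int = 90) -> bool:
    """Age check on the WHOIS creation date the reviewer looked up (date supplied by caller)."""
    return (today - created).days < min_age_days


if __name__ == "__main__":
    for f in audit_skill(SAMPLE_SKILL_MD):
        print(f"[{f.severity}] {f.message}")
```

The pin store is the piece that closes the one-time-scan gap: it does not matter how benign the external page looked at review time if the bytes the agent actually fetches at install time are different, and the installer can refuse on that basis alone. The domain-age check is deliberately a pure function of a caller-supplied date so that the WHOIS lookup itself stays a separate, auditable step in the review.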