Security firm AIR built a fake AI agent skill, pushed it through a popular skill marketplace and an Instagram ad, and says it reached roughly 26,000 agents, including some on corporate accounts.
Every skill security scanner the firm tested it against marked it safe. The payload was harmless by design: it collected the user’s email address and did nothing else.
The point was to show that none of the signals people lean on to trust a skill caught it: not the scanners, not the GitHub stars, not the open-source reputation.
A skill is a bundle of instructions an agent loads into its own context and follows with roughly the authority of a user prompt. That trust is the whole problem, and it is the reason skill-scanning tools exist in the first place.
The skill, named brand-landingpage, claimed to build a landing page using Google’s Stitch design tool, aimed squarely at non-technical users.
To make it look credible, AIR went after two trust signals: GitHub stars and a clean scanner verdict. For the stars, it opened a pull request to a skill marketplace repository with around 36,000 stars and 156 skills.
The pull request was merged after a few days, so the skill inherited the repo’s count. Then it ran an Instagram ad aimed at marketers, salespeople, and designers, who installed it and put it to work.
Why the scanners missed it
The scanners AIR tested analyze the package you hand them: the SKILL.md and the files shipped with it. That’s Cisco’s, NVIDIA’s, and the ones wired into skills.sh.
AIR’s skill carried no setup instructions of its own. It told the agent to install the “Stitch SDK” by following the documentation at an external link, stitch-design.ai, a domain AIR controls, not Google (the real Stitch lives at stitch.withgoogle.com).
At first, the link led to the genuine Stitch docs, so the scanners, seeing a clean package that pointed at a plausible setup page, cleared it. The page the agent would actually fetch and follow sat outside the scan.
Once the skill was installed widely, AIR swapped the page behind that link. The new version told the agent to download and run a script.
In the demo, it only mailed the user’s address back to AIR, which is how the firm counted the agents it reached. A real operator could have used that foothold to read files, move data, or hit internal systems, bounded only by what the agent could reach.
AIR is not the first to show this. Three weeks earlier, Trail of Bits bypassed ClawHub’s malicious-skill detector, Cisco’s scanner, and all three scanners wired into skills.sh. Its conclusion was blunt: a scanner checks a fixed package, while an attacker can keep tweaking the payload until it passes.
Real campaigns have used the same trick for months, keeping the submitted skill clean and hosting the payload on a site the agent only fetches at install.
The problem is structural: the scan happens once, but the page a skill points the agent to can be rewritten at any time after. Anthropic’s ownÂ
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
