AIR: Fake Agent Skill Cleared All Scanners, Hit 26,000 Agents

Security researchers at AIR built a fake AI agent skill, got it merged into a popular open-source skill repository, promoted it via Instagram ads, and watched it install on roughly 26,000 agents, including those on corporate accounts, according to The Hacker News. Every scanner the team tested it against cleared it as safe.

The skill was named "brand-landingpage" and claimed to build landing pages using Google's Stitch design tool, a pitch aimed at marketers, salespeople, and designers. To manufacture credibility, AIR submitted a pull request to a skill marketplace repository that already had around 36,000 stars and 156 skills. Once merged, the skill inherited that repository's star count. A targeted Instagram ad then drove installs from non-technical users who had little reason to be skeptical.

The attack unfolded in two phases. Initially, the skill directed agents to install an SDK by following documentation at stitch-design.ai, a domain AIR controlled rather than Google's legitimate stitch.withgoogle.com. At that point the external link pointed to real Stitch documentation, so scanners from Cisco, Nvidia, and skills.sh saw a clean package pointing at a plausible setup page and cleared it. Later, AIR rewrote the content at that domain to instruct agents to download and run a script. The structural flaw is straightforward: a scanner checks a fixed package at submission time, but the page a skill points an agent to can be rewritten at any moment after approval.

For the proof of concept, the script harvested only user email addresses and did nothing else. But the researchers note that a real attacker inheriting full agent permissions could read files, exfiltrate data, or pivot to internal systems. Those 26,000 agents still have the skill installed unless actively removed.

The honest caveat is that AIR sells its own managed marketplace product, so there is a commercial interest in making the finding land hard. What the reporting does not give you is a breakdown of which agent platforms those 26,000 installations ran on, or what the remediation path looks like for organizations already affected. The structural problem the research exposes, that one-time static scanning is blind to post-install mutation of external dependencies, is real and is shared across every marketplace architecture that works this way. The question now is whether scanner vendors extend their models to include continuous external URL monitoring, or whether that gap stays open.