An imitation AI agent skill successfully bypassed all security scanners and is said to have reached 26,000 agents.

An imitation AI agent skill successfully bypassed all security scanners and is said to have reached 26,000 agents.

      TL;DR: The security firm AIR created a fake AI agent skill that successfully bypassed all major scanners and claims it reached around 26,000 agents by changing an external URL post-scan clearance. AIR developed a deceptive AI skill, introduced it into a popular skill marketplace, and used an Instagram ad to promote it, reportedly attracting approximately 26,000 agents, including some corporate users. Every security scanner tested deemed it safe. While the payload was intentionally benign and only collected email addresses, AIR notes that a malicious actor could exploit this entry point to access files, transfer data, or infiltrate internal systems.

      The skill, named brand-landingpage, pretended to create a landing page using Google’s Stitch design tool and was targeted at non-technical users. To enhance its credibility, AIR employed two trust signals that the ecosystem considers indications of safety: GitHub stars and a favorable scanner verdict.

      To acquire stars, it submitted a pull request to a skill marketplace repository that had roughly 36,000 stars and 156 skills, which was merged in a few days, allowing the skill to inherit this star count. Subsequently, AIR ran an Instagram advertisement directed at marketers, sales professionals, and designers, who then installed and utilized it.

      The scanners tested by AIR evaluate the submitted package, which includes the skill definition file and accompanying materials, utilizing tools from companies like Cisco and NVIDIA, as well as those from major skill registries. AIR's skill did not contain any malicious setup instructions but directed the agent to install the “Stitch SDK” by referencing documentation at an external URL it controlled, rather than the legitimate Google site.

      Initially, the link directed users to the actual Stitch documentation, allowing the scanners to identify a legitimate package pointing to a valid setup page and approve it. However, the link was later changed to direct the agent to a page that instructed it to download and execute a script.

      This technique is not novel. Just weeks prior to AIR's results, Trail of Bits successfully evaded ClawHub’s malicious skill detector, Cisco's scanner, and all major skill registry scanners. They concluded that scanners evaluate a fixed package while attackers can modify the payload until it passes.

      Real-life campaigns have employed this method for months, ensuring the submitted skill remains clean while hosting the payload on a site accessed only during installation.

      The issue is systemic; the scan occurs only once, yet the page a skill directs the agent to can be altered at any point afterward. Anthropic’s own guides caution that skills accessing external URLs are dangerous for this very reason, as the content can shift post-vetting.

      Recent research found that seven major scanners commonly agree on less than one out of five hundred combined flags, since each scanner evaluates skills individually, unaware of external links and subsequent changes post-review.

      The reported scale figures are solely from AIR and should be viewed with skepticism, as the firm is launching a managed skill marketplace and concludes its report with a promotional pitch. Consequently, the claims of 26,000 agents, corporate accounts, and the potential for complete control over all agents are not independently verified. However, the method is validated: the identified scanners indeed assess only the submitted package, the blind spot regarding external links is genuine and has been demonstrated independently, and the trust signals AIR manipulated, including stars and a clean scan, are the very ones the ecosystem still regards as credible.

      The experiment highlights the vulnerabilities in trust signals associated with agent skills: borrowable stars, a scan evaluating a snapshot, and links that can be altered post-verification. Regardless of whether the actual figure is 26,000 or a smaller number, the loophole it exploits remains one that defenders have yet to address effectively.

      For security teams, the key takeaway aligns with findings from researchers: treat skills as software, not merely text. Assess what a skill references, not just what it contains. Route new skills through a controlled source, re-evaluate them with any changes, fix versions, and ensure agents operate on the principle of least privilege.

Other articles

The creator of ChatGPT aims to reduce the security risks associated with open-source projects. The creator of ChatGPT aims to reduce the security risks associated with open-source projects. With an influx of low-quality bug reports from AI tools overwhelming open-source maintainers, OpenAI's new initiative, Patch the Planet, seeks to sift through the clutter and address genuine issues. Anthropic introduces Claude Tag, a perpetual AI assistant that resides in your Slack channels. Anthropic introduces Claude Tag, a perpetual AI assistant that resides in your Slack channels. Anthropic has introduced Claude Tag in a research preview, an AI that is always active, monitors Slack conversations, understands company context, and actively highlights updates. Enhance Your Everyday Routine: Top Laifen Prime Day Offers You Should Check Out Now Enhance Your Everyday Routine: Top Laifen Prime Day Offers You Should Check Out Now Prime Day has transformed into more than just a shopping occasion. For numerous consumers, it's a chance to invest in items that truly enhance daily living. Although televisions, laptops, and smart home devices frequently grab the spotlight, some of the most significant purchases are those that are utilized every day. This is precisely where Laifen comes in... EXCLUSIVE: Rock Burwell, the composer of Obsession, discusses the eerie soundtrack of the horror sensation. EXCLUSIVE: Rock Burwell, the composer of Obsession, discusses the eerie soundtrack of the horror sensation. In a unique interview with Digital Trends, Rock Burwell, the composer for Obsession, talks about crafting the chilling score for the horror sensation, the awards campaign, and his future collaborations with director Curry Barker. I searched for the top Prime Day deals on Google hardware, and here are the standout selections. I searched for the top Prime Day deals on Google hardware, and here are the standout selections. Prime Day 2026 is offering some unexpectedly great discounts on Google products. From the Pixel 10 series and Nest cameras to the Pixel Watch 4 and Google TV Streamer, these are the deals you should take advantage of before the sale concludes on June 26. Beyond the Sale: How Laifen is Making Luxury Self-Care Attainable This Prime Day Beyond the Sale: How Laifen is Making Luxury Self-Care Attainable This Prime Day The most effective upgrades don’t necessarily lead to immediate, life-altering changes. Instead, they tend to be the minor enhancements we incorporate into our daily routines. This includes how we begin our mornings, the habits that boost our confidence before we leave our homes, and the rituals that help us relax […]

An imitation AI agent skill successfully bypassed all security scanners and is said to have reached 26,000 agents.

The security company AIR created a safe counterfeit skill that was cleared by scanners from Cisco and NVIDIA, claiming it reached 26,000 agents and highlighting a gap in the vetting process of skills.