Security Research Exposes How Fake AI Agent Skills Bypass Multiple Scanners
Key Takeaways
- ▸Static security scanning of AI agent skills is insufficient—malicious payloads can be hosted externally and modified after security approval
- ▸All tested commercial security scanners (Cisco, NVIDIA, skills.sh) failed to detect this threat, indicating systemic gaps in AI security tooling
- ▸AI agent skills are executable dependencies with the same supply chain risks as third-party software packages, but are rarely governed with equivalent rigor
Summary
A security research team at AIR conducted an experiment demonstrating a critical vulnerability in how AI agent skills are vetted and deployed. The team created a fake skill called 'brand-landingpage' designed to appeal to non-technical corporate users (marketers, salespeople, designers) and successfully submitted it to a popular open-source agents repository with 36,000 GitHub stars. The malicious skill passed security reviews from scanners produced by Cisco, NVIDIA, and skills.sh, despite employing a sophisticated technique that avoided detection: it instructed users to download an SDK from stitch-design.ai (a controlled fake domain) instead of Google's legitimate stitch.withgoogle.com domain.
Once deployed and reaching over 26,000 users through Instagram promotion, AIR changed the payload behind the fake domain, demonstrating that static security scanning cannot detect post-deployment attacks. Some of the agents using this skill were tied to corporate accounts. The test payload collected only email addresses for notification, but AIR demonstrated how the same technique could have been used to compromise machines and access private conversations. The research reveals a fundamental architectural gap: current security scanners analyze only packaged files at approval time, leaving enterprises vulnerable to 'living' dependencies that can change after trust has been granted.
- Enterprises must implement continuous runtime validation and strict access controls for agent skills, not rely on one-time approval scanning
Editorial Opinion
This research exposes a critical blind spot in enterprise AI governance. As organizations rapidly adopt AI agents, security teams are treating skills as static configuration files when they are actually executable instruction bundles that can be modified after deployment. The failure of multiple commercial scanners suggests the entire industry is using insufficient threat models for agent security. Companies must shift from approval-time scanning to runtime monitoring, treating agent skills as 'living third-party dependencies' subject to the same governance rigor as open-source packages and SaaS integrations.



