BotBeat
...
← Back

> ▌

AIR BlackboxAIR Blackbox
RESEARCHAIR Blackbox2026-07-04

Security Research Exposes How Fake AI Agent Skills Bypass Multiple Scanners

Key Takeaways

  • ▸Static security scanning of AI agent skills is insufficient—malicious payloads can be hosted externally and modified after security approval
  • ▸All tested commercial security scanners (Cisco, NVIDIA, skills.sh) failed to detect this threat, indicating systemic gaps in AI security tooling
  • ▸AI agent skills are executable dependencies with the same supply chain risks as third-party software packages, but are rarely governed with equivalent rigor
Source:
Hacker Newshttps://www.csoonline.com/article/4188840/how-a-malicious-ai-agent-skill-passed-security-checks-and-reached-26000-users.html↗

Summary

A security research team at AIR conducted an experiment demonstrating a critical vulnerability in how AI agent skills are vetted and deployed. The team created a fake skill called 'brand-landingpage' designed to appeal to non-technical corporate users (marketers, salespeople, designers) and successfully submitted it to a popular open-source agents repository with 36,000 GitHub stars. The malicious skill passed security reviews from scanners produced by Cisco, NVIDIA, and skills.sh, despite employing a sophisticated technique that avoided detection: it instructed users to download an SDK from stitch-design.ai (a controlled fake domain) instead of Google's legitimate stitch.withgoogle.com domain.

Once deployed and reaching over 26,000 users through Instagram promotion, AIR changed the payload behind the fake domain, demonstrating that static security scanning cannot detect post-deployment attacks. Some of the agents using this skill were tied to corporate accounts. The test payload collected only email addresses for notification, but AIR demonstrated how the same technique could have been used to compromise machines and access private conversations. The research reveals a fundamental architectural gap: current security scanners analyze only packaged files at approval time, leaving enterprises vulnerable to 'living' dependencies that can change after trust has been granted.

  • Enterprises must implement continuous runtime validation and strict access controls for agent skills, not rely on one-time approval scanning

Editorial Opinion

This research exposes a critical blind spot in enterprise AI governance. As organizations rapidly adopt AI agents, security teams are treating skills as static configuration files when they are actually executable instruction bundles that can be modified after deployment. The failure of multiple commercial scanners suggests the entire industry is using insufficient threat models for agent security. Companies must shift from approval-time scanning to runtime monitoring, treating agent skills as 'living third-party dependencies' subject to the same governance rigor as open-source packages and SaaS integrations.

AI AgentsMachine LearningCybersecurityAI Safety & AlignmentPrivacy & Data

More from AIR Blackbox

AIR BlackboxAIR Blackbox
OPEN SOURCE

New Open-Source Tool Reveals 97% of Major AI Agent Projects Fail EU AI Act Compliance

2026-03-04

Comments

Suggested

AI Industry (Analysis & Commentary)AI Industry (Analysis & Commentary)
POLICY & REGULATION

Senate Proposes Federal Framework for Trustworthy AI Agent Providers

2026-07-04
Google / AlphabetGoogle / Alphabet
PRODUCT LAUNCH

Google Research Launches TabFM, A Zero-Shot Foundation Model for Tabular Data

2026-07-04
Woodside EnergyWoodside Energy
INDUSTRY REPORT

From Exploration to Operations: How Woodside Energy Is Scaling AI Across Industrial Systems

2026-07-04
← Back to news
© 2026 BotBeat
AboutPrivacy PolicyTerms of ServiceContact Us