In June 2026, a security firm called AIR spent under an hour building a fake AI agent skill, then handed it to the exact tools meant to stop it. Cisco’s scanner, Nvidia’s, the ones built into skills.sh — all certified it safe. It carried a marketplace’s worth of GitHub stars and spread through a single Instagram ad. By AIR’s count it reached 26,000 agents, some on corporate accounts. None of that is the interesting part. The interesting part is that everything those scanners approved was, at the moment they looked at it, genuinely safe — and stayed safe right up until AIR decided otherwise.
A skill is packaged instructions you hand an agent — a reusable playbook for a specialised task. A year ago they were a developer toy. Now salespeople, marketers and designers trade them in public marketplaces and pass them around offices. The mechanic that matters: a skill loads into the agent’s context and is followed with roughly the authority of a user prompt. Installing one grants a stranger’s instructions the same trust you give your own commands. Every scanner on the market exists because of that fact, and AIR’s experiment shows they are checking the wrong half of the problem.
Researchers Niv Hoffman and Or Nevo picked a bait with mass, non-technical appeal. Google’s Stitch design tool had just launched, so they shipped brand-landingpage: a no-code skill that defines a brand’s visual direction and spits out a deployable landing page via Stitch. It worked. They used it to build their own landing page to prove it. That is the trap — a tool that delivers real value invites zero suspicion, and the working functionality was the cover for everything underneath it.
Two signals decide whether people trust a skill: its GitHub star count and a clean scanner verdict. AIR forged both.
The stars came free. Most plugin marketplaces are just GitHub repos bundling other people’s plugins, and many take open contributions. AIR found one called agents — about 36,000 stars, 156 skills, a welcoming contribution policy — opened a pull request, and waited. It got merged. The moment it did, brand-landingpage was wearing the reputation of roughly 37,000 stars it had earned none of.
Distribution came from a single Instagram ad aimed at marketers, salespeople and designers — the non-technical crowd now finding AI tooling through social feeds instead of developer channels. They installed it and put it to work.
There is a whole product category built to catch malicious skills, and AIR’s skill passed all of it: Cisco’s scanner, Nvidia’s, and every scanner wired into skills.sh. No bug was involved. They exploited the design assumption every one of these tools shares.
Scanners read the submitted package — the SKILL.md and the files shipped with it — through static heuristics and an LLM pass. But a skill’s real content isn’t confined to those files. Skills constantly send the agent out to an external URL for documentation, an API reference or a setup guide, and tell it to read and follow whatever is there. The agent treats that fetched content with the same authority as the skill. So the scanner reviews a fraction of what the skill actually does and signs off on the rest sight unseen.
brand-landingpage carried no setup instructions of its own. It told the agent to install a “Stitch SDK” by following documentation linked in the skill’s footer at stitch-design.ai. That domain belongs to AIR. Google’s real Stitch is at stitch.withgoogle.com — a lookalike no non-technical installer is going to scrutinise. AIR initially pointed it at the genuine Stitch docs, so scanners saw a clean package referencing a plausible, harmless setup page and cleared it. The malicious content simply wasn’t present at scan time, because it lived behind a link the scanner neither controls nor revisits.
Once the skill was vetted, starred, downloaded and live across multiple marketplaces, AIR swapped the page behind stitch-design.ai. The replacement told every agent that fetched it to download and run a script. Here it only harvested an email; the same foothold could read local files, exfiltrate data, or pivot into any internal system the agent could reach, capped only by the agent’s permissions. Victim emails started arriving within a short window. The installed package never changed. The instructions it pointed at did.
The 26,000 figure, the corporate-account claim and the “we could have owned every agent” line are all AIR’s own, unverified, and the firm is launching a managed skill marketplace it pitches at the end of the same write-up. There is an obvious incentive to make the result hit hard.
The method survives the scepticism regardless. Trail of Bits demonstrated the identical structural weakness three weeks earlier — clean package, externally hosted payload, swap after review. Anthropic’s own docs warn that skills fetching external URLs are dangerous for exactly this reason: the content can change after vetting. Real campaigns have run the trick for months. Whether the true count is 26,000 or a tenth of it, the hole is real and nobody has patched it, because it isn’t a bug to patch — it is how one-time static scanning works.
Skills are software, and the controls that work are the ones you already apply to third-party software. Specifically:
Scan the destinations, not just the package. Any review has to account for every external URL a skill sends the agent to, because that is where the payload hides. A verdict based on bundled files alone is, by AIR’s own phrasing, irrelevant by design.
Treat a clean scan as perishable. A check at install proves nothing about what an external dependency serves a week later. Re-validate linked content on a schedule and on change; pin versions so a swapped dependency forces another review.
One managed entry point. Staff pull skills from marketplaces, GitHub, a colleague’s copy-paste — none of which give you an inventory or a kill switch. Route everything through a single source you control, where each skill is approved before it runs.
Least privilege on every agent. A compromised skill inherits exactly the access its host agent has. Narrow that, and you cap the blast radius before anything goes wrong.
The unglamorous first step is inventory: knowing which skills, MCP servers and add-ons are running across the business today and what each can reach. Most organisations cannot answer that question right now, and the staff installing these tools — marketers, analysts, designers running agents with real autonomy over real data — went through no review to do it. That is the exposure. The skill that passes every check and then changes its mind is only dangerous because the pipeline feeding it was never governed in the first place.
AIR’s full account is in their write-up, “The Story of Skills”, on the AIR site.
