A fake AI agent skill passed every security scanner and reportedly reached 26,000 agents


TL;DR

Security firm AIR got a fake skill past every major scanner and says it reached 26,000 agents by swapping an external URL after the scan cleared.

Security firm AIR built a fake AI agent skill, pushed it through a popular skill marketplace and promoted it with an Instagram ad, and says it reached roughly 26,000 agents, including some on corporate accounts. Every skill security scanner the firm tested it against marked it safe. The payload was harmless by design, collecting only the user’s email address, but AIR says a real attacker could have used the same foothold to read files, move data, or hit internal systems.

The skill, called brand-landingpage, claimed to build a landing page using Google’s Stitch design tool and was aimed at non-technical users. To make it look credible, AIR went after two trust signals that the ecosystem still treats as proof of safety: GitHub stars and a clean scanner verdict.

For the stars, it opened a pull request to a skill marketplace repository with around 36,000 stars and 156 skills. The pull request was merged after a few days, so the skill inherited the repository’s star count. Then AIR ran an Instagram ad targeting marketers, salespeople, and designers, who installed it and put it to work.

The scanners AIR tested analyse the package you hand them, meaning the skill definition file and anything shipped with it. That includes tools from Cisco, NVIDIA, and the ones built into the major skill registries. AIR’s skill carried no malicious setup instructions of its own but told the agent to install the “Stitch SDK” by following documentation at an external link it controlled, not the genuine Google domain.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

At first, the link led to the real Stitch documentation, so the scanners saw a clean package pointing at a plausible setup page and cleared it. The page the agent would actually fetch and follow sat outside the scan. Once the skill was installed widely, AIR swapped the page behind that link to one that told the agent to download and run a script.

The technique is not new. Three weeks before AIR published its results, Trail of Bits bypassed ClawHub’s malicious-skill detector, Cisco’s scanner, and all three scanners built into the major skill registries. Its conclusion was that a scanner checks a fixed package while an attacker can keep tweaking the payload until it passes.

Real campaigns have used the same trick for months, keeping the submitted skill clean and hosting the payload on a site the agent only fetches at install time.

The problem is structural. The scan happens once, but the page a skill points the agent to can be rewritten at any time afterward. Anthropic’s own documentation warns that skills fetching external URLs are risky for exactly this reason, since the content can change after the skill is vetted.

Separate research this year found that seven major scanners agree on fewer than one in five hundred of their combined flags, because each one judges a skill in isolation, blind to external links and to what changes after review.

The scale figures come from AIR alone and deserve a sceptical read. The firm is launching a managed skill marketplace and closes its write-up pitching it, so the 26,000 number, the corporate-account detail, and the claim that it could have seized full control of every agent are not independently confirmed. What holds up is the method: the named scanners really do judge only the submitted package, the external-link blind spot is real and has been independently demonstrated, and the trust signals AIR borrowed, stars and a clean scan, are exactly the ones the ecosystem still treats as proof.

The experiment lines up every weak trust signal around agent skills into one run: stars that can be borrowed, a scan that reads a snapshot, and a link that can be rewritten after the check clears. Whether the real figure is 26,000 or a fraction of it, the gap it walks through is one that defenders still have not closed.

For security teams, the immediate takeaway is the same one researchers keep landing on: treat skills as software, not text, and vet what a skill points to, not just what ships inside it. Route new skills through a single source you control, re-check them when anything changes, pin versions, and hold agents to the least privilege.



Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


Microsoft has spent the last several years pushing Copilot and new user interface designs, which has meant that several great features included with Windows don’t get the recognition that they deserve. These are some of my favorites that will run on any Windows 11-compatible PC.

Clipboard history remembers everything you copy

Win+V replaces one of the oldest frustrations in computing

Windows’s default clipboard has been a source of minor but constant annoyance: it holds exactly one thing. If you copy something new, the previous item is wiped out. It is enough of a problem that multiple third-party apps were created to address the shortcoming.

Now, Windows has Clipboard History built in, though it isn’t enabled by default. To turn it on, press Windows+i, then navigate to System > Clipboard, and click the toggle next to Clipboard history.

Once it is enabled, you can press Win+V to view up to 25 items in your clipboard history, including text, images, and links.

If you have specific pieces of information you use daily—like an email signature, a common code snippet, or a home address—you should pin up some of those items. Pinned items persist between system reboots and clipboard history clears, which means you never have to hunt to find something when you need it.

You can even enable sync in the Clipboard settings, allowing your copied text to follow you between different PCs signed in to the same Microsoft account. Once you get into the habit of using Win+V, the standard copy-paste function will feel useless by comparison.

Voice typing actually works now

Win+H lets you write with your voice

Notepad with Windows Voice Typing popup visible.

Windows dictation software has a reputation for being clunky and difficult to use, but that isn’t the case anymore. Thanks to the improvements in AI that we’ve seen since 2024, voice typing accuracy has improved significantly, especially for technical vocabulary. You don’t have to spend your time manually fixing formatting either. The tool supports punctuation commands like “period,” “new line,” and “question mark,” which prevents your text from turning into a rambling mess.

To use voice typing, press Windows+H anywhere there is a text field.

While it isn’t a full replacement for high-end professional software, it is free, built-in, and more than good enough for long-form writing, taking down a sudden idea, or writing quick messages when your hands are full.

Snap layouts make window management effortless

Hover over the maximize button and pick a layout

Notepad with the Windows Snap Layout window visible.

You can manually drag windows to the edges of your screen to split your display up, but you’re doing more work than is necessary in most cases. Windows’ Snap Layouts allow you to instantly arrange your Windows into predefined halves, thirds, or quarters. Just hover over the maximize button on any window or press Win+Z.

One of the most practical aspects of this system is the Snap Group. If you snap a browser and a document side-by-side, Windows remembers them as a pair. When you Alt+Tab, you can bring the entire group back together.

Live captions transcribe any audio on your device

Real-time subtitles for anything you’re watching

You can enable real-time subtitles for any audio playing through your speakers by going to Settings > Accessibility > Captions, or by pressing Win+Ctrl+L. The audio is processed locally on your device; nothing is sent to the cloud, which is critical if you’re privacy conscious or if whatever you’re captioning demands confidentiality.

I’ve mostly taken to using it when it is too hot to wear my headphones. I can just toggle it on and keep watching without disrupting anyone around me.

There are some hardware requirements you need to meet. Basic same-language captioning works on any Windows 11 PC running 22H2 and up, but if you want real-time translation, you will need Copilot+ hardware with an NPU and at least Windows 11 24H2.


The NZXT Capsule Elite USB microphone sitting on a desk.


Windows 11’s voice typing convinced me to skip Wispr Flow and other premium apps

Windows lets me turn my rambling thoughts into notes without typing anything.

Dynamic Lock locks your PC when you walk away

Pair your phone via Bluetooth and your computer can lock itself automatically

I can’t count how many times I’ve stepped away from my PC only to think, “Dang, I forgot to lock my PC.”

Fortunately, Windows has an easy way to handle that automatically by pairing your phone with your PC. When your phone gets out of range (about 20 feet in my house, though your wall materials and layout will affect that), your computer will automatically lock after about 30 seconds. There is no need to install a separate app on your phone, the setup just uses the Bluetooth connection itself. While the 30-second delay means it isn’t a guarantee no one can access my PC, it does mean it won’t remain unlocked if I step away for a long time.

I especially like this feature when I’m working on my laptop in public.

You can enable Dynamic Lock by navigating to Settings > Bluetooth & devices and pairing your phone, then enabling Dynamic Lock in Settings > Accounts > Sign-in options.


Microsoft includes tons of great tools if you dig for them

These tools aren’t alone either. There are tons of practical tools buried in Windows, unappreciated and underutilized.

Each of these tools takes less than a minute to enable, but they can make a significant difference in your day-to-day workflow. It is worth the small investment of time to find them and set them up.

If you’re looking for even more advanced customization options, I’d recommend checking out Microsoft PowerToys. It gives you a huge range of fantastic tools that make Windows much more pleasant to use.



Source link