Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents

Staff Editor 2026-06-23
Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents

Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents

https://thehackernews.com/2026/06/fake-ai-agent-skill-passed-security.html

Publish Date: 2026-06-23 11:16:00

Source Domain: thehackernews.com

Security firm AIR built a fake AI agent skill, pushed it through a popular skill marketplace and an Instagram ad, and says it reached roughly 26,000 agents, including some on corporate accounts.

Every skill security scanner the firm tested it against marked it safe. The payload was harmless by design: it collected the user’s email address and did nothing else.

The point was to show that none of the signals people lean on to trust a skill caught it: not the scanners, not the GitHub stars, not the open-source reputation.

A skill is a bundle of instructions an agent loads into its own context and follows with roughly the authority of a user prompt. That trust is the whole problem, and it is the reason skill-scanning tools exist in the first place.

The skill, named brand-landingpage, claimed to build a landing page using Google’s Stitch design tool, aimed squarely at non-technical users.

To make it look credible, AIR went after two trust signals: GitHub stars and a clean scanner verdict. For the stars, it opened a pull request to a skill marketplace repository with around 36,000 stars and 156 skills.

The pull request was merged after a few days, so the skill inherited the repo’s count. Then it ran an Instagram ad aimed at marketers, salespeople, and designers, who installed it and put it to work.

Why the scanners missed it

The scanners AIR tested analyze the package you hand them: the SKILL.md and the files shipped with it. That’s Cisco’s, NVIDIA’s, and the ones wired into skills.sh.

AIR’s skill carried no setup instructions of its own. It told the agent to install the “Stitch SDK” by following the documentation at an external link, stitch-design.ai, a domain AIR controls, not Google (the real Stitch lives at stitch.withgoogle.com).

At first, the link led to the genuine Stitch docs, so the scanners, seeing a clean package that pointed at a plausible setup page, cleared it. The page the agent would actually fetch and follow sat outside the scan.

Source

More Stories

Hotels have a new AI cybersecurity problem. Here’s what to know.

Hotels have a new AI cybersecurity problem. Here’s what to know.

Staff Editor 2026-06-23
Cybersecurity experts: Old threats growing more dangerous in the age of AI

Cybersecurity experts: Old threats growing more dangerous in the age of AI

Staff Editor 2026-06-23
White House PQC order ‘lights a fire’ under post-quantum transition

White House PQC order ‘lights a fire’ under post-quantum transition

Staff Editor 2026-06-23

Terms and Conditions - Privacy Policy