The company AIR Security conducted an experiment that demonstrated a structural vulnerability in the skill ecosystem for AI agents: a fake skill passed all tested security scanners, including Cisco and NVIDIA tools, because the malicious logic was hosted on an external resource that the scanners do not analyze. The issue affects everyone using AI agents with pluggable skills from marketplaces: scanners check only the contents of the package at submission time, while the content behind external links can be replaced at any moment after the review. Organizations need to rethink how they trust agent skills and implement control over external dependencies.
Experiment mechanics
The skill named brand-landingpage was positioned as a tool for creating landing pages with Google Stitch and targeted non-technical users — marketers, salespeople, and designers. According to AIR, the researchers used two key trust signals to lend legitimacy:
- GitHub stars: the skill was added via a pull request to a popular marketplace repository with roughly 36,000 stars and 156 skills. Once the PR was merged, the skill inherited the reputation of the entire repository.
- Clean scanner verdict: the package contained no malicious code — only an instruction for the agent to install the “Stitch SDK” by following documentation at an external link.
The key element of the attack was the domain stitch-design.ai, controlled by AIR, not by Google (the real Stitch service is located at stitch.withgoogle.com). Initially, the address hosted authentic Stitch documentation, which led scanners to classify the package as safe. After the skill was distributed via Instagram ads, the page content was replaced with instructions directing the agent to download and execute a script.
A skill is a set of instructions that an agent loads into its context and executes with privileges comparable to a user request. As the Anthropic documentation notes, skills that access external URLs are risky precisely because the content at the link can change after passing review.
Why the scanners did not detect the threat
The tested scanners — Cisco skill-scanner, NVIDIA Skillspector, and the scanners integrated into skills.sh — analyze only the contents of the submitted package: the SKILL.md file and accompanying files. External resources referenced by the skill remain outside the scope of the review.
The problem is structural: the check is performed once at submission time, while the page the skill directs the agent to can be rewritten at any moment. This is a classic delayed payload swap pattern, well known in the context of software supply chain attacks.
Independent confirmation of the issue
The AIR experiment is not an isolated observation. Three weeks earlier, Trail of Bits published research in which they bypassed the ClawHub malicious skill detector, the Cisco scanner, and all three scanners integrated into skills.sh. Trail of Bits’ conclusion was straightforward: the scanner checks a fixed package, while an attacker can iteratively adjust the payload until it passes review.
A separate study showed that scanners often disagree in their assessments because each analyzes a skill in isolation, without accounting for external links and possible changes after the review.
Impact assessment and caveats
It is important to consider the publication context: AIR is launching its own managed skill marketplace and ends the report by promoting it. The claimed reach and details about corporate accounts have not been independently verified. The source material correctly notes that these figures should be read with appropriate skepticism.
However, the attack method has been independently confirmed and represents a real threat. Potential consequences in a malicious scenario include reading files, moving data, and accessing internal systems — within the permissions available to the agent. The highest risk is for organizations where employees independently install skills for AI agents without centralized control, especially in marketing, design, and sales departments, which were the target of the ad campaign.
Recommendations for defense
- Inventory: determine which skills are already installed and running in the organization’s agents. According to the researchers, most of them were installed without any review.
- Centralized control: route the installation of new skills through a single controlled source. Prohibit self-service installation of skills from public marketplaces.
- External dependency review: analyze not only the package contents but also all resources the skill references. Verify domain ownership.
- Revalidation: re-check skills whenever the associated external content changes. A clean result at installation time does not guarantee future safety.
- Version pinning: lock specific versions of skills and their dependencies.
- Least privilege: limit agents to the minimum necessary access rights. Assume that any external instruction loaded by an agent is executed with its privileges.
The AIR experiment did not uncover a new vulnerability in a specific product — it vividly demonstrated how several weak trust signals (borrowed GitHub stars, one-time package scanning, a rewritable external link) combine into a workable supply chain attack vector against AI agents. Organizations using agents with pluggable skills should immediately audit installed skills, implement control over external dependencies, and move to a model where a skill is treated as executable code rather than trusted text.
