Fake AI Agent Skill Evades All Security Scanners, Reaches 26,000 Agents in Supply Chain Proof-of-Concept
Security firm AIR created a fake AI agent skill that passed every tested security scanner and reached roughly 26,000 agents via a popular marketplace and Instagram ad, exposing critical gaps in AI agent supply chain vetting.
Security firm AIR has demonstrated a troubling vulnerability in the AI agent ecosystem by creating a fake skill that bypassed every security scanner it was tested against and reached approximately 26,000 agents, including those on corporate accounts. The proof-of-concept skill was distributed through a popular skill marketplace and an Instagram advertisement, highlighting how easily malicious actors could infiltrate the rapidly growing AI agent supply chain.
The skill's payload was intentionally harmless—it collected only the user's email address—but the researchers designed it to prove a point: current vetting mechanisms are woefully inadequate. Every skill security scanner the firm tested marked the skill as safe, meaning a real attacker could have deployed a skill that exfiltrates sensitive data, executes unauthorized actions, or serves as a foothold for deeper compromise without detection.
The attack vector exploits the trust users place in skill marketplaces, which are increasingly central to AI agent ecosystems. As AI agents gain the ability to execute code, access files, and interact with other services, the risk of supply-chain attacks mirrors the software supply-chain crisis that has plagued traditional development. The AIR research demonstrates that the same class of problems—untrusted third-party components, insufficient vetting, and lack of runtime monitoring—now applies to AI agents.
AIR's findings come at a time when enterprises are rapidly deploying AI agents for tasks ranging from customer support to code generation. The ability to reach corporate accounts through a skill that evades security scanners means that attackers could potentially gain access to internal systems, steal proprietary data, or pivot to other targets within an organization. The Instagram ad component further underscores the sophistication of the distribution method, as social media platforms are not traditionally associated with AI agent skill distribution.
No specific CVE identifiers were assigned to this research, as it is a proof-of-concept rather than a vulnerability in a specific product. However, the implications are broad: any platform that hosts AI agent skills—whether from major tech companies or smaller providers—could be vulnerable to similar attacks. The research calls for industry-wide standards for skill vetting, including dynamic analysis, behavioral monitoring, and reputation systems.
In response to the findings, several skill marketplace operators have reportedly begun reviewing their security practices, though no immediate patches or mitigations have been announced. The AIR team recommends that organizations deploying AI agents implement strict access controls, monitor agent behavior for anomalies, and treat all third-party skills as untrusted until proven otherwise.
This proof-of-concept serves as a wake-up call for the AI industry, which has focused heavily on model safety and alignment but has paid less attention to the operational security of the ecosystems in which these models operate. As AI agents become more autonomous and more deeply integrated into business processes, the supply-chain risks highlighted by AIR will only grow more urgent.