← Back to blog

Malicious AI Agent Skill Bypasses Security Scanners, Reaches 26K Deployments

Security researchers demonstrated a critical gap in AI agent skill marketplaces by deploying a fake skill that evaded all security scanners and reached approximately 26,000 agents, including corporate deployments. The proof-of-concept highlights how current detection mechanisms fail to catch malicious agent capabilities before distribution.

TL;DR

  • A fake AI agent skill bypassed every security scanner tested and was distributed to ~26,000 agents via marketplace and social media
  • The payload collected user email addresses undetected, proving current security tools have significant blind spots
  • Corporate accounts were among the affected deployments, indicating enterprise risk exposure
  • AI skill marketplaces lack adequate vetting mechanisms comparable to traditional app store security standards

Security researchers at AIR have exposed a significant vulnerability in AI agent skill distribution channels by successfully deploying a malicious skill that bypassed every security scanner in the marketplace ecosystem. The proof-of-concept skill reached approximately 26,000 agent deployments, including installations on corporate accounts, before being disclosed.

The experiment revealed that current security scanning tools lack the sophistication to detect harmful agent capabilities. The researchers' payload was intentionally benign—collecting only email addresses—but the ease with which it evaded detection demonstrates a critical gap in supply chain security for AI agent ecosystems.

This finding raises urgent questions about the security maturity of AI agent marketplaces and the adequacy of current vetting processes for third-party skills and integrations.

How the Malicious Skill Bypassed Detection

  • Every security scanner tested marked the fake skill as safe despite containing a data collection payload
  • The skill was distributed through both the official marketplace and Instagram advertising channels
  • Detection evasion suggests scanners rely on signature-based or shallow behavioral analysis rather than deep capability inspection
  • The proof-of-concept demonstrates attackers can likely craft more sophisticated payloads that would also pass current checks

Enterprise and Supply Chain Risk Implications

  • Corporate accounts were among the 26,000 affected deployments, indicating enterprise-level exposure
  • AI agent skills function similarly to plugins or extensions, making them a high-value attack vector for credential harvesting and data exfiltration
  • Organizations lack visibility into which third-party skills are installed across their agent deployments
  • Current marketplace vetting processes are insufficient compared to security standards in traditional software distribution channels

Recommended Security Practices

  • Implement strict allowlisting policies for approved AI agent skills in enterprise environments
  • Require additional security review and sandboxing for skills accessing sensitive data or user information
  • Establish monitoring and logging for all skill installations and data access patterns
  • Demand that marketplace operators implement multi-layer security scanning and human review processes

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

Malicious AI Agent Skill Bypasses Security Scanners, Reaches 26K Deployments — Agent Breach Blog | Agent Breach