{"id":735148,"date":"2026-06-24T04:50:27","date_gmt":"2026-06-24T01:50:27","guid":{"rendered":"https:\/\/buradabiliyorum.com\/en\/a-fake-ai-agent-skill-passed-every-security-scanner-and-reportedly-reached-26000-agents\/"},"modified":"2026-06-24T04:50:27","modified_gmt":"2026-06-24T01:50:27","slug":"a-fake-ai-agent-skill-passed-every-security-scanner-and-reportedly-reached-26000-agents","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/a-fake-ai-agent-skill-passed-every-security-scanner-and-reportedly-reached-26000-agents\/","title":{"rendered":"A fake AI agent skill passed every security scanner and reportedly reached 26,000 agents"},"content":{"rendered":"<div id=\"article-main-content\">\n<div class=\"postContent-tldr\">\n<h4 class=\"postContent-offsetTitle\"><span class=\"ez-toc-section\" id=\"TLDR\"><\/span>TL;DR<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p><em>Security firm AIR got a fake skill past every major scanner and says it reached 26,000 agents by swapping an external URL after the scan cleared.<\/em><\/p>\n<\/div>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/thehackernews.com\/2026\/06\/fake-ai-agent-skill-passed-security.html\" target=\"_blank\" rel=\"nofollow noopener\">Security firm AIR built a fake AI agent skill<\/a>, pushed it through a popular skill marketplace and promoted it with an Instagram ad, and says it reached roughly 26,000 agents, including some on corporate accounts. Every skill security scanner the firm tested it against marked it safe. The payload was harmless by design, collecting only the user\u2019s email address, but AIR says a real attacker could have used the same foothold to read files, move data, or hit internal systems.<\/p>\n<p>The skill, called brand-landingpage, claimed to build a landing page using Google\u2019s Stitch design tool and was aimed at non-technical users. 
To make it look credible, AIR went after two trust signals that the ecosystem still treats as proof of safety: GitHub stars and a clean scanner verdict.<\/p>\n<p>For the stars, it opened a pull request to a skill marketplace repository with around 36,000 stars and 156 skills. The pull request was merged after a few days, so the skill inherited the repository\u2019s star count. Then AIR ran an Instagram ad targeting marketers, salespeople, and designers, who installed it and put it to work.<\/p>\n<p>The scanners AIR tested analyse the package you hand them, meaning the skill definition file and anything shipped with it. That includes tools from Cisco, NVIDIA, and the ones built into the major skill registries. AIR\u2019s skill carried no malicious setup instructions of its own but told the agent to install the \u201c<em>Stitch SDK<\/em>\u201d by following documentation at an external link it controlled, not the genuine Google domain.<\/p>\n<p>At first, the link led to the real Stitch documentation, so the scanners saw a clean package pointing at a plausible setup page and cleared it. The page the agent would actually fetch and follow sat outside the scan. 
Once the skill was installed widely, AIR swapped the page behind that link to one that told the agent to download and run a script.<\/p>\n<p>The technique is not new. Three weeks before AIR published its results, Trail of Bits bypassed ClawHub\u2019s malicious-skill detector, Cisco\u2019s scanner, and all three scanners built into the major skill registries. Its conclusion was that a scanner checks a fixed package while an attacker can keep tweaking the payload until it passes.<\/p>\n<p>Real campaigns have used the same trick for months, keeping the submitted skill clean and hosting the payload on a site the agent only fetches at install time.<\/p>\n<p>The problem is structural. The scan happens once, but the page a skill points the agent to can be rewritten at any time afterward. Anthropic\u2019s own documentation warns that skills fetching external URLs are risky for exactly this reason, since the content can change after the skill is vetted.<\/p>\n<p>Separate research this year found that seven major scanners agree on fewer than one in five hundred of their combined flags, because each one judges a skill in isolation, blind to external links and to what changes after review.<\/p>\n<p>The scale figures come from AIR alone and deserve a sceptical read. The firm is launching a managed skill marketplace and closes its write-up pitching it, so the 26,000 number, the corporate-account detail, and the claim that it could have seized full control of every agent are not independently confirmed. 
What holds up is the method: the named scanners really do judge only the submitted package, the external-link blind spot is real and has been independently demonstrated, and the trust signals AIR borrowed, stars and a clean scan, are exactly the ones the ecosystem still treats as proof.<\/p>\n<p>The experiment lines up every weak trust signal around agent skills into one run: stars that can be borrowed, a scan that reads a snapshot, and a link that can be rewritten after the check clears. Whether the real figure is 26,000 or a fraction of it, the gap it walks through is one that defenders still have not closed.<\/p>\n<p>For security teams, the immediate takeaway is the same one researchers keep landing on: treat skills as software, not text, and vet what a skill points to, not just what ships inside it. Route new skills through a single source you control, re-check them when anything changes, pin versions, and hold agents to least privilege.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/thenextweb.com\/news\/fake-ai-agent-skill-security-scanners-bypassed-26000-agents\" target=\"_blank\" >Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>TL;DR Security firm AIR got a fake skill past every major scanner and says it reached 26,000 agents by swapping an external URL after the scan cleared. 
Security firm AIR built a fake AI agent skill, pushed it through a popular skill marketplace and promoted it with an Instagram ad, and says it reached roughly&#8230;<\/p>\n","protected":false},"author":1,"featured_media":735149,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/media.thenextweb.com\/2026\/06\/fake-ai-agent-skill-security-scanners-bypassed-26000-agents.avif","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-735148","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/735148","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=735148"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/735148\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/735149"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=735148"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=735148"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=735148"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}