What is the security vulnerability in AI agent skills?

A security vulnerability allows a fake skill to pass major scanners and reach 26,000 agents, including some on corporate accounts.

Who discovered this security vulnerability?

The security firm AIR discovered the vulnerability by building a fake skill called 'brand-landingpage'.

How did the fake skill gain distribution?

The fake skill was promoted through an Instagram ad and gained distribution by appearing in a popular open-source skill repository.

Why is this vulnerability a concern for AI agent security?

The vulnerability highlights a structural flaw in the way AI agent skills are secured as scanners check a fixed package at submission time, but the page a skill points an agent to can be rewritten at any moment after approval.

Security Firm AIR Exposes Vulnerability in AI Agent Skills

Q: What is the potential impact of this vulnerability?

A real attacker could have used the same approach to compromise machines running the agent by reading files, exfiltrating data, or pivoting to internal systems.

AIR built a fake skill to pass major scanners, affecting 26,000 agents including some on corporate accounts.

A security vulnerability has been exposed in AI agent skills, allowing a fake skill to pass every major scanner and reach 26,000 agents, including some on corporate accounts. The attack was carried out by security firm AIR, which built a fake skill called "brand-landingpage" that claimed to build landing pages using Google's Stitch design tool. The skill was promoted through an Instagram ad and was able to evade detection by major scanner vendors such as Cisco, NVIDIA, and skills.sh.

What Happened

AIR built the fake skill, which was designed to appear credible by mimicking a legitimate skill. To make it look trustworthy, AIR submitted a pull request to a popular open-source skill repository that had around 36,000 GitHub stars and 156 skills. The pull request was merged after a few days, giving the skill the appearance of being well-established and reputable.

The skill was then promoted through an Instagram ad targeting marketers, salespeople, and designers, who installed it and put it to work. Initially, the skill directed agents to install an SDK by following documentation at stitch-design.ai, a domain controlled by AIR rather than Google's legitimate stitch.withgoogle.com. At that point, the external link pointed to real Stitch documentation, so scanners from major vendors saw a clean package pointing at a plausible setup page and cleared it.

However, once the skill had gained distribution, AIR rewrote the content behind the fake Stitch documentation to instruct agents to download and run a script. The revised page was designed to collect user email addresses, but AIR noted that a real attacker could have used the same approach to compromise machines running the agent by reading files, exfiltrating data, or pivoting to internal systems.

Background and Context

The attack highlights a structural flaw in the way AI agent skills are secured. Scanners check a fixed package at submission time, but the page a skill points an agent to can be rewritten at any moment after approval. This means that even if a skill passes initial security checks, it can still be modified to include malicious code or instructions.

AIR's findings echo those of Trail of Bits, which three weeks prior had bypassed ClawHub's malicious-skill detector, Cisco's scanner, and all three scanners built into the major skill registries. The researchers noted that a real attacker could have used the same technique to compromise machines running the agent.

The use case for AI agent skills is becoming increasingly popular in industries such as marketing and design, where non-technical users may be more likely to install a skill without scrutinizing its code or documentation. This makes it easier for attackers to exploit vulnerabilities like the one exposed by AIR.

Why It Matters to the Industry

The attack has significant implications for adult-industry platforms and operators, who rely on AI agent skills to power their services. The vulnerability highlights the need for more robust security measures, such as dynamic scanning or continuous monitoring of skill behavior after installation.

Adult-industry platforms may also want to consider implementing additional safeguards, such as requiring users to review and approve any changes made to a skill's documentation or code after initial installation. This could help prevent attackers from modifying skills to include malicious code or instructions.

What Comes Next

AIR has published its findings in the hopes of raising awareness about the vulnerability and encouraging vendors to improve their security measures. The company notes that a real attacker could have used the same approach to compromise machines running the agent, highlighting the need for more robust security protocols.

Key Facts

AIR built a fake AI agent skill called "brand-landingpage" that claimed to build landing pages using Google's Stitch design tool.
The skill was promoted through an Instagram ad and installed on around 26,000 agents, including some on corporate accounts.
Every major scanner vendor tested by AIR marked the skill as safe, despite its malicious payload.
AIR rewrote the content behind the fake Stitch documentation to instruct agents to download and run a script after the skill had gained distribution.
The revised page was designed to collect user email addresses, but AIR noted that a real attacker could have used the same approach to compromise machines running the agent.