◈ AI Security Intelligence ← Daily feed
Vulnerability  ·  2026-06-26

Malicious AI Agent Skill Bypasses Static Scanners via Mutable External Link — Reached 26,000 Agents (AIR Research, Jun 24 2026)

VulnerabilityHigh impactGlobal
What happened
Security firm AIR published research on June 24, 2026 demonstrating that a deliberately malicious AI agent skill ('brand-landingpage') passed security scanners from Cisco, Nvidia, and skills.sh and was merged into a popular open-source agent-skills repository (36,000 GitHub stars). The skill instructed agents to fetch installation instructions from an attacker-controlled domain (stitch-design.ai, mimicking Google's stitch.withgoogle.com). The domain initially redirected to the legitimate site, passing static review; after gaining distribution to ~26,000 agents (including corporate accounts), AIR changed the payload behind the domain to execute a script on the running agent's host. The script in the test collected only email addresses, but AIR confirmed the same technique could fully compromise machines running the agent.
Why it matters
This live experiment proves a systemic blind spot in current AI agent skill vetting: scanners analyse packaged files at review time but cannot detect payload changes made post-approval via mutable external URLs referenced by the skill. Any skill that points an agent to an external resource can be weaponised after trust is granted. Corporate accounts were among the 26,000 affected agents, meaning enterprise AI workflows were within attack reach. This is a supply-chain attack class specific to the emerging AI agent skills ecosystem.
Attack vector
Attacker submits a benign-appearing skill to a trusted repository; skill passes static security scans because malicious payload is hosted at an external domain that initially redirects legitimately; after distribution, attacker changes the external domain's content to deliver malicious scripts executed by the agent on the host
Affected systems
AI agent frameworks that consume SKILL.md-style skills from open-source repositories; any agent runtime that follows external URLs embedded in skill instructions
Mitigation
Pin external URLs in skills to content-hashes; continuously monitor external dependencies referenced by installed skills; treat AI skills as live third-party dependencies requiring runtime validation, not one-time static review. AIR blog: https://www.air.security/blog-posts/the-story-of-skills
Sources
CSO Online — How a malicious AI agent skill passed security checks and reached 26,000 users (Jun 24 2026)AIR Security Blog — The Story of Skills
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →