The security landscape is currently facing a silent crisis as AI agents become integrated into our daily workflows. Recently, the security firm AIR conducted a stark experiment that pulled back the curtain on how easily these digital tools can be compromised. They developed a fake AI agent skill—a digital plugin designed to help users create landing pages—and deployed it through a popular marketplace and targeted Instagram ads. Within a short window, the firm claims they reached approximately 26,000 agents, including those operating within secure corporate environments. The payload itself was harmless, merely collecting email addresses, but the implications are chilling: the experiment proved that despite our reliance on automated security scanners and “trust signals,” these systems are currently failing to protect us from sophisticated exploitation.
The fundamental flaw lies in how we perceive and verify these AI skills. When a user installs an add-on, they often look for social proof—like the number of stars on a GitHub repository or a “clean” badge from an automated security scanner. AIR’s experiment demonstrated that these signals are easily manipulated. By piggybacking on a trusted repository, they instantly inherited its reputation, and by submitting a clean package that pointed to a benign website, they easily bypassed automated scanners. These scanners, which are effectively the digital bouncers of the AI world, only inspect the static files submitted to them at a single point in time. They lack the foresight to see what an AI agent might be instructed to do once it reaches out to an external source, proving that current verification methods are built on a house of cards.
The “Achilles’ heel” of the current AI ecosystem is the reliance on dynamic external content. When a user installs a skill, the AI agent is essentially invited to follow instructions provided in a bundle. AIR’s fake skill contained no malicious code initially; instead, it instructed the agent to visit a website to install a “SDK.” Because the website initially contained legitimate documentation, the security scanners gave it a green light. However, once the skill was widely installed, the researchers simply swapped the website’s content to deliver a malicious script. This highlights a structural failure: security checks are performed at the moment of installation, while the risks are fluid and can be rewritten by an attacker at any time. This vulnerability isn’t theoretical; it has been independently observed by other cybersecurity firms, confirming that malicious actors are already weaponizing this gap between initial vetting and runtime execution.
This structural blind spot is compounded by the fact that different scanners often operate in isolation, completely unaware of the external web dependencies that drive modern AI agents. Anthropic and other industry leaders have previously warned that fetching external URLs is inherently risky, yet the industry continues to treat these skills as mere text prompts rather than what they truly are: executable software. Because these agents are granted broad access to user data and internal systems, a single “trusted” skill could serve as a Trojan horse. If a bad actor controls the website the agent visits, they can effectively bypass the safety guardrails, gain unauthorized access to sensitive files, and pivot into private corporate networks, all while the user remains completely oblivious.
Defending against this new breed of threat requires a complete shift in mindset. Organizations must stop viewing AI skills as harmless text-based shortcuts and start treating them as mission-critical software. This means moving beyond passive vetting; IT departments should be mandating strict control over which skills are allowed to run, requiring version pinning to ensure code doesn’t change unexpectedly, and enforcing the principle of least privilege. If an agent does not strictly need to access a specific document or system, it should not have the permissions to do so. Security teams must also implement continuous monitoring, acknowledging that a “safe” rating upon purchase or installation is not a permanent state of being in a world where external links can be hijacked in seconds.
Ultimately, while the figures reported by AIR should be approached with some skepticism—given the firm’s vested interest in selling its own security solutions—the core of their finding is undeniably valid. The experiment successfully lined up every weak trust signal in the ecosystem, exposing a reality that defenders have yet to effectively bridge. Whether the impact currently encompasses tens of thousands of agents or a smaller subset, the gate is wide open. The race is now on to build more resilient guardrails. Until we develop scanning technologies that can account for the dynamic, evolving nature of AI instructions, the burden of security will continue to fall on the shoulders of the users and administrators who must decide, often with little information, which tools are truly worthy of their trust.