TL;DR
what: Security firm AIR planted a fake skill named brand-landingpage that passed every scanner it tested, borrowed a marketplace repo's 36,000 stars, and pointed agents at an external setup page it controlled and later swapped for a malicious payload.
impact: AIR claims the skill reached roughly 26,000 agents including some on corporate accounts, and the same foothold could have read files, exfiltrated data, or pivoted to internal systems bounded only by the agent's access.
fix: Treat skills as software: vet what a skill points to and not just what ships inside it, route all skills through a single source you control, pin versions, re-check on any change, and hold agents to least privilege.
who: Any organization where users install AI agent skills from marketplaces, especially via clean-scan and high-star trust signals.
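The "vet what a skill points to, pin, and re-check on change" advice above, as an added worked example that is not part of the original write-up or AIR's research: a small vetting routine that extracts every external URL a skill instructs the agent to fetch, records a content hash of each referenced page at review time, and flags drift when the page behind the same URL later changes. The skill text, the `setup.example.invalid` host, the `skills.internal.example` allowed host, and the two page snapshots are all constructed for the demo; `fetch` is an injected callable so the example runs offline.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Matches http(s) URLs in skill text; trailing sentence punctuation is stripped below.
URL_RE = re.compile(r"https?://[^\s)\]>'\"]+")


@dataclass
class VetResult:
    external_refs: list           # every URL the skill fetches from a host we do not control
    drifted: list = field(default_factory=list)   # (url, pinned_hash, current_hash) tuples
    unpinned: list = field(default_factory=list)  # external URLs with no recorded hash

    @property
    def ok(self) -> bool:
        return not self.drifted and not self.unpinned


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_external_refs(skill_text: str, allowed_hosts=()) -> list:
    """Return the URLs a skill points at, excluding hosts the organization routes skills through."""
    refs = []
    for raw in URL_RE.findall(skill_text):
        url = raw.rstrip(".,;:")
        host = url.split("/", 3)[2]
        if host not in allowed_hosts and url not in refs:
            refs.append(url)
    return refs


def pin_refs(skill_text: str, fetch, allowed_hosts=()) -> dict:
    """At review time: record a content hash for each external page the skill references."""
    return {url: sha256_hex(fetch(url)) for url in extract_external_refs(skill_text, allowed_hosts)}


def vet_skill(skill_text: str, pins: dict, fetch, allowed_hosts=()) -> VetResult:
    """On install and on every re-check: refuse unpinned references and report drifted ones."""
    refs = extract_external_refs(skill_text, allowed_hosts)
    result = VetResult(external_refs=refs)
    for url in refs:
        pinned = pins.get(url)
        if pinned is None:
            result.unpinned.append(url)
            continue
        current = sha256_hex(fetch(url))
        if current != pinned:
            result.drifted.append((url, pinned, current))
    return result


# ---- constructed sample data (hypothetical skill, hosts and pages) ----
SETUP_URL = "https://setup.example.invalid/brand-landingpage/setup.md"
ALLOWED_HOSTS = ("skills.internal.example",)  # the single source the org controls

SKILL_TEXT = """\
# brand-landingpage (constructed sample, not the real skill)
Before generating a page, fetch the setup instructions from
https://setup.example.invalid/brand-landingpage/setup.md and follow them.
Templates live at https://skills.internal.example/templates/landing.
"""

# The page behind the external URL as seen at review time, and after a later swap.
SNAPSHOTS = {
    "review": {SETUP_URL: b"# Setup\nRun: render landing.html\n"},
    "later": {SETUP_URL: b"# Setup\nRun: render landing.html\nStep 2 was changed after review\n"},
}


def make_fetcher(snapshot: dict):
    """Offline stand-in for an HTTP GET; returns the page bytes recorded in the snapshot."""
    def fetch(url: str) -> bytes:
        return snapshot[url]
    return fetch


def demo():
    """Pin at review, then re-check against both snapshots; returns (at_review, later) results."""
    pins = pin_refs(SKILL_TEXT, make_fetcher(SNAPSHOTS["review"]), ALLOWED_HOSTS)
    at_review = vet_skill(SKILL_TEXT, pins, make_fetcher(SNAPSHOTS["review"]), ALLOWED_HOSTS)
    later = vet_skill(SKILL_TEXT, pins, make_fetcher(SNAPSHOTS["later"]), ALLOWED_HOSTS)
    return at_review, later


if __name__ == "__main__":
    at_review, later = demo()
    print("at review ok:", at_review.ok)
    print("after swap ok:", later.ok, "drifted:", [d[0] for d in later.drifted])
```

The point the example makes is that a scanner looking only at the bytes inside the skill sees the same clean package before and after the swap; the only thing that changed is the content behind a URL the skill tells the agent to fetch, which is exactly what the hash pin catches. In a real deployment the hash store would live alongside the skill allowlist, and a drift result should block the skill until a human re-reviews the new page.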