26,000 Agents Fooled by a Fake Skill

26,000 agents got compromised by a fake skill that sailed through security scanners. The trick? A mutable external link that pointed to benign code during review—and malware after approval.

The incident, reported by AI Red Team (AIR), exposes a fundamental flaw in how we vet AI agent skills today.

The scan-time blind spot

Current security scanners for AI agents inspect the submitted package. That’s the problem. If your skill manifest points to a remote URL for its actual implementation—something MCP servers and custom skills routinely do—the scanner sees whatever’s there at scan time, not what loads at runtime.

AIR built a fake skill that did exactly this: a clean codebase during submission, with the real payload swapped in later. It passed multiple named scanners, picked up stars and download counts, and reached 26,000 agents before the red team pulled it down.1

26,000 agents got compromised by a fake skill that sailed through security scanners. The trick? A mutable external link that pointed to benign code during review—and malware after approval.

The incident, reported by AI Red Team (AIR), exposes a fundamental flaw in how we vet AI agent skills today.

The scan-time blind spot

26,000 Agents Fooled by a Fake Skill

26,000 Agents Fooled by a Fake Skill

Other newsrooms on this story

Related reading

A fake AI agent skill passed every security scanner and reportedly reached…

Other newsrooms on this story

Related reading

A fake AI agent skill passed every security scanner and reportedly reached…

Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents

Fake AI Agent Skill Slipped Past Every Scanner and Reached 26,000 Agents

We security-graded 117,854 AI agent skills. Here's what we found.

Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code

For the 2nd time in weeks, Microsoft packages laced with credential stealer