A controlled security experiment revealed how a malicious AI agent skill named brand landingpage bypassed every major security scanner and secretly hijacked over 26000 corporate AI agents by exploiting trust in external documentation links.

Have you ever thought the small helpful skill you allow your AI agent to install can itself open path to your entire machine private conversations and internal tools. This not any fake scenario. One researcher proved it with his own hands. He built one skill in just one hour and gained control over more than 26000 AI agents while world most famous security scanners always declared it safe.

AI Agent Skill Supply Chain Attack Technical Explanation

This story comes from security research company air.security researcher Niv Hoffman. He wanted to prove how dangerously easy modern AI agent ecosystem makes skill installation. Anyone can publish any skill without gatekeeper. Any user installs it without proper verification

He choose Google new viral tool Stitch as target. Stitch lets people create landing pages without coding. He built one skill named brand landingpage. It claimed to create stunning marketing landing pages from basic information. Skill actually worked well and delivered good landing pages. This built user trust quickly.

Real work started after that. Researcher needed two trust signals to make skill look credible. First high star count on GitHub. Second safe certificate from popular skill scanners.

Instead of gaining stars himself he chose smart path. He found agents marketplace with over thirty six thousand GitHub stars and open contribution policy. He submitted pull request for his skill. After few days it got merged.

His malicious skill automatically received full star value and credibility of that repository.Once skill looked credible he promoted it through Instagram advertisement targeting marketers salespeople and designers. These non technical users trust AI tools quickly. They started installing skill in their agents. Everything spread rapidly within no time.

Real technical flaw hides at place where AI security scanners get designed. These scanners only check SKILL.md file plus bundled resources inside skill. But when skill sends agent to external documentation link these scanners never check that portion.

Researcher gave instruction in skill to install Stitch SDK but kept actual installation steps outside skill. He redirected them to external link which looked like stitch design ai while real Google domain remains stitch withgoogle com. Initially this link redirected to real Stitch site so every inspection looked harmless.

When skill gained enough popularity and user trust researcher changed content of that external link on his server. Now documentation instructs agents to download plus run malicious script. Since AI agents by their nature treat external documentation same as own content they execute script without any doubt.

In this experiment script only collected user email address then sent back to prove impact. Researcher clearly stated same technique could get used for arbitrary code execution data exfiltration or persistent access inside enterprise systems.

Final outcome revealed more than 26000 agents already installed this skill. These included agents connected to corporate environments. According to researcher if he wanted he could gain access to private conversations internal tools plus connected sensitive resources of every single agent. Even after all this no major security scanner detected malicious behavior in entire process.

AI Skill Malware Detection and Mitigation Security Guide

This incident actually exposes major supply chain risk in AI ecosystem. Unlike traditional software AI skills can change their behavior even after installation. Their real content stays not limited to bundled files only. It remains connected to whatever content sits behind any external link.One clean scan therefore shows only picture of that moment. Link content can change anytime in future.

For detection security teams must take first step to continuously monitor all outbound connections made by agents especially requests heading toward new or lesser known domains. Regular audit of all external URLs referenced inside skills also stays essential.

This helps check whether content of those domains changed over time or not. Any new script download or execution pattern from agent after skill installation that never formed part of normal behavior earlier serves strong red flag. Skill installation logs also need close tracking to know which agents install which third party skill

For mitigation most important step demands organizations never allow employees direct skill installation from open marketplaces. Instead one centralized managed entry point must exist where every skill passes official approval process.

This approval must work as continuous process not one time event. It must scan external dependencies repeatedly not just once at installation time. Limiting agent permissions also remains necessary so even if skill gets compromised attacker reach never extends to entire internal system.

Enterprises must include in their security policy that any unsanctioned add on or skill always passes review process before running in production environment. GitHub star count or marketplace popularity must never get treated as single trust signal because this incident proves star count itself can get manipulated. Most important point remains security concept no longer stays limited to installation moment only. It now becomes living continuous ongoing process.

This entire incident reminds that in world of AI agents trust serves biggest currency. Until we build this trust not on appearance or popularity but on continuous verification this threat will always keep finding new ways.