🟠 High | Source: The Hacker News
Security firm AIR created a deliberately benign fake skill for AI agent platforms, distributed it via a skill marketplace and Instagram advertising, and observed it being installed by approximately 26,000 agents — including those on corporate accounts. Critically, every security scanner tested against the skill returned a clean verdict, demonstrating a significant blind spot in current AI agent supply chain security tooling. The research highlights how malicious actors could exploit the same distribution channels to deploy genuinely harmful payloads at scale.
Security Architect’s Take: Treat AI agent skill marketplaces with the same scrutiny as third-party software repositories — establish an approved skills allowlist and block unapproved marketplace installations at the platform policy level. Do not rely solely on automated skill security scanners; introduce manual review or vendor vetting processes for any skill granted access to corporate agent environments.
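An added illustration of the allowlist-plus-pinning gate recommended above (example code written for this digest, not from AIR or any agent platform): a skill is loaded only if it is allowlisted by name, pinned to the reviewed version and content hash, and sourced from an approved registry, so a scanner's clean verdict alone never authorises installation. All manifests, bodies and registry names are constructed, and the policy API is hypothetical.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample: the body of the one skill the org has reviewed and approved.
APPROVED_BODY = b"name: calendar-sync\nversion: 1.4.0\nentrypoint: sync.py\n"

def content_hash(skill_body: bytes) -> str:
    return hashlib.sha256(skill_body).hexdigest()

# Hypothetical org allowlist: skill name -> pinned version and content hash.
# Only the internal registry is an approved source; public marketplaces are not.
ALLOWLIST = {"calendar-sync": {"version": "1.4.0", "sha256": content_hash(APPROVED_BODY)}}
APPROVED_SOURCES = {"internal-registry"}

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)

def evaluate_install(manifest: dict, skill_body: bytes) -> Decision:
    """Policy gate run before an agent may load a skill.

    A clean scanner verdict is required but never sufficient on its own: the
    skill must also be allowlisted by name, pinned to the reviewed version,
    byte-identical to the reviewed content, and come from an approved source.
    """
    reasons = []
    if manifest.get("scanner_verdict") != "clean":
        reasons.append("scanner did not return a clean verdict")
    if manifest.get("source") not in APPROVED_SOURCES:
        reasons.append(f"source {manifest.get('source')!r} is not an approved marketplace")
    entry = ALLOWLIST.get(manifest.get("name"))
    if entry is None:
        reasons.append("skill is not on the approved allowlist (manual review required)")
    else:
        if manifest.get("version") != entry["version"]:
            reasons.append(f"version {manifest.get('version')!r} is not the pinned {entry['version']!r}")
        if content_hash(skill_body) != entry["sha256"]:
            reasons.append("content hash does not match the reviewed build")
    return Decision(allowed=not reasons, reasons=reasons)

if __name__ == "__main__":
    # Constructed manifests: a scanner-clean marketplace skill is still denied,
    # while the reviewed, pinned, internally sourced skill is allowed.
    unknown = {"name": "inbox-helper", "version": "0.1", "source": "public-marketplace", "scanner_verdict": "clean"}
    print(evaluate_install(unknown, b"name: inbox-helper\n"))
    approved = {"name": "calendar-sync", "version": "1.4.0", "source": "internal-registry", "scanner_verdict": "clean"}
    print(evaluate_install(approved, APPROVED_BODY))
```

A hash mismatch against the pinned build (for instance after a marketplace pushes an updated version) is treated as a new, unreviewed skill rather than silently accepted.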
Original advisory: Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents