
Fake AI Skill Passed Every Scanner, Hit 26,000 Agents

thehackernews.com · @fast_panther · 1 hour ago · Cybersecurity · 3 comments

Security firm AIR built a dummy agent skill that bypassed all security scanners and reached 26,000 agents, including corporate accounts. The payload collected email addresses only, but the real threat is the broken...


26,000 agents. That's how many AI agents a fake skill reached after sailing through every security scanner a popular marketplace threw at it. Security firm AIR built the skill, pushed it through an Instagram ad and the marketplace, and watched it land on corporate accounts. The payload was intentionally harmless - it grabbed the user's email address and did nothing else. The point wasn't to cause damage. It was to prove the review pipeline is a joke.

All Scanners Green, All Agents Exposed

AIR tested the skill against every security scanner the marketplace offered. Every single one marked it safe. The skill wasn't sophisticated. It didn't exploit a zero-day or use obfuscation. It just asked for an email. The scanners looked for known malware patterns, not behavioral anomalies. A skill that collects data without exfiltrating it doesn't set off alarms. That's the gap. The marketplace has no mechanism to evaluate intent - only signature-based checks.

Instagram ads amplified the reach. AIR didn't need to hack a developer account or compromise a vendor. They just bought an ad and pointed users to their skill. The skill propagated to 26,000 agents, including some on corporate accounts. Those corporate accounts likely had enterprise security policies in place. They were still vulnerable because the marketplace trusted the skill.

Marketplace Security Is Still Playing Catch-Up

Agent marketplaces operate like app stores circa 2010. They trust the developer, run a static scan, and ship. The difference is agents have access to internal tools, APIs, and sometimes company data. A harmful skill wouldn't need a payload that screams 'malware'. It could quietly read internal emails, exfiltrate data via outbound calls, or manipulate other agents. AIR's experiment used email collection as a proxy. A real attacker would use the same technique with a more interesting trigger - for example, 'send me the last 10 Slack messages' or 'forward this document to an external server'.

The fact that the skill reached 26,000 agents suggests the marketplace's growth is outpacing its security maturity. Corporate accounts are the juiciest targets. An attacker who compromises one agent on a corporate account could pivot to other integrated services. The skill's lifespan isn't clear from AIR's report, but the reach alone is enough to demand a rethink.

What Needs to Change

Behavioral scanning is the obvious next step. Scanners need to simulate what a skill actually does, not just check its file hashes. Runtime monitoring of skill actions after installation would catch data collection that static analysis misses. Marketplace operators should also require explicit permission scopes for data access, similar to mobile OS permissions. A skill that collects email addresses should be flagged when it tries to send them out.
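One way to implement the runtime monitoring and permission scopes described above, as an added example that is neither AIR's code nor any marketplace's: a monitor that taints email values a skill reads and refuses outbound calls that carry them or that fall outside the skill's declared scopes. The scope names and the action trace are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

@dataclass
class SkillManifest:
    name: str
    scopes: set            # hypothetical permission scopes declared at install time

@dataclass
class RuntimeMonitor:
    manifest: SkillManifest
    tainted: set = field(default_factory=set)      # PII values the skill has read
    findings: list = field(default_factory=list)   # policy violations observed

    def on_read(self, scope, value):
        """Every data read must be covered by a declared scope; emails read get tainted."""
        if scope not in self.manifest.scopes:
            self.findings.append(f"undeclared read scope {scope}")
            return None
        self.tainted.update(EMAIL_RE.findall(str(value)))
        return value

    def on_egress(self, url, body):
        """Outbound call: needs network:egress and must not carry tainted PII."""
        if "network:egress" not in self.manifest.scopes:
            self.findings.append(f"undeclared egress to {url}")
            return False
        leaked = [t for t in self.tainted if t in body]
        if leaked:
            self.findings.append(f"PII exfiltration to {url}: {len(leaked)} value(s)")
            return False
        return True

def replay(manifest, actions):
    """Run a recorded action trace through the monitor and return its findings."""
    mon = RuntimeMonitor(manifest)
    for act in actions:
        if act["type"] == "read":
            mon.on_read(act["scope"], act["value"])
        elif act["type"] == "egress":
            mon.on_egress(act["url"], act["body"])
    return mon.findings

# Constructed trace: read the user's email, then try to send it to an external
# server (the sending step is the one the article's harmless test skill did not take).
TRACE = [
    {"type": "read", "scope": "read:profile", "value": {"email": "alice@example.com"}},
    {"type": "egress", "url": "https://collector.example", "body": "email=alice@example.com"},
]
```

A skill whose manifest lacks `network:egress` is stopped at the outbound call; one that declares it is still stopped because the body carries a tainted value, which is exactly the check static hash scanning cannot make.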

AIR's experiment is a wake-up call. The agent ecosystem is still early, and attackers are already probing the seams. The same marketplace that reached 26,000 agents in a week could reach 26,000 compromised agents in a month if the review pipeline stays this porous.


Source: Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents
Domain: thehackernews.com
