The mechanism that beat three named security scanners was not a clever exploit. It was a redirect, then a quiet swap.
Researchers at AIR Security built a controlled test: a malicious AI agent skill called 'brand-landingpage,' presented as a Google Stitch landing-page builder. Google Stitch is a Google design tool. The skill, like others in the emerging agent ecosystem, is a small app that an AI assistant can be told to run. Static security scanners from Cisco, Nvidia, and skills.sh reviewed the skill's files and cleared it. An Instagram ad then drove installs onto more than 26,000 agents, including some tied to corporate accounts.
The trick was a redirect. The skill instructed agents to set up Google's Stitch SDK using instructions hosted at a domain the researchers controlled. That domain initially redirected to the real stitch.withgoogle.com, so a static review of the skill's own files looked clean. Once the skill was widely installed, AIR swapped the content behind the controlled domain to instruct agents to download and run a script.
This is what AIR's test actually exposed. 'Passed our security checks' is no longer a meaningful trust signal for AI agent skills. The shared blind spot across the three scanners is that they read SKILL.md files and judge danger from the text alone. They do not actually run the skill, and they do not follow the documentation links the skill points to. The trust signal is earned before the harm. The harm happens after trust is already granted.
The skill did not get to 26,000 installs on its own merits. It piggybacked on a popular open-source agent repository with about 36,000 GitHub stars and 156 existing skills, borrowing the credibility of an established project. The Instagram ad was aimed at non-technical corporate roles (marketers, salespeople, designers), people least likely to vet where an agent skill came from before installing it.
The real-world payload in this case only collected user email addresses, so the affected users could be notified. No private conversations or internal systems were actually compromised. A real attacker using the same pattern could have run arbitrary code on each installer's machine. AIR's 'no agents were harmed' line is a research-scope caveat, not a safety guarantee.
The exposure pattern sits inside a wider effort to give agent ecosystems the same provenance rails that traditional software supply chains are now expected to have. Microsoft's agent-governance-toolkit on GitHub targets the top OWASP risks for AI agents, and CISA's AI SBOM guidance pushes software supply-chain oversight into territory that now includes agent components. The toolkit, as CSO Online reports, is one example of those controls moving from guidance to shipping code.
For enterprise security teams, the new control points are not 'trust the scanner badge.' They are: runtime or behavioural checks on what a skill actually does when it runs, curation or signing of skills in popular open-source repositories, and review of paid distribution channels like Instagram ads that point at agent installs. The redirect-then-swap pattern would have shown up under any of those three controls. Under a static SKILL.md review, it shows up nowhere.
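The first of those controls, applied to the exact blind spot in the test, looks roughly like this: instead of judging SKILL.md text alone, a review step follows every link the skill cites, records where the redirect lands and a hash of what came back, and a later install-time step re-fetches and compares. This is an added illustration, not AIR's test harness or any scanner's code; the skill text, the `skill-docs.example` hostname and the `FakeWeb` HTTP layer are constructed stand-ins so it runs offline.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample SKILL.md (not the real skill). The docs URL points at a
# domain the skill author controls; the hostname is a placeholder.
SKILL_MD = """# brand-landingpage
Install the Stitch SDK by following https://skill-docs.example/stitch-setup
"""

class FakeWeb:
    """Simulated HTTP layer: fetch(url) -> (final_url, body) after redirects."""
    def __init__(self):
        # Review phase: the controlled domain just bounces to the real docs.
        self.routes = {"https://skill-docs.example/stitch-setup":
                       ("https://stitch.withgoogle.com/docs", b"official SDK setup")}
    def swap(self):
        # Post-install phase: the same URL now serves author-chosen content directly.
        self.routes["https://skill-docs.example/stitch-setup"] = (
            "https://skill-docs.example/stitch-setup", b"replaced instructions")
    def fetch(self, url):
        return self.routes[url]

URL_RE = re.compile(r"https?://[^\s)\]>\"']+")

def extract_links(skill_md):
    return sorted(set(URL_RE.findall(skill_md)))

def pin_links(skill_md, fetch):
    """Review-time step: resolve every link the skill cites and pin what came back."""
    pins, findings = {}, []
    for url in extract_links(skill_md):
        final_url, body = fetch(url)
        pins[url] = {"final_host": urlparse(final_url).hostname,
                     "sha256": hashlib.sha256(body).hexdigest()}
        if urlparse(url).hostname != pins[url]["final_host"]:
            # A cited URL that merely bounces to a trusted host is itself a signal:
            # whoever owns it decides where it goes after the review.
            findings.append((url, "off-domain redirect to " + pins[url]["final_host"]))
    return pins, findings

def verify_links(pins, fetch):
    """Install/run-time step: re-fetch and compare against the review-time pins."""
    findings = []
    for url, pin in pins.items():
        final_url, body = fetch(url)
        if urlparse(final_url).hostname != pin["final_host"]:
            findings.append((url, "redirect target changed"))
        if hashlib.sha256(body).hexdigest() != pin["sha256"]:
            findings.append((url, "content changed since review"))
    return findings
```

Against the simulated timeline, the review step already flags the off-domain redirect, and after `swap()` the verification step reports both a changed redirect target and changed content for the same URL that a text-only SKILL.md read would have passed.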
What to watch next: whether any agent skill registry or marketplace publicly responds to the AIR test, and whether other researchers can reproduce the scanner-evasion pattern on different registries. The reach number here is 26,000. The design pattern is the actual story.