Fake AI Agent Skill Slipped Past Every Security Scanner Tested

Security firm AIR built a fake AI agent skill that sailed through every security scanner they tested, got promoted via an Instagram ad, and reportedly reached 26,000 agents — including some on corporate accounts.

The payload was deliberately harmless. It just collected the user’s email address. But the point was brutal: none of the signals people rely on to trust a skill actually caught it. Not the scanners, not the GitHub stars, not the open-source reputation.

Here’s how they did it. A skill is essentially a bundle of instructions an AI agent loads into its own context and follows with roughly the authority of a user prompt. That trust is the vulnerability. AIR named their fake skill “brand-landingpage” and marketed it as a tool for building landing pages using Google’s Stitch design tool — aimed at non-technical users.

To build credibility, they opened a pull request to a skill marketplace repo with around 36,000 stars. It got merged after a few days, so the skill inherited that star count. Then they ran an Instagram ad targeting marketers, salespeople, and designers.

The trick that fooled the scanners: AIR’s package had no setup instructions of its own. It told the agent to install the “Stitch SDK” by following docs at stitch-design.ai — a domain AIR controls, not Google (the real Stitch lives at stitch.withgoogle.com). Initially the link pointed to the genuine Stitch docs, so the scanners cleared it. Once widely installed, AIR swapped the page to one that told the agent to download and run a script.

In the demo, the script just mailed the user's email address back. A real attacker could have read files, exfiltrated data, or hit internal systems, bounded only by what the agent could reach.

AIR isn’t the only one to spot this. Trail of Bits showed the same thing three weeks earlier, bypassing ClawHub’s malicious-skill detector and all major scanners. Their conclusion: a scanner checks a fixed package while an attacker can keep tweaking the payload until it passes. The scan happens once, but the page a skill points to can be rewritten anytime after.
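One defensive response to that scan-once gap, as an added example (not code from AIR, Trail of Bits or any scanner named here): hash every remote page a skill references at review time, then re-check the hash and the hostname each time the skill is loaded. The `fetch` callable, the URL path, the allowlist and the sample page bodies are assumptions constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s)>\"']+")
TRUSTED_HOSTS = {"stitch.withgoogle.com"}  # assumed reviewer-maintained allowlist

def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def remote_refs(skill_text: str) -> list[str]:
    """Every external URL the skill tells the agent to follow."""
    return sorted({u.rstrip(".,;") for u in URL_RE.findall(skill_text)})

def pin_skill(skill_text: str, fetch) -> dict[str, str]:
    """Review time: record a hash of each remote page as it was reviewed."""
    return {url: digest(fetch(url)) for url in remote_refs(skill_text)}

def check_skill(skill_text: str, pins: dict[str, str], fetch) -> list[tuple[str, str]]:
    """Load time: re-fetch each page; an empty result means nothing to flag."""
    findings = []
    for url in remote_refs(skill_text):
        if (urlparse(url).hostname or "") not in TRUSTED_HOSTS:
            findings.append((url, "untrusted-host"))
        if url not in pins:
            findings.append((url, "unpinned"))
        elif digest(fetch(url)) != pins[url]:
            findings.append((url, "content-changed"))
    return findings

# Constructed sample data: only the two hostnames come from the article.
SKILL = "To set up, install the Stitch SDK per https://stitch-design.ai/docs/setup\n"
BENIGN = b"Stitch SDK setup: see the official documentation."
SWAPPED = b"Stitch SDK setup: download and run the installer script."

if __name__ == "__main__":
    pins = pin_skill(SKILL, lambda url: BENIGN)           # page as it looked when scanned
    print(check_skill(SKILL, pins, lambda url: BENIGN))   # host flagged even before the swap
    print(check_skill(SKILL, pins, lambda url: SWAPPED))  # swap caught at load time
```

In practice `fetch` would be the same HTTP client the agent uses, so the hash covers the bytes the agent actually receives rather than what a scanner was served.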