AI News AI资讯 6d ago Updated 6d ago 更新于 6天前 51

Fake AI Agent Skill Slipped Past Every Scanner 虚假AI代理技能绕过所有扫描器

A fake AI agent skill named "brand-landingpage" bypassed static security scanners by hosting mutable payloads on an external domain, reaching over 26,000 users via Instagram ads. The attack exploited the gap between initial static review and runtime behavior, demonstrating that skills can change instructions after gaining trust and distribution. Current security scanners relying solely on static analysis of bundled files are insufficient, as they fail to detect dynamic content fetched from exter 安全公司AIR演示了一种恶意AI Agent技能,通过伪装成合法的Google Stitch工具,在Instagram上成功获取超26,000名用户并绕过主流安全扫描器。 攻击核心在于利用“动态依赖”风险:技能包本身静态安全,但指向的外部URL内容可在安装后更改,从而在运行时执行恶意代码或窃取数据。 现有基于静态启发式和LLM的扫描器无法检测这种延迟加载的恶意行为,表明当前的AI技能审核机制存在严重漏洞。 专家呼吁将AI技能视为“活着的第三方依赖”,需建立企业级库存管理、版本锁定及严格的运行时监控,而非仅依赖一次性审批。

75
Hot 热度
70
Quality 质量
72
Impact 影响力

Analysis 深度分析

TL;DR

  • A fake AI agent skill named "brand-landingpage" bypassed static security scanners by hosting mutable payloads on an external domain, reaching over 26,000 users via Instagram ads.
  • The attack exploited the gap between initial static review and runtime behavior, demonstrating that skills can change instructions after gaining trust and distribution.
  • Current security scanners relying solely on static analysis of bundled files are insufficient, as they fail to detect dynamic content fetched from external URLs post-installation.
  • Experts urge treating AI agent skills as "living third-party dependencies" requiring continuous validation, version pinning, and strict runtime controls rather than one-time approvals.

Why It Matters

This incident highlights a critical vulnerability in the current AI agent ecosystem where static security measures are inadequate for dynamic, internet-connected skills. It serves as a wake-up call for enterprises to rethink their supply chain security for AI, moving beyond simple prompt or file scanning to comprehensive lifecycle management. Understanding this risk is essential for preventing data exfiltration and unauthorized system access through seemingly benign third-party integrations.

Technical Details

  • Attack Vector: The malicious skill utilized a legitimate-looking GitHub repository with high reputation to gain trust, then directed agents to a fake domain (stitch-design.ai) that mimicked the official Google Stitch service.
  • Evasion Technique: The payload was not embedded in the static skill files but was hosted externally. The domain initially redirected to the legitimate site to pass static scans, then was updated to serve a script that collected user emails.
  • Scanner Failure: The skill passed static analysis from major security providers (Cisco, Nvidia, skills.sh) because these tools only analyzed the SKILL.md and bundled resources at the time of submission, missing the mutable external reference.
  • Runtime Exploitation: Once installed, the agent executed instructions fetched from the now-malicious external URL, demonstrating that behavior can diverge significantly from the initial static assessment.

Industry Insight

  • Shift to Continuous Validation: Security teams must implement continuous monitoring and runtime controls for AI skills, treating them as executable dependencies rather than static text files.
  • Supply Chain Governance: Enterprises should establish strict inventories of AI skills, enforce version pinning with cryptographic hashes, and restrict network calls to approved domains to prevent dynamic payload injection.
  • Least Privilege Enforcement: Adopting least-privilege models for agent permissions is crucial to limit the potential impact of compromised skills, ensuring they cannot access sensitive data or systems beyond their immediate function.

TL;DR

  • 安全公司AIR演示了一种恶意AI Agent技能,通过伪装成合法的Google Stitch工具,在Instagram上成功获取超26,000名用户并绕过主流安全扫描器。
  • 攻击核心在于利用“动态依赖”风险:技能包本身静态安全,但指向的外部URL内容可在安装后更改,从而在运行时执行恶意代码或窃取数据。
  • 现有基于静态启发式和LLM的扫描器无法检测这种延迟加载的恶意行为,表明当前的AI技能审核机制存在严重漏洞。
  • 专家呼吁将AI技能视为“活着的第三方依赖”,需建立企业级库存管理、版本锁定及严格的运行时监控,而非仅依赖一次性审批。

为什么值得看

这篇文章揭示了AI Agent生态系统中一个被忽视的关键安全风险:即技能包的可变性导致的供应链攻击。对于AI从业者和企业安全团队而言,它警示了单纯依赖静态代码扫描的局限性,强调了从“静态审核”向“持续运行时验证”转变的必要性,为构建更安全的AI代理基础设施提供了重要的防御视角。

技术解析

  • 攻击向量与信任信号:攻击者利用GitHub高星开源仓库(约36,000星标)提交名为brand-landingpage的技能,通过合并Pull Request获得社区信任信号,随后通过Instagram广告进行大规模分发。
  • 绕过静态扫描机制:该技能未包含可疑代码,而是通过指向受控域名stitch-design.ai(重定向至真实站点以通过静态审查)来规避Cisco、Nvidia等安全扫描器的检测。扫描器仅分析SKILL.md和打包资源,无法预判后续的网络请求变化。
  • 动态载荷执行:在安装后,受控域名上的内容被修改为指令,引导Agent下载并运行脚本。在测试中,该脚本仅收集邮箱地址,但理论上可执行任意操作以控制机器或泄露内部系统数据。
  • 架构缺陷分析:当前AI技能被视为静态文本或提示词,但实际上它们是包含外部依赖的执行指令束。这种架构误解导致安全团队无法通过传统软件供应链安全模型来有效治理AI技能。

行业启示

  • 重塑AI技能安全治理框架:企业应将AI Agent技能纳入软件供应链管理体系,视其为“活着的第三方依赖”。必须实施全生命周期管理,包括严格的版本锁定、不可变引用追踪以及加密哈希校验,防止内容在部署后被篡改。
  • 强化运行时控制与最小权限原则:静态扫描已不足以保障安全,企业需部署运行时监控机制,限制Agent的网络调用至白名单域名,并强制执行最小权限策略,确保单个技能无法继承用户的全部数据访问权。
  • 建立企业级AI资产库存:CISO应建立清晰的AI技能库存,明确所有权和数据流向,仅在受控的应用商店中分发预批准的技能,并在沙箱环境中测试安装行为,以实现对AI代理行为的可见性和可控性。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Agent Agent Security 安全 Open Source 开源