Fake AI Agent Skill Slipped Past Every Scanner
A fake AI agent skill named "brand-landingpage" bypassed static security scanners by hosting mutable payloads on an external domain, reaching over 26,000 users via Instagram ads. The attack exploited the gap between initial static review and runtime behavior, demonstrating that skills can change instructions after gaining trust and distribution. Current security scanners relying solely on static analysis of bundled files are insufficient, as they fail to detect dynamic content fetched from exter
Analysis
TL;DR
- A fake AI agent skill named "brand-landingpage" bypassed static security scanners by hosting mutable payloads on an external domain, reaching over 26,000 users via Instagram ads.
- The attack exploited the gap between initial static review and runtime behavior, demonstrating that skills can change instructions after gaining trust and distribution.
- Current security scanners relying solely on static analysis of bundled files are insufficient, as they fail to detect dynamic content fetched from external URLs post-installation.
- Experts urge treating AI agent skills as "living third-party dependencies" requiring continuous validation, version pinning, and strict runtime controls rather than one-time approvals.
Why It Matters
This incident highlights a critical vulnerability in the current AI agent ecosystem where static security measures are inadequate for dynamic, internet-connected skills. It serves as a wake-up call for enterprises to rethink their supply chain security for AI, moving beyond simple prompt or file scanning to comprehensive lifecycle management. Understanding this risk is essential for preventing data exfiltration and unauthorized system access through seemingly benign third-party integrations.
Technical Details
- Attack Vector: The malicious skill utilized a legitimate-looking GitHub repository with high reputation to gain trust, then directed agents to a fake domain (stitch-design.ai) that mimicked the official Google Stitch service.
- Evasion Technique: The payload was not embedded in the static skill files but was hosted externally. The domain initially redirected to the legitimate site to pass static scans, then was updated to serve a script that collected user emails.
- Scanner Failure: The skill passed static analysis from major security providers (Cisco, Nvidia, skills.sh) because these tools only analyzed the SKILL.md and bundled resources at the time of submission, missing the mutable external reference.
- Runtime Exploitation: Once installed, the agent executed instructions fetched from the now-malicious external URL, demonstrating that behavior can diverge significantly from the initial static assessment.
Industry Insight
- Shift to Continuous Validation: Security teams must implement continuous monitoring and runtime controls for AI skills, treating them as executable dependencies rather than static text files.
- Supply Chain Governance: Enterprises should establish strict inventories of AI skills, enforce version pinning with cryptographic hashes, and restrict network calls to approved domains to prevent dynamic payload injection.
- Least Privilege Enforcement: Adopting least-privilege models for agent permissions is crucial to limit the potential impact of compromised skills, ensuring they cannot access sensitive data or systems beyond their immediate function.
Disclaimer: The above content is generated by AI and is for reference only.