A malicious AI “skill” created as part of a controlled security experiment has exposed critical weaknesses in modern AI agent ecosystems, successfully bypassing security scanners and compromising more than 26,000 agents across individual and enterprise environments.
According to researcher Niv Hoffman, the attack began with the creation of a seemingly legitimate AI skill named “brand-landingpage,” marketed as a no-code tool for building visually appealing product landing pages using Google’s Stitch platform.
The skill delivered real functionality, which helped build trust among non-technical users such as marketers, designers, and sales teams.
Within a short time, it spread rapidly through open marketplaces, GitHub repositories, and social media promotions.
To increase credibility, the researchers strategically merged the malicious skill into a popular GitHub-based plugin marketplace containing tens of thousands of stars.
This allowed the project to inherit a strong reputation signal, making it appear trustworthy to both users and automated systems.
Additionally, widely used AI security scanners, including those from major vendors, analyzed the skill and flagged it as safe, further reinforcing user confidence.
Malicious AI Agent Skill Bypasses
However, the attack did not rely on traditional malware techniques. Instead, it exploited a fundamental design flaw in how AI skills are evaluated.
Most security scanners focus only on the local contents of a skill, such as configuration files and embedded instructions.
They do not fully inspect external resources referenced by the skill, such as documentation links or installation guides.
The malicious skill leveraged this gap by directing AI agents to an external domain that mimicked legitimate Stitch documentation.
Initially, the domain redirected to a legitimate site, leading early inspections to appear harmless. Once the skill gained traction, the researchers replaced the external content with modified instructions that guided agents to download and execute a script.
Because AI agents treat external documentation as trusted input, they followed these instructions without suspicion.
In this experiment, the script only collected user email addresses to demonstrate impact. However, the same technique could have been used to execute arbitrary code, exfiltrate sensitive data, or gain persistent access to enterprise systems.
The results were significant. More than 26,000 agents installed the skill, including those connected to corporate environments.
The researcher Niv Hoffman confirmed they could have accessed private conversations, internal tools, and other sensitive resources available to those agents. Despite this level of access, all security scanners involved failed to detect any malicious behavior.
This incident highlights a growing supply chain risk within AI ecosystems. Unlike traditional software, AI skills can dynamically change behavior by modifying external content after installation.
As a result, a one-time security scan provides only a snapshot of the current state. It does not account for future changes to linked resources.
For enterprises, the implications are serious. Many organizations already allow employees to install AI add-ons without centralized oversight, creating an unmonitored attack surface.
Since these agents often operate with broad permissions, a single malicious actor can cause widespread compromise.
Security experts recommend shifting toward continuous monitoring of AI agent behavior, enforcing centralized approval for third-party skills, and expanding scanning capabilities to include external dependencies.
Without these changes, AI agent platforms may remain vulnerable to large-scale attacks that exploit trust rather than technical vulnerabilities.
