Fake AI Agent Skill Bypassed Scanners and Reached 26,000 Installations
A researcher demonstrated that a fake AI agent skill called brand-landingpage could pass marketplace security checks and spread widely by exploiting a blind spot in how agent skills are reviewed. The skill offered legitimate landing-page functionality, was promoted through open marketplaces, GitHub repositories, and social media, and was reportedly installed by about 26,000 AI agents, including some linked to enterprise accounts. According to the reports, the package itself appeared benign and cleared tested scanners because the harmful behavior was not embedded in the submitted code.
Instead, the skill pointed agents to externally hosted documentation that was modified after approval to instruct them to download and execute a script, demonstrating a supply-chain style attack against AI agent ecosystems. In the controlled test, the script only exfiltrated user email addresses, but the researcher said the same technique could enable arbitrary code execution, broader data theft, and persistent access depending on agent privileges. The findings align with prior warnings from other researchers that static scanning misses mutable external links, and they prompted recommendations to inventory installed skills, restrict approved sources, continuously revalidate linked content, pin versions, and enforce least privilege.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Demo payload exfiltrates user email addresses
In AIR's controlled demonstration, the downloaded script collected user email addresses only, while researchers said the same technique could have enabled broader compromise such as arbitrary code execution or data theft.
AIR changes external documentation to deliver malicious instructions
After the skill had passed scanners and appeared benign, AIR altered an externally linked documentation site to tell agents to download and execute a script, demonstrating that mutable off-package content could change behavior after vetting.
Fake skill reportedly reaches about 26,000 AI agents
According to AIR's self-reported results, the fake skill spread to roughly 26,000 AI agents, including some associated with enterprise or corporate environments.
AIR publishes fake AI skill 'brand-landingpage' to a marketplace
Security firm AIR demonstrated a supply-chain style attack by publishing a fake AI agent skill named 'brand-landingpage' through a popular marketplace and promoting it via social channels and repositories to gain adoption.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Hidden Prompt-Injection and Supply-Chain Backdoors in AI Agent Skills
Security researchers are warning that *AI agent “Skills”* (markdown/YAML instruction packages that extend agent capabilities) are becoming a **supply-chain risk** due to hidden prompt-injection content that can survive human review. A demonstrated technique uses **invisible Unicode Tag codepoints** embedded in skill files to smuggle instructions that some models interpret as executable guidance, enabling outcomes such as **data exfiltration**, prompt injection, and other malicious behavior when the skill is invoked; a basic scanner was also built to help detect these hidden-instruction patterns. Separate reporting highlighted broader evidence of the same threat pattern across agent ecosystems: Simula Research Laboratory identified **hidden prompt-injection attacks** in a measurable portion of sampled content on a platform referenced as Moltbook, and Cisco researchers documented a malicious agent skill (“**What Would Elon Do?**”) that **exfiltrated data to external servers** while being artificially boosted to appear as a top-ranked skill. Researchers also anticipate the emergence of **self-replicating adversarial prompts** (“prompt worms/viruses”) that could propagate through networks of communicating AI agents, amplifying the impact of compromised skills and poisoned instruction content.
Mar 21, 2026
SymJack and Malicious AI Skills Expose New Supply-Chain Risks for Coding Agents
Researchers disclosed **SymJack AI**, an attack technique that abuses symbolic links in repositories to trick AI coding assistants and automated development tools into writing to attacker-chosen destinations. A user may approve what appears to be a harmless file change, while the operating system follows a malicious symlink to alter configuration files and enable later command execution with the victim’s privileges. The technique raises concerns for local developer workstations and for CI/CD systems that automatically process untrusted pull requests, where compromised jobs could expose cloud credentials, deploy keys, and other sensitive secrets. Separate research found that public **AI skill marketplaces** remain vulnerable to simple malicious submissions that evade automated scanning. Trail of Bits reported bypassing multiple skill scanners with proof-of-concept packages that used oversized files, hidden content in `.docx` archives, poisoned `.pyc` bytecode, and prompt-injection-style social engineering to disguise malicious behavior. The findings indicate that both repository-based coding agents and downloadable agent skills can become supply-chain entry points, prompting calls for stricter validation of resolved file paths, tighter controls on configuration writes, monitoring of runtime behavior, review of pull requests that modify agent setup, and the use of curated internal skill sources instead of public marketplaces for sensitive environments.
Jun 4, 2026
Malicious AI Agent Skills Abused for Crypto Theft and macOS AMOS Delivery
Researchers reported multiple campaigns abusing *AI agent “skills”* as a new supply-chain-like initial access vector. In one case, a malicious ClawHub skill (`bob-p2p`) masqueraded as a decentralized API marketplace and was promoted via the AI-agent social platform *Moltbook*; once installed, it caused agents to retain **plaintext Solana private keys** and execute transactions that bought worthless `$BOB` tokens while routing value to attacker-controlled infrastructure. Staiker researchers and analyst Dan Regalado highlighted that agent-to-agent collaboration, shared workflows, and dependency chains can enable **lateral movement without direct human interaction**, making the technique repeatable and scalable beyond crypto-wallet theft. Separately, Trend Micro described a shift in **Atomic macOS Stealer (AMOS)** distribution from cracked software to **malicious OpenClaw skills** hosted across ClawHub, SkillsMP, and GitHub. The campaign used seemingly benign `SKILL.md` instructions to trick models/users into installing a fake prerequisite (“OpenClawCLI”) from an external site; if followed, the workflow fetched and executed a **Base64-encoded command** that dropped a **Mach-O universal binary** (Intel and Apple Silicon). Trend Micro reported 39 malicious skills uploaded across repositories and stated that more than **2,200** malicious skills were ultimately found on GitHub, with AMOS targeting credentials, browser data, crypto wallets, Telegram data, VPN profiles, Apple Keychain items, and common user folders—underscoring that AI-agent ecosystems are becoming a practical malware delivery and data-theft channel.
May 8, 2026