Based on reporting by The Hacker News →
Introduction
A security research team demonstrated that a deliberately malicious AI agent skill could breeze through every automated security scanner on the market and still end up on roughly 26,000 agents, including corporate-managed accounts. The finding exposes a blind spot in the entire AI agent ecosystem: marketplace trust depends on scanners that, at least for now, are failing the first test.
The problem
According to a report by The Hacker News, security firm AIR created a fake AI agent skill, submitted it through a popular skill marketplace and promoted it with an Instagram ad, and then observed that the skill reached roughly 26,000 agents. Crucially, every security scanner the team tested against the skill flagged it as safe. The payload itself was harmless by design—it collected only the user's email address and did nothing else—because the goal was to demonstrate a proof-of-concept, not to cause harm. The Hacker News covered the research, which shows that the marketplace's automated defenses were completely blind to the skill's true nature.
Consequences
If a harmless proof-of-concept can bypass all existing scanners, a real attacker with a malicious payload could almost certainly do the same. The immediate consequence is that organizations relying on agent-skills marketplaces for productivity gains are exposed to a supply-chain risk they cannot currently audit. For an enterprise that allows agents to execute tasks—reading emails, accessing calendars, posting to social media, or modifying internal databases—a compromised skill could exfiltrate sensitive data, issue commands on behalf of the user, or pivot to internal infrastructure. The 26,000-agent reach in this experiment suggests a successful real-world campaign could infect thousands of nodes before anyone notices.