The bottom line: AI-agent skills require continuous runtime monitoring, not just static analysis at deployment, since security policies can be changed after approval.
A manipulated AI-agent skill called “brand-landingpage” passed multiple security scanners and was distributed to over 26,000 users via an Instagram ad. The experiment by security firm AIR demonstrates that static code analysis at approval time cannot adequately vet AI skills.
AIR proved with a targeted test that a malicious skill package passed security checks from multiple vendors. The skill “brand-landingpage” was presented as a landing-page tool using Google’s Stitch Design Tool and was meant to appeal to non-technical business users (marketers, salespeople, designers). AIR submitted the skill to a popular open-source agent repository with approximately 36,000 GitHub stars and 156 skills. The script was accepted within days and later distributed via Instagram advertising.
The malware method did not work through suspicious code in submitted files, but through a fraudulent domain: the skill instructed agents to install the Stitch SDK from stitch-design.ai—a site controlled by AIR instead of Google’s original stitch.withgoogle.com. The fake domain initially redirected to the genuine Google page, which static code analysis could not detect. AIR tested the skill against scanners from Cisco, Nvidia, and skills.sh—all classified brand-landingpage as safe. After distribution, AIR changed the contents behind the fake documentation to provide a script that collected email addresses. According to AIR, the same procedure could have been used to compromise agent systems. Some of the affected agents were linked to corporate accounts.
Security researcher Devashri Datta emphasizes that CISOs must treat AI skills as part of the enterprise supply chain, not as simple text prompts: “They are executable command packages that control how an agent interacts with enterprise systems and routes data—they require the same controls as third-party open-source packages or SaaS integrations.” Keith Prabhu, CEO of Confidis, adds: “Point-in-time scans are insufficient; enterprises need continuous validation and strict runtime controls.” This first requires an enterprise-wide inventory of all AI skills that provides security teams with transparency over external connections and data access.
Source: www.csoonline.com · Published June 24, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.