Fake AI Agent Skill Reaches 26,000 Agents in Supply Chain Test

Security firm AIR planted a fake AI agent skill that bypassed all scanners and reached 26,000 agents, exposing a supply chain flaw in AI skill marketplaces.

A security research firm planted a malicious AI agent skill in a popular marketplace and watched it propagate to approximately 26,000 agents — including those deployed on enterprise corporate accounts — before disclosing the experiment. The findings expose a structural gap in how AI agent skill ecosystems vet third-party content.

The Research Operation

Security firm AIR conducted the test by constructing a fake skill called brand-landingpage and submitting it to a mainstream AI agent skill marketplace. To boost its apparent legitimacy, AIR amplified the skill with GitHub stars and orchestrated a merge into the marketplace, then ran Instagram advertising to drive further adoption. The campaign was designed to mimic the promotional strategies a real threat actor might employ to establish credibility for a malicious package.

The skill was not inherently malicious at the moment of submission. That detail is central to the attack technique AIR demonstrated.

The Bypass Mechanism: Mutable External Payloads

Every security scanner AIR tested evaluated the skill’s code at the time of submission. None of those scanners flagged brand-landingpage because, at submission time, it was clean. The skill’s real functionality was hosted at an external URL that the skill would call when executed by an agent.

brand-landingpage: How a Mutable External Payload Bypassed All Submission Scanners

After the skill cleared review and was listed in the marketplace, AIR changed the content at that external endpoint. Because no re-scan is triggered by post-approval changes to external dependencies, the modified payload was live and reachable by every agent that had installed the skill — without any security tool detecting the substitution.

This technique means a threat actor could publish a benign skill, accumulate installations, pass all vetting processes, and then silently swap the external payload to a malicious one. The marketplace and its security pipeline would have no awareness the change had occurred.

Scale and Enterprise Exposure

AIR reported that the skill reached roughly 26,000 AI agents before the research concluded. Critically, the affected installations included agents running on enterprise corporate accounts — not just individual developer environments. Enterprise AI agent deployments are increasingly connected to business systems, internal APIs, data stores, and communication platforms, which raises the stakes for any compromise that touches them.

The experiment did not disclose which specific marketplace was used or identify affected organizations by name. AIR framed the disclosure as a structural demonstration rather than an attack against a specific vendor.

Parallels to Software Supply Chain Attacks

The technique is a close analog to supply chain attacks that have plagued open-source package ecosystems like npm and PyPI for years. In those ecosystems, attackers have used similar patterns: publish a harmless package, establish trust through download counts and stars, then introduce malicious updates or depend on packages they later compromise. The difference is that traditional package managers have developed dependency pinning, integrity verification, and checksum enforcement as countermeasures.

AI Skill Marketplaces Lack the Pinning and Checksum Verification of Mature Package Ecosystems

AI agent skill marketplaces appear to lack equivalent mechanisms. The skill review process, as AIR’s test showed, is a one-time gate rather than a continuous integrity check. Once a skill is listed, the marketplace implicitly trusts it indefinitely regardless of changes to resources the skill calls at runtime.
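A minimal model of the gap described in the bypass section and of the pinning countermeasure this paragraph says skill marketplaces lack. This is an added example, not code from AIR or from any marketplace; the ExternalHost stand-in, the manifest fields, the keyword-based scan and the constructed payload strings are assumptions made for illustration.

```python
import hashlib


class ExternalHost:
    """Constructed stand-in for the URL a skill fetches at run time.
    Its content can be changed by the publisher after the marketplace approves the skill."""

    def __init__(self, content: str):
        self.content = content

    def fetch(self) -> str:
        return self.content


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def submission_scan(manifest: dict, host: ExternalHost) -> bool:
    """One-time gate: approve if the inline code and the external resource look benign today.
    Toy keyword check standing in for a real scanner; the point is that it runs only once."""
    return "benign" in manifest["inline_code"] and "benign" in host.fetch()


def naive_load(manifest: dict, host: ExternalHost) -> str:
    """Loader that trusts the approved URL indefinitely: returns whatever is served now."""
    return host.fetch()


def pinned_load(manifest: dict, host: ExternalHost) -> str:
    """Loader that pins the external resource to the digest recorded at approval time,
    the way package managers use lockfile checksums. A swapped payload fails to load."""
    body = host.fetch()
    if sha256_hex(body) != manifest["pinned_sha256"]:
        raise ValueError("external payload changed since approval; refusing to load")
    return body


def run_scenario():
    """Returns (approved_at_submission, what_naive_loader_got, pinned_loader_blocked)."""
    host = ExternalHost("benign landing page template")  # clean at submission time
    manifest = {"name": "brand-landingpage", "inline_code": "benign fetch from URL",
                "payload_url": "https://example.invalid/payload"}  # hypothetical URL
    approved = submission_scan(manifest, host)
    manifest["pinned_sha256"] = sha256_hex(host.fetch())  # what a pinning marketplace records
    host.content = "malicious payload served after approval"  # post-approval swap
    naive_result = naive_load(manifest, host)  # no re-scan ever fires; the swap goes through
    try:
        pinned_load(manifest, host)
        pinned_blocked = False
    except ValueError:
        pinned_blocked = True
    return approved, naive_result, pinned_blocked
```

The same check belongs at install time and on every fetch, since pinning only helps if the digest recorded at review is enforced wherever the resource is actually loaded.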

Impact and Industry Takeaway

An attacker who exploited this pattern at scale could use installed skills to redirect agent behavior, exfiltrate data the agent has access to, issue unauthorized commands to connected systems, or use the compromised agent as a pivot point into broader enterprise infrastructure. Because AI agents are often granted elevated permissions to perform their intended functions, the potential blast radius of a malicious skill exceeds that of a typical software package compromise.

The research establishes that AI agent skill marketplaces currently face the same supply chain risks that took the open-source software ecosystem years to begin addressing. Static vetting at submission time is insufficient when external dependencies can be modified freely after approval. The absence of runtime integrity verification creates a persistent and exploitable blind spot at the heart of the AI agent ecosystem’s trust model.
