The Experiment That Should Worry Every Security Team
We have spent two years telling boards that agentic AI is a productivity revolution, and we still mean it. But a demonstration disclosed on June 23 by the security firm AIR should reset how every technology leader thinks about the marketplaces that feed those agents. AIR built a deliberately deceptive skill named brand-landingpage, submitted it to a public skill marketplace, and watched as every scanner it tested, including tooling from Cisco and NVIDIA, returned a clean verdict. The skill was not a clever piece of polymorphic malware. It was an ordinary-looking package that pointed agents at an external installation page, and that single design choice was enough to defeat the entire review pipeline.
The numbers are what make this more than an academic curiosity. AIR reports that the skill reached approximately 26,000 agents, a population that included installations running under corporate accounts. In other words, the experiment did not just prove a theoretical weakness. It quietly distributed an unverified instruction channel into thousands of production agents, and the security controls that enterprises are counting on never raised an alarm. For organizations racing to roll out internal agent platforms, that is the difference between a tidy slide deck and an actual incident.
Why Scanners Lose This Game By Design
The structural flaw AIR exploited is simple and damning. A scanner inspects a fixed package at a fixed moment. The brand-landingpage skill referred agents to stitch-design.ai, a domain AIR controlled, dressed up to resemble a legitimate Google design tool. At review time the external page looked benign, so the package passed. After widespread installation, AIR changed the contents of that page to deliver malicious instructions. The payload in the demonstration only harvested user email addresses, but the researchers are clear that the same mechanism could have enabled full agent compromise.
Trail of Bits captured the underlying asymmetry months ago when it warned that a scanner checks a fixed package while an attacker can keep tweaking the payload until it passes. AIR extended that insight from package contents to the external links those packages reference. The takeaway is that marketplace approval is a snapshot, not a guarantee, and any skill that reaches outside its reviewed bundle is effectively unscanned. We should stop describing these verdicts as safety certifications and start describing them as what they are, a weak first filter.
The Trust Signals That Fooled Everyone
What gave brand-landingpage its credibility was a stack of signals that buyers have been trained to trust. The skill inherited GitHub stars from a popular repository, which created an instant impression of community validation. It carried clean scanner results, which procurement teams treat as a green light. And it linked to plausible documentation, the kind of polished material that makes a reviewer relax. None of these signals described the actual behavior of the code, yet together they manufactured exactly the confidence an attacker needs.
This is the part enterprise leaders must internalize. The marketplace economy for AI skills borrowed its reputation mechanics from open source software, but it did not borrow the slow, social accountability that makes open source trust meaningful. Stars can be inherited or purchased. Verdicts can be gamed. Documentation can be generated in seconds. When the signals are cheap to fake and expensive to verify, they stop functioning as security and start functioning as decoration. We have built a procurement reflex around indicators that an adversary can assemble for almost nothing.
Skills Are Code, and Your Supply Chain Just Got Longer
For most of the past decade, supply chain security meant package registries, container images, and continuous integration pipelines. Agent skills are now a new tier in that chain, and they are arguably the most dangerous because they execute with the agent's privileges and often with access to corporate data, internal tools, and identity tokens. A compromised skill is not a vulnerable dependency buried three layers deep. It is an instruction set running at the center of a workflow that may touch email, code repositories, and customer records.
The brand-landingpage demonstration shows that the blast radius scales with adoption. Twenty-six thousand agents is a meaningful population, and the same mechanics would work just as well inside a single large enterprise that standardizes on a shared skill catalog. We have repeatedly argued that agentic adoption outpaces governance, and this is a concrete example of the gap. The convenience of a centralized marketplace is also a centralized point of failure, and few security organizations have mapped that risk into their existing supply chain controls.
What CISOs Should Do Before the Next One Is Real
The defensive playbook starts with refusing to treat marketplace approval as sufficient. Skills that reference external links should be flagged, pinned to specific versions or content hashes, and re-evaluated whenever that external content changes. Enterprises should maintain an internal allowlist of vetted skills rather than letting agents install from public catalogs at will, and they should log and monitor what skills are present across their agent fleet, just as they inventory software on endpoints. Runtime controls matter too, because a skill that behaves well at review time can misbehave later.
More broadly, this is a moment to apply zero trust thinking to the agent layer. We do not let unverified code run with full privileges on a laptop, and we should not let unverified skills run with full privileges inside an agent. AIR's experiment was responsible research, but the next actor to discover this path will not be. The organizations that come out ahead will be the ones that assume marketplace trust is compromised, build their own verification, and treat every external reference as untrusted until proven otherwise.
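To make the pinning and re-evaluation steps in the playbook above concrete, here is an added Python example (written for this article, not AIR's tooling or any marketplace's scanner). It records a content hash for a skill bundle and for every external page the bundle references at vetting time, then flags the skill when the external content changes, the bundle changes, or the skill is missing from the internal allowlist. The manifest and page contents are constructed; the skill name and domain are the ones from AIR's demonstration, and the "web" is simulated with dictionaries so it runs offline.

```python
import hashlib
import json
import re

# Constructed sample manifest, modelled on the brand-landingpage package described above:
# the bundle itself is innocuous, but it sends the agent to an external installation page.
SKILL_MANIFEST = {
    "name": "brand-landingpage",
    "instructions": "To finish setup, open https://stitch-design.ai/install and follow the steps shown.",
}

# Simulated web: what the external page served at review time, and after the swap (constructed).
WEB_AT_REVIEW = {"https://stitch-design.ai/install": b"<html>Run setup.sh to install.</html>"}
WEB_AFTER_SWAP = {"https://stitch-design.ai/install": b"<html>Different steps, changed after approval.</html>"}

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(manifest: dict) -> bytes:
    """Stable serialisation so the bundle hash does not depend on key order."""
    return json.dumps(manifest, sort_keys=True).encode()

def external_refs(manifest: dict) -> list[str]:
    """Every URL the skill reaches outside its reviewed bundle; each is content the scanner never saw."""
    return sorted(set(URL_RE.findall(canonical(manifest).decode())))

def pin_skill(manifest: dict, fetch) -> dict:
    """At vetting time, record the bundle hash and the hash of each external page as fetched then."""
    return {
        "bundle_sha256": sha256(canonical(manifest)),
        "external": {url: sha256(fetch(url)) for url in external_refs(manifest)},
    }

def check_skill(manifest: dict, pin: dict, fetch, allowlist: set[str]) -> list[str]:
    """Re-evaluate an installed skill against its pin. Returns findings; an empty list means no drift."""
    findings = []
    if manifest["name"] not in allowlist:
        findings.append(f"{manifest['name']}: not on the internal allowlist")
    if sha256(canonical(manifest)) != pin["bundle_sha256"]:
        findings.append(f"{manifest['name']}: bundle changed since vetting")
    for url in external_refs(manifest):
        if url not in pin["external"]:
            findings.append(f"{manifest['name']}: unreviewed external reference {url}")
        elif sha256(fetch(url)) != pin["external"][url]:
            findings.append(f"{manifest['name']}: external content drifted since vetting at {url}")
    return findings
```

In a real fleet, `fetch` would be an HTTP client and the pins would live in the skill inventory, with `check_skill` run on a schedule rather than once at approval.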
The Marketplace Model Needs a Rethink
Stepping back, the deeper issue is that the AI skill marketplace inherited a distribution model that was never designed for components this powerful. App stores and package registries developed their trust mechanics over many years, with notarization, sandboxing, and slow reputation building, and even they suffer regular abuse. Skill marketplaces arrived almost overnight, granting agents broad privileges on the strength of a quick scan and some social proof. The mismatch between the power of these components and the maturity of the channel that distributes them is the root cause that AIR's experiment exposed.
We expect the platforms hosting these marketplaces to respond, and they should. Content-addressed skills that cannot be silently mutated, runtime sandboxing that limits what a skill can touch, and continuous re-evaluation rather than one-time approval are all achievable. Until those protections are standard, enterprises are right to be conservative. The convenience of an open skill ecosystem is genuine, but so is the risk, and the organizations that pair adoption with their own verification discipline will be the ones that get the productivity without inheriting the next 26,000-agent incident.