```
Security researchers have exposed a fundamental blind spot in how AI agent skill marketplaces vet incoming software, after a fabricated skill slipped past every automated scanner on a widely used platform and was adopted by an estimated 26,000 agents — including instances tied to corporate accounts.
The proof-of-concept, built by security firm AIR and reported by The Hacker News, involved creating a fake AI agent skill with a deliberately benign payload: it collected the user's email address and did nothing further. Distributed through both a popular skill marketplace and an Instagram advertisement, the skill was flagged as safe by every security scanning tool the researchers evaluated.
The Scanner Gap
The experiment was designed to expose a critical weakness in how AI ecosystems currently handle trust. Automated pre-publication scanners — the primary gatekeeping mechanism for most AI agent skill marketplaces — rely on static code pattern analysis. While effective at catching known malware signatures, these tools cannot assess contextual risk. A skill that harvests user email addresses looks structurally identical to one that legitimately requires such data to function.
AIR's technique exploited this limitation directly. The fake skill passed scanner checks by using a mutable external link — a mechanism that allowed the skill's actual behaviour to be modified after publication without triggering a rescan. Because the scanners evaluated the skill at a single point in time and could not account for dynamically changing functionality, the malicious data-harvesting action remained invisible to every tool tested.
The implication is stark: when every scanner flags a data-harvesting tool as safe because it cannot distinguish intent from function, the entire trust model underlying these marketplaces is broken.
Corporate Exposure
Perhaps most concerning is the skill's reach into corporate environments. According to AIR, some of the 26,000 affected agents were running on corporate accounts, meaning employees installed the skill on work-managed AI platforms without triggering security alerts. This creates an ungoverned risk vector that most organisations have yet to address in their acceptable use or procurement policies.
The finding echoes a recurring pattern in technology adoption: rapid ecosystem growth consistently outpaces its security model. AI agent skill marketplaces appear to be following the same trajectory as earlier software distribution platforms — app stores, npm packages, and browser extensions — all of which weathered supply-chain trust crises before more robust vetting mechanisms caught up.
A Case for Continuous Verification
The research points toward a need for what security professionals increasingly describe as a continuous trust and verification model. Rather than relying solely on point-in-time scans at publication, marketplaces and platform providers would need to implement runtime behavioural monitoring that evaluates what a skill actually does once installed and running in context — including detecting changes introduced through mutable external resources after initial approval.
Such a model would involve several components: granular, context-aware permission systems — where a weather-checking skill, for example, cannot request access to user contact data; verifiable supply chain provenance tracking code origin, authorship, and update integrity; and ongoing integrity verification rather than one-off publication checks.
An Inflection Point for the Industry
The experiment arrives as AI agent adoption accelerates across enterprises worldwide. With organisations increasingly integrating autonomous AI agents into workflows — granting them the ability to read emails, manage calendars, and access internal databases — the attack surface for supply-chain-style compromises grows proportionally.
The 26,000-agent figure is particularly striking given that the payload was intentionally harmless. A malicious actor deploying the same distribution techniques with an actual data exfiltration payload could, in principle, achieve comparable scale with real consequences.
Open questions remain about who should bear responsibility for developing more sophisticated monitoring tools — marketplace operators, independent security vendors, or industry consortiums — and what governance frameworks are needed to mandate supply chain provenance standards. For IT professionals and administrators, the immediate takeaway is clear: default trust settings in current AI agent ecosystems should not be assumed sufficient, and organisations need explicit policies that treat employee-installed AI skills as a distinct risk category.
安全研究人員揭露了 AI 代理技能市場在審核軟件方面的根本盲點,一個偽造的技能在一個廣泛使用的平台上繞過了所有自動掃描器,並被估計 26,000 個代理採用——其中包括與企業帳戶關聯的實例。
這個概念驗證由安全公司 AIR 構建,並由 The Hacker News 報道,涉及創建一個具有刻意無害 payload 的假 AI 代理技能:它收集用戶的電郵地址,除此之外沒有其他動作。通過一個熱門技能市場和一則 Instagram 廣告進行分發後,該技能被研究人員評估的所有安全掃描工具標記為安全。
掃描器漏洞
這項實驗旨在揭露 AI 生態系統目前處理信任方面的關鍵弱點。自動化的事前發佈掃描器——大多數 AI 代理技能市場的主要把關機制——依賴靜態程式碼模式分析。雖然能有效捕捉已知的惡意軟件簽名,但這些工具無法評估上下文風險。一個收集用戶電郵地址的技能,在結構上與一個合法需要此類數據才能運作的技能完全相同。
AIR 的技術直接利用了這一局限。該假技能通過使用一個可變外部連結來通過掃描器檢查——這種機制允許技能的實際行為在發佈後被修改,而無需觸發重新掃描。由於掃描器僅在單一時間點評估技能,無法應對動態變化的功能,惡意的數據收集行為對所有測試工具均不可見。
其含義十分明顯:當每個掃描器都將一個數據收集工具標記為安全,因為它無法區分意圖與功能時,這些市場背後的整個信任模型就已經崩潰。
企業暴露風險
最令人擔憂的或許是該技能滲透到企業環境的程度。根據 AIR 的說法,在受影響的 26,000 個代理中,有些是在企業帳戶上運作,這意味著員工在未觸發安全警報的情況下,將該技能安裝在受工作管理的 AI 平台上。這造成了一個不受治理的風險途徑,大多數組織尚未在其可接受使用或採購政策中解決這一問題。
這一發現與技術應用中反覆出現的模式相呼應:快速的生態系統增長持續超越其安全模型。AI 代理技能市場似乎正沿著與早期軟件分發平台相同的軌跡發展——應用程式商店、npm 套件和瀏覽器擴展——所有這些平台都經歷了供應鏈信任危機,之後更穩健的審核機制才得以跟上。
持續驗證的必要性
這項研究指向了安全專業人士日益描述為「持續信任與驗證模型」的需求。市場和平台提供者不能僅僅依賴發佈時的單次掃描,而需要實施 runtime 行為監控,以評估一個技能在安裝並在上下文中運作後的實際行為——包括偵測在初始審核後通過可變外部資源引入的變更。
此類模型將涉及幾個組成部分:精細的、上下文感知的權限系統——例如,一個檢查天氣的技能不能請求訪問用戶的聯絡人數據;可驗證的供應鏈來源追蹤代碼的來源、作者和更新完整性;以及持續的完整性驗證,而非一次性的發佈檢查。
行業的轉折點
這項實驗出現之際,正值全球企業加速採用 AI 代理。隨著組織越來越將自主 AI 代理整合到工作流程中——賦予它們閱讀電郵、管理日曆和訪問內部數據庫的能力——供應鏈型攻擊的攻擊面也隨之按比例增長。
鑑於 payload 是刻意設計為無害的,26,000 個代理的數字尤其引人注目。一個惡意行為者若使用相同的分發技術並搭載實際的數據竊取 payload,原則上可以達到類似的規模並帶來真實的後果。
關於誰應承擔開發更複雜監控工具的責任——是市場營運商、獨立安全供應商還是行業聯盟——以及需要什麼治理框架來強制執行供應鏈來源標準,這些問題仍然懸而未決。對於 IT 專業人員和管理員而言,當前的要點十分明確:不應假設當前 AI 代理生態系統中的預設信任設定是足夠的,組織需要明確的政策,將員工安裝的 AI 技能視為一個獨特的風險類別。