What happened
A controlled security experiment has revealed a significant weakness in AI agent ecosystems after a malicious AI skill successfully bypassed security scans and spread to more than 26,000 AI agents.
The research was conducted by cybersecurity researcher Niv Hoffman, who created a seemingly legitimate AI skill called “brand-landingpage.” The tool was presented as a no-code solution for building product landing pages using Google’s Stitch platform and provided genuine functionality, helping it gain trust among users.
The skill was promoted through public marketplaces, GitHub repositories, and social media channels. To further increase credibility, it was merged into a popular GitHub-based plugin marketplace with tens of thousands of stars. Security scanners from multiple vendors reviewed the skill and classified it as safe.
The attack did not rely on malware hidden inside the skill itself. Instead, it exploited a gap in how AI skills are evaluated. Most security tools examine only the local contents of a skill and do not fully inspect external resources linked through documentation or installation instructions.
The skill directed AI agents to an external website that initially appeared legitimate. After adoption increased, the researchers changed the external content, instructing agents to download and execute a script. Because the instructions came from what appeared to be trusted documentation, the agents complied.
Who is affected
The findings affect organizations and individuals using AI agents that can install third-party skills, plugins, or extensions.
More than 26,000 agents reportedly installed the skill, including agents operating in enterprise environments. According to Hoffman, a real attacker could potentially use the same technique to access private conversations, internal business tools, sensitive corporate information, or other resources available to compromised agents.
Organizations that allow employees to independently install AI add-ons may face elevated risk because these tools often operate with broad permissions and limited oversight.
Why CISOs should care
The experiment highlights an emerging AI supply chain risk that differs from traditional software security threats.
Unlike conventional applications, AI skills can change behavior after deployment by modifying external resources that agents continue to trust. As a result, a one-time security scan may not identify future malicious activity.
The incident also demonstrates that trusted marketplaces, strong reputation signals, and existing security scanners may not be sufficient to detect AI-specific threats. As AI agents gain access to business systems and sensitive data, the potential impact of a compromised skill increases significantly.
3 practical actions
- Require centralized review and approval before employees install third-party AI skills, plugins, or agent extensions.
- Implement continuous monitoring of AI agent behavior, including changes to external resources and documentation referenced by installed skills.
- Expand security assessments to evaluate external dependencies, linked content, and post-installation behavior rather than relying solely on static scans.
