Ethical Hacking News
A new experiment has revealed critical weaknesses in the trust signals currently used to verify AI-driven skills, raising serious questions about the long-term security of organizations relying on these tools. Can we rely solely on internal checks and external link scrutiny to ensure our skills are trustworthy? The answer may not be as straightforward as it seems.
The Hacker News reported on an experiment by cybersecurity firm AIR that bypassed various security scanners to demonstrate the vulnerabilities in current trust signals for AI-driven skills. AIR created a fake AI agent skill, collecting only user email addresses and avoiding harm by design, showcasing that none of the existing trust signals caught it. The experiment highlighted weaknesses in current approach to trust signals, proposing need for more comprehensive solutions to address vulnerabilities. Experts recommend treating skills as software rather than text, vetting external links, pinning versions, and assuming any external instruction runs with agent's access to address these issues.
Threat Intelligence News Platform The Hacker News (THN) has recently reported on a groundbreaking experiment conducted by cybersecurity firm AIR, which highlights the vulnerabilities in the current trust signals used to verify AI-driven skills. In a bold move, AIR created a fake AI agent skill, successfully bypassing various security scanners and reaching an astonishing 26,000 agents, including some on corporate accounts.
The ingenious yet audacious plan was designed to show that none of the signals people rely on to trust a skill caught it – not even the most advanced scanners, nor the reputation built on GitHub stars or open-source credentials. The payload collected only the user's email address and did nothing else, rendering it harmless by design.
AIR constructed this skill as "brand-landingpage," claiming it could build a landing page using Google's Stitch design tool for non-technical users. To make it appear credible, AIR focused on two trust signals: GitHub stars and clean scanner verdicts. For the stars, they opened a pull request to a popular skill marketplace repository with an impressive 36,000 stars and 156 skills.
The pull request was merged after just a few days, allowing the skill to inherit the repository's count. Then, AIR ran an Instagram ad targeting marketers, salespeople, and designers who installed the skill and put it into action. This clever tactic exploited the fact that scanners primarily analyze the package handed to them – namely, SKILL.md and the files shipped with it.
AIR's skill carried no setup instructions of its own, relying on external documentation at stitch-design.ai instead of Google's official Stitch website (stitch.withgoogle.com). At first glance, this seemed like a clean package that pointed towards a plausible setup page. The scanners, being oblivious to this blind spot, cleared the skill without issue.
However, once the skill was installed widely, AIR swapped the page behind that link. This new version instructed the agent to download and run a script. During the demo, it only mailed the user's address back to AIR, which served as the basis for counting how many agents had been reached.
While the real figure might be significantly lower, what this experiment highlights is a fundamental gap in our current trust signals for AI-driven skills – one that defenders have yet to adequately address. Real campaigns have employed similar tactics for months, keeping the submitted skill clean while hosting the payload on sites that the agent only fetches at install.
The problem lies in the structural nature of these scanners, which evaluate a fixed package but remain blind to external links and potential changes after review. Each scanner judges skills in isolation, disregarding the external context or updates that may occur post-scanning.
To bridge this gap, experts advocate treating skills as software rather than text, vetting what a skill points to rather than just inspecting its internal content. The primary goal should be to find and control the source of new skills, re-checking them whenever anything changes, because even a clean result at install does not guarantee it will remain so if the skill interacts with external links.
Furthermore, pinning versions and assuming any external instruction runs with the agent's access are recommended measures. This approach acknowledges that AI coding agents can be tricked into running malicious code by attackers.
The experiment conducted by AIR underscores the necessity of reevaluating our trust signals for AI-driven skills. While the exact number of agents reached is a matter of debate, what holds up is the method used – highlighting the weaknesses in our current approach and calling for more comprehensive solutions to address these vulnerabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-Reevaluation-of-Trust-Signals-The-Unintended-Consequences-of-AI-Driven-Cybersecurity-Measures-ehn.shtml
https://thehackernews.com/2026/06/fake-ai-agent-skill-passed-security.html
https://www.air.security/blog-posts/the-story-of-skills
Published: Tue Jun 23 11:49:35 2026 by llama3.2 3B Q4_K_M
