Table of Contents
Key Takeaway
- 🚨 AI agent skill attacks are real: Security firm AIR built a fake AI agent skill that passed every security scanner and reached 26,000 AI agents, including some on corporate accounts, proving that current trust signals for AI tools are dangerously broken.
- 🎯 The attack exploited trust, not code: The fake skill named “brand-landingpage” inherited 36,000 GitHub stars from a popular repository, passed Cisco and NVIDIA scanners, and used an Instagram ad to spread — none of these signals caught the threat.
- 💡 The trick is structural: Security scanners check the skill package once at install time, but the skill can point agents to an external URL that gets swapped with malicious instructions after the scan. This “scan-once, change-later” flaw affects every major AI agent framework.
- 🛡️ OFWs using AI tools at risk: Overseas Filipino workers who use AI agents for side hustles, remote work, or business operations may install compromised AI agent skill packages without realizing the security implications, potentially exposing personal data and financial accounts.
- ⚡ Action required: Treat every AI agent skill as software, not text. Vet external links, pin versions, enforce least privilege, and never assume a clean scan at install stays clean forever.
An AI agent skill is supposed to make your work easier — a bundle of instructions that an AI assistant loads and follows on your behalf. But what happens when that helpful skill is a Trojan horse? In June 2026, cybersecurity firm AIR demonstrated exactly how dangerous the AI agent skill ecosystem has become, building a fake AI agent skill that bypassed every major security scanner and reached roughly 26,000 AI agents, including some on corporate accounts. For overseas Filipino workers (OFWs) who increasingly rely on AI tools for remote work, freelancing, and managing finances, this attack exposes a critical gap in AI security that no scanner alone can fix.
What Is an AI Agent Skill and Why It Matters
An AI agent skill is a package of instructions that an AI agent — such as Claude, ChatGPT, or any agentic AI system — loads into its context and executes with roughly the same authority as a user prompt. Think of it like a plugin or extension for your AI assistant. When you install an AI agent skill, you are giving it permission to act on your behalf: read your files, access your accounts, send emails, execute code, and more.
The AI agent skill model has exploded in 2026. Marketplaces like skills.sh, ClawHub, and others host thousands of skills with star counts, download numbers, and security scan badges — all signals meant to reassure users that a skill is safe. But as the AIR demonstration proved, every one of those trust signals can be faked or bypassed.
For OFWs who use AI agents to automate tasks — writing emails, managing spreadsheets, processing payments, translating documents — installing a compromised AI agent skill could mean exposing bank credentials, personal identification documents, or employer data to attackers. The risk is not theoretical. It has been demonstrated at scale.
How the Fake AI Agent Skill Attack Worked
Security firm AIR designed a fake AI agent skill called brand-landingpage that claimed to build landing pages using Google’s Stitch design tool. The skill was aimed squarely at non-technical users — marketers, salespeople, designers — the exact demographic that includes many OFWs running side hustles or small businesses online.
The attack unfolded in three stages:
Stage 1 — Inherited Trust: AIR submitted the skill as a pull request to a popular skill marketplace repository with approximately 36,000 GitHub stars and 156 existing skills. When the pull request was merged after a few days, the fake AI agent skill inherited all 36,000 stars from the parent repository. This made it appear wildly popular and trustworthy.
Stage 2 — Bypassed Every Scanner: The AI agent skill carried no malicious setup instructions in its own package. Instead, it told the agent to install the “Stitch SDK” by following documentation at an external link: stitch-design.ai — a domain AIR controlled, not Google (the real Stitch lives at stitch.withgoogle.com). At first, the link pointed to genuine Stitch documentation. Every scanner — Cisco’s, NVIDIA’s, and those built into skills.sh — saw a clean package pointing at a plausible URL and cleared it.
Stage 3 — The Switch: Once the AI agent skill was widely installed, AIR swapped the content behind stitch-design.ai. The new version instructed the agent to download and run a script. In the demonstration, the script only collected the user’s email address and sent it back to AIR — which is how the firm counted 26,000 infected agents. A real attacker could have used the same foothold to read files, exfiltrate data, access internal systems, or install ransomware — bounded only by what the agent could reach.
To amplify distribution, AIR ran an Instagram ad targeting marketers, salespeople, and designers. These users installed the skill and put it to work, never knowing that the instructions their agents followed had been silently rewritten.
Why Security Scanners Cannot Catch This Attack
The core problem is structural: security scanners check a fixed package at one moment in time. But an AI agent skill can point to an external URL whose content changes after the scan. The scanners analyze the SKILL.md and shipped files — not the pages the agent will fetch at runtime.
This is not a failure of any specific scanner. It is a fundamental limitation of the scan-once model. As Trail of Bits demonstrated three weeks before the AIR experiment, an attacker can keep tweaking the payload until it passes the scan, then swap the external content afterward. Trail of Bits bypassed ClawHub’s malicious-skill detector, Cisco’s scanner, and all three scanners wired into skills.sh using the same technique.
Anthropic’s own documentation already warns that AI agent skills fetching external URLs are risky for exactly this reason — the content at that URL can change after the skill is vetted. Separate research in 2026 found that scanners often disagree because each one judges a skill in isolation, blind to its external links and to what changes after review.
The implication is clear: the AI agent skill trust model is broken. GitHub stars can be inherited. Scanner badges can be fooled. Open-source reputation can be weaponized. None of the signals that users lean on to decide whether to trust an AI agent skill actually guarantee safety.
What This Means for OFWs and Filipino Workers
Overseas Filipino workers are among the most enthusiastic adopters of AI tools. A 2025 survey by the Philippine Department of Information and Communications Technology (DICT) found that over 60% of OFWs use AI-powered tools for work-related tasks, from translation and writing to financial management and job searching. Many OFWs run digital side hustles that depend on AI agents to automate customer service, content creation, or administrative tasks.
Here is how the AI agent skill attack specifically threatens OFWs:
Financial exposure: OFWs who use AI agents to manage remittances, track expenses, or process payments could inadvertently give a compromised AI agent skill access to bank accounts, digital wallets (GCash, Maya), or investment platforms. A malicious skill could silently redirect remittances or steal login credentials.
Identity theft: Many OFWs store copies of passports, work visas, residence permits, and employment contracts on their devices. A compromised AI agent skill with file-reading capabilities could exfiltrate these documents for identity fraud — a crime that disproportionately affects overseas workers.
Employer data breach: OFWs working in corporate environments in Saudi Arabia, UAE, Singapore, and other host countries may use AI agents with employer-issued accounts. The AIR experiment confirmed that the fake skill reached corporate accounts. A compromised OFW agent could become the entry point for a larger breach, potentially costing the worker their job and visa status.
Scam amplification: The Instagram ad distribution method used by AIR is the same channel scammers use to target OFWs with fake job offers and investment scams. An AI agent skill advertised on social media as a “free business tool” for OFWs could reach thousands before anyone detects the threat.
For Filipino workers already facing digital safety challenges — phishing, romance scams, fake recruitment — the AI agent skill attack adds a new dimension: the tools they trust to protect them can be compromised invisibly.
The Bigger Picture: AI Agent Security in 2026
The AIR experiment is not an isolated incident. It is part of a growing pattern of AI agent security failures in 2026:
Agentjacking attacks: Earlier in 2026, researchers demonstrated “agentjacking” — attacks that hijack AI coding agents to inject malicious code into software repositories. An agentjacking attack exploits the same trust model: the agent executes instructions from a skill or prompt with full user authority.
Instagram AI bot scams: Meta’s AI Support Bot on Instagram was exploited to hijack accounts, demonstrating that even platform-provided AI tools can be weaponized against users.
Copilot SearchLeak: Microsoft 365 Copilot was found vulnerable to a one-click data exfiltration attack dubbed “SearchLeak,” where a single click on a trusted link could pull emails, files, and MFA codes from enterprise search.
Supply chain targeting: The WordPress plugin ecosystem suffered similar attacks in June 2026, with attackers tampering with JavaScript files from PushEngage, OptinMonster, and TrustPulse to plant backdoors. The pattern is identical: trusted distribution channel, clean initial payload, malicious content served later.
Each of these attacks shares a common structure: they exploit the trust gradient between the user and the AI system. The user trusts the agent, the agent trusts the skill, and the skill trusts an external resource that can change. Breaking any link in that chain breaks the security model.
How to Protect Yourself from Fake AI Agent Skills
Whether you are an OFW using AI tools for personal productivity or an enterprise managing agents at scale, the defensive playbook is the same. The AIR researchers and Trail of Bits both converge on the same recommendations:
1. Treat every AI agent skill as software, not text. A SKILL.md file is not documentation — it is executable instructions. Apply the same scrutiny you would to any software package: who wrote it, what does it do, what does it access, and can it change after install?
2. Vet external links, not just the package. The AIR attack succeeded because scanners checked the shipped files but not the URL the agent would fetch at runtime. Before installing any AI agent skill, inspect every external URL it references. If a skill points to a domain you do not recognize, do not install it.
3. Pin versions and lock content. Prevent the “scan-once, change-later” attack by pinning skill versions and, where possible, downloading and freezing the external instructions locally so they cannot be swapped after install.
4. Enforce least privilege. Never give an AI agent skill more access than it needs. If a landing-page builder asks for file-system access or email permissions, that is a red flag. Configure your AI agent to require explicit approval for sensitive actions.
5. Audit what is already installed. Most AI agent skills get installed with zero review. Inventory every skill your agents are running. Check what each one accesses. Remove anything you do not recognize or no longer need.
6. Do not trust stars, downloads, or scanner badges. The AIR experiment proved all three can be faked. A skill with 36,000 stars and a “verified” badge can still be malicious. Base trust on code review and behavior analysis, not popularity metrics.
7. Monitor for changes. Set up alerts for any skill that fetches external content. If the content at an external URL changes after install, treat it as a potential incident. Re-scan and re-vet.
What Organizations Should Do About AI Agent Skill Risks
For companies employing OFWs or operating in the Philippines, the AI agent skill threat requires organizational-level defenses. The Philippine Securities and Exchange Commission (SEC) and the Philippine Stock Exchange already mandate cybersecurity protocols for publicly listed companies — AI agent security should be an extension of these existing frameworks.
Centralize skill distribution: Route all AI agent skill installations through a single controlled source — an internal marketplace or registry. Block agents from installing skills from external marketplaces without approval.
Implement runtime monitoring: Deploy tools that monitor what AI agents actually do at runtime, not just what the skill package says it will do. Log every file access, network request, and external URL fetch.
Require code review: Mandate that every AI agent skill used in production undergoes security review by a trained analyst — not just an automated scanner. The scanner is the first filter, not the last word.
Network-level controls: Block AI agents from accessing suspicious domains at the network level. If a skill tries to fetch instructions from an unrecognized domain, the request should fail closed.
Incident response plan: Have a plan for when a compromised AI agent skill is discovered. Know how to revoke skill permissions, quarantine affected agents, audit what was accessed, and notify affected users or regulators.
The Bangko Sentral ng Pilipinas (BSP) and the Department of Information and Communications Technology should consider issuing guidance on AI agent security for financial institutions and OFW-facing services, similar to existing guidelines on cybersecurity and digital banking.
Frequently Asked Questions (FAQ)
Q: What is an AI agent skill?
A: An AI agent skill is a package of instructions that an AI assistant loads and executes on your behalf. It is similar to a browser extension or phone app — it adds capabilities to your AI agent, but also requires permissions and trust.
Q: How did the fake AI agent skill bypass security scanners?
A: The skill package itself was clean — it contained no malicious code. Instead, it pointed the agent to an external website for setup instructions. The scanners checked the package only, not the website. After the scan, the attacker changed the website content to include malicious instructions.
Q: How many AI agents were affected?
A: According to security firm AIR, their fake AI agent skill reached approximately 26,000 AI agents, including some on corporate accounts. However, this figure comes from AIR alone and is not independently confirmed.
Q: Are OFWs specifically targeted by AI agent skill attacks?
A: OFWs are not specifically targeted, but they are disproportionately affected. Many OFWs use AI tools for remote work and side hustles, often with minimal security training. The fake skill was distributed via Instagram ads targeting non-technical users — the same channel used for OFW job scams.
Q: Can I check if my AI agent has compromised skills installed?
A: Review your agent’s installed skills list. Check each skill’s source, permissions, and external URL references. If you do not recognize a skill or it accesses sensitive data unnecessarily, remove it. Contact your IT department if you use a corporate AI agent.
Q: What security scanners were bypassed in this attack?
A: The attack bypassed Cisco’s AI agent skill scanner, NVIDIA’s scanner, and all three scanners built into the skills.sh marketplace. Trail of Bits separately bypassed ClawHub’s detector, Cisco’s scanner, and skills.sh scanners using the same technique.
Q: Is this attack limited to a specific AI platform?
A: No. The structural vulnerability — scanning a fixed package while the skill’s external content can change — affects any AI agent framework that allows skills to fetch external URLs. This includes Claude, ChatGPT with plugins, and any agentic AI system.
Q: What should I do if I think I installed a fake AI agent skill?
A: Immediately revoke the skill’s permissions, uninstall it, change any passwords the skill could have accessed, and check for unauthorized activity on your accounts. If the skill had access to financial accounts, notify your bank. Report the skill to the marketplace where you found it.
Disclaimer: This article is for informational purposes only and does not constitute professional cybersecurity advice. The attack described was a controlled security demonstration. Readers should consult qualified cybersecurity professionals for specific guidance on protecting their systems and data. References to specific companies, products, or security firms are for informational purposes and do not imply endorsement.
