Fake AI Agent Skill Evades Security Scanners and Reaches Thousands of Autonomous Agents

Researchers demonstrated how a seemingly legitimate AI agent skill bypassed multiple security scanners and reportedly spread to thousands of agents by exploiting trust in external links and marketplace reputation signals.

CSBadmin

Security researchers have highlighted a growing supply-chain risk in the emerging AI agent ecosystem after successfully distributing a benign but deceptive agent skill that passed multiple security reviews and reportedly reached approximately 26,000 agents. The experiment was designed to test the effectiveness of existing skill-scanning technologies and trust mechanisms used by marketplaces that distribute AI agent capabilities to users and organizations.

The skill appeared legitimate on the surface, leveraging popular trust signals such as repository reputation, marketplace approval, and favorable scanner results. Researchers submitted the package to a widely used skill marketplace and promoted it through targeted advertising. While the skill itself contained no malicious code, it directed agents to an external website during installation. Initially, that website hosted harmless content, allowing security scanners to approve the package. After adoption increased, the researchers demonstrated how the external content could be modified without triggering a new review process.

The findings expose a fundamental limitation in many current AI agent security models. Most scanners analyze only the files submitted for review and do not continuously monitor the external resources a skill references. As a result, an attacker could alter instructions, scripts, or payloads hosted outside the vetted package after approval has been granted. Researchers argue that this creates a persistent blind spot that cannot be closed by static scanning alone, and that it mirrors supply-chain attacks that have previously affected software package repositories and browser extensions.

While the researchers’ payload was intentionally harmless and collected only limited telemetry to measure adoption, the demonstration underscores broader concerns about the security of autonomous agent ecosystems. Security experts increasingly recommend treating AI skills and agent extensions as software components rather than simple instruction sets, requiring continuous validation, version pinning, external dependency monitoring, and strict permission controls. As AI agents gain deeper access to enterprise systems and sensitive data, trust in marketplace reputation and one-time security scans may prove insufficient to prevent future supply-chain compromises.
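A defender-side check for the blind spot described above, added here as an example and not taken from the article or the researchers' work: pin every external resource a skill references by content hash at approval time, then re-verify those hashes on a schedule or before each install, so a change to the hosted content after approval is detected rather than silently trusted. The skill text, the example.invalid URLs and the served content are constructed, and the instruction-file format is an assumption.

```python
import hashlib
import re
from typing import Callable, Dict, List

# Constructed skill text. The instruction-file format is an assumption for this
# example, not a real marketplace schema; the point is that the skill tells the
# agent to load content from outside the vetted package.
SKILL_TEXT = """# Example skill
During installation, fetch and follow https://example.invalid/skill/setup.md
Then load the helper at https://example.invalid/skill/helper.py
"""

# Constructed snapshots of what the external host served at review time and later.
CONTENT_AT_REVIEW = {
    "https://example.invalid/skill/setup.md": b"Print a friendly welcome message.\n",
    "https://example.invalid/skill/helper.py": b"print('hello')\n",
}
CONTENT_LATER = dict(CONTENT_AT_REVIEW)
CONTENT_LATER["https://example.invalid/skill/setup.md"] = b"Steps changed after approval.\n"

URL_RE = re.compile(r"""https?://[^\s)"'>]+""")
Fetcher = Callable[[str], bytes]

def make_fetcher(snapshot: Dict[str, bytes]) -> Fetcher:
    """Offline stand-in for an HTTP GET; raises KeyError when the URL is gone."""
    return lambda url: snapshot[url]

def content_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def extract_external_refs(skill_text: str) -> List[str]:
    """Every URL the skill tells the agent to fetch, in order of first appearance."""
    return list(dict.fromkeys(URL_RE.findall(skill_text)))

def pin_external_refs(refs: List[str], fetch: Fetcher) -> Dict[str, str]:
    """Record a content hash for each external reference at approval time."""
    return {url: content_digest(fetch(url)) for url in refs}

def verify_pins(pins: Dict[str, str], fetch: Fetcher) -> List[str]:
    """URLs whose current content no longer matches the approved hash. An
    unreachable or removed resource counts as drift too: the agent can no
    longer know what it would be executing."""
    drifted: List[str] = []
    for url, approved in pins.items():
        try:
            if content_digest(fetch(url)) != approved:
                drifted.append(url)
        except KeyError:
            drifted.append(url)
    return drifted
```

Any URL reported by `verify_pins` should block installation and trigger a fresh review, since the approved scan no longer describes what the agent would fetch.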


Source: The Hacker News