AIR’s fake AI agent skill hit 26,000 agents and passed every scanner
A red-team stunt exposes how skill marketplaces can be gamed, even when security checks say “safe.”

Security firm AIR built a fake AI agent skill, pushed it into a popular skill marketplace, and promoted it with an Instagram ad. The firm says the stunt reached roughly 26,000 agents, including some on corporate accounts, and that every skill security scanner it tested the skill against marked it safe.
That combination is the entire story. AIR’s point is not that the payload was explosive or visibly malicious. The payload was designed to be harmless, collecting only what AIR says it collected, and yet the skill still sailed through the security checks and reached a very large installed base, fast. When “marked safe” does not mean “safe,” decision-makers need to rethink what their defenses actually cover.
To understand why this matters, zoom out for a second. AI agents and their “skills” are increasingly packaged like apps. They are often discovered through marketplaces, enabled with a few clicks, and distributed to lots of users at once. That creates a tension that is basically the same one that app stores have dealt with for years: scale. The moment distribution is easy, adversaries do not need to be brilliant. They need a channel that accepts submissions and a detection layer that can be fooled.
AIR’s test illustrates the detection gap with a scenario that is intentionally low-drama on impact and high-drama on process. In many security programs, a scanner is used as a gate: if the scanner says the skill is safe, the business assumes the risk is low enough to move forward. AIR’s test suggests that scanner coverage may be narrower than the risk surface that matters in practice: what gets uploaded, what gets executed, what can be triggered, and what metadata or behavior gives away intent.
The report also suggests something about incentives, not just technology. Marketplaces want engagement and participation, and promoters want reach. AIR used an Instagram ad to push the skill, which is a reminder that distribution does not live only inside security reviews. It can also live in normal marketing channels that do not care about threat modeling. If a marketplace relies heavily on automated scanning at submission time, attackers may only need to craft a payload that passes those particular checks, even if the real objective is to validate how far they can get.
And there is the corporate wrinkle. AIR says the skill reached agents “including some on corporate accounts.” That detail is a huge deal for security leaders, because it is one thing to test against consumer setups and another to discover that enterprise-adjacent instances are not automatically safer. Corporate accounts typically come with additional controls, but the existence of corporate exposure implies at least two possibilities: either enterprises do not tightly restrict third-party skills, or skills can be enabled in ways that make a scanner’s verdict look reliable on paper without being so in practice. Either way, the gate you trust might not be the gate you have.
Regulatory background matters here because lawmakers have been chasing the same basic problems, just with different labels. Across AI governance discussions, the recurring themes are risk management, transparency, and accountability for what gets deployed and how it is monitored. Incidents like this do not need to involve a catastrophic payload to be relevant to regulators. They show a systemic weakness: marketplace ecosystems can distribute software that passes automated screening even when the assumptions behind that screening do not hold.
For executives, boards, and security leaders, the second-order implication is brutal: a “safe” scanner report may be a necessary but insufficient condition. If a harmless payload can still reach roughly 26,000 agents, including corporate ones, then the practical question becomes what other signals your organization needs besides scanner outcomes. For example, organizations may need tighter controls on skill onboarding, stronger monitoring of agent behavior after installation, and clearer policies about what kinds of skills are allowed on enterprise accounts.
The competitive stake is not just “avoid bad skills.” It is also brand and trust. If users or customers learn that security scanners can be bypassed and that marketplaces can distribute risky functionality at scale, the entire category suffers. Executives in the agent and automation space should take this as a forcing function: assume attackers will treat automated gates as targets, not as guarantees, and build defenses that work after the distribution step. AIR’s test is a warning shot because it is easy to replicate in spirit, and because it demonstrates scale without obvious harm, which is exactly how real security failures often begin.