PERMISSION/PROTOCOL
Back to incident tracker

2026-06-23

HighVendor post

Fake AI Agent Skill Bypassed All Security Scanners and Reportedly Reached 26,000 Agents via Staged External Payload

AIR Security built a fake agent skill that bypassed Cisco, NVIDIA, and skills.sh scanners to reach ~26,000 agents by staging its malicious payload at an external URL the scanners never check.

AIR Security / brand-landingpageTool execution / MCPFake skill / staged external payload bypassAI agent runtime / skill execution context across ClawHub and skills.sh

What happened

AIR’s fake skill instructed agents to fetch installation docs from stitch-design.ai, an AIR-controlled domain. After achieving wide installation, AIR replaced the page content to instruct agents to download and run a script that exfiltrated the user’s email address.

Why it matters

Approximately 26,000 agents (including corporate accounts, per AIR’s count) executed instructions from an attacker-controlled external URL. The live payload harvested email addresses; a real operator using the same technique could have read files, exfiltrated credentials, or accessed internal systems bounded only by the agent’s permissions.

Missing authorization check

An authorization gate requiring explicit approval before a skill can instruct an agent to fetch and execute external content — enforced at runtime, not just at install-time package scan.

Would PP block it?

PP’s enforcement sits at the action layer, not the skill installation layer. File reads, network calls, and script executions triggered by the swapped external page would each require a PP-signed receipt from an authority outside the skill. The initial email-harvest network request might not reach PP’s enforcement boundary depending on agent configuration. What PP closes: a compromised skill cannot instruct arbitrary high-privilege actions (file mutation, shell execution, credential access) without an explicit authorization receipt.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-06-03

    Trail of Bits publishes research showing the same scanner-bypass technique against ClawHub’s detector, Cisco’s scanner, and all three scanners in skills.sh.

  2. 2026-06-23

    AIR Security publishes its brand-landingpage experiment, claiming approximately 26,000 agent installs including corporate accounts via ClawHub and an Instagram ad.

  3. 2026-06-23

    The Hacker News covers the AIR research; notes scale figures are unconfirmed but independently demonstrates the external-link blind spot in static scanners.

  4. 2026-06-24

    CSO Online and The Next Web confirm scanners judge only the submitted package — not live external links — and that real campaigns have used the technique for months.

Technical breakdown

  • brand-landingpage shipped no malicious code. It instructed agents to install the Stitch SDK by fetching docs from stitch-design.ai — an AIR-controlled domain that initially mirrored genuine Google Stitch docs, so scanners cleared it.
  • All three tested scanners (Cisco, NVIDIA, skills.sh) analyze only the submitted package at install time. None fetch or monitor the external URLs the skill points to, creating a permanent blind spot for staged payloads.
  • Stars were boosted by merging a PR into a 36K-star skill marketplace repository, giving the skill inherited social proof that required no code review and is indistinguishable from genuine popularity.
  • After achieving approximately 26,000 installs, AIR swapped the content at stitch-design.ai to instruct agents to download and run a script — demonstrating time-delayed staged payloads that fully bypass install-time scanning.
  • The attack exploits the structural gap between static package scanning and dynamic runtime instruction: scanners check a snapshot; attackers control what agents fetch at runtime.

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Runtime Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at
File mutation gate, shell execution gate, external API call gate
Still needs
Skill installation path and the initial external URL fetch are not within PP’s enforcement boundary; the staged-payload scanner-bypass technique is not stopped at the registry layer
Receipt required for
Script execution, file reads, and external network calls made on behalf of skill instructions fetched from external URLs

PP receipts are signed at the action layer. A skill pointing at an external URL for instructions cannot produce a PP-signed receipt for the high-impact actions that external page instructs the agent to perform — the authority chain is external to the skill installation path.

Related incidents and controls

High2026-06-22

23 ClawHub Plugins Published Under Official @openclaw/ and @clawhub/ Scopes by Unauthorized Accounts, Exposing Claude Code and Cursor to Supply Chain Risk

Critical2026-02-05

ClawHavoc: 1,184 Malicious Skills Uploaded to OpenClaw ClawHub Marketplace Delivering Atomic Stealer Targeting API Keys, SSH Creds, and Browser Passwords

High2026-05-19

TrapDoor Cross-Ecosystem Supply Chain: 34 Packages Planted Hidden AI Instructions in CLAUDE.md and .cursorrules to Poison Coding Assistants on Developer Machines

Critical2026-06-07

Hades Python Wave Stole 294,842 Secrets from 6,943 Developer Machines by Poisoning AI Tool Config Files and PyPI Startup Hooks

Runtime Gate Audit Receipt

Start small

Put the relevant gate at this action boundary.

This incident maps to Runtime Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.

Replay this incident with a signer in the loop