Fake AI Agent Skill Passes Marketplace Scanners, Reaches 26,000 Agents
What Happened — Security firm AIR created a counterfeit AI‑assistant skill, submitted it to a popular skill marketplace, and promoted it via an Instagram ad. The skill was flagged as safe by every automated scanner the firm tested, yet it silently harvested the email address of each user and was installed on roughly 26,000 agents, including corporate‑managed devices.
Why It Matters for Compliance & Audit Readiness
- Demonstrates a gap in third‑party risk controls: automated marketplace scans alone cannot guarantee that a vendor‑supplied component is free of malicious behavior.
- SOC 2 vendor‑management criteria (CC6.1, CC6.2) require continuous monitoring of third‑party services and evidence that due‑diligence processes are effective over time.
- Continuous‑compliance programs need auditable proof that vendor‑risk assessments are validated against real‑world behavior, not just static scanner results.
Who Is Affected — Enterprises that integrate AI‑assistant skills (tech SaaS, contact‑center platforms, HR bots), AI marketplace operators, and any organization that permits employees to install third‑party skills on corporate devices.
Recommended Actions
- Re‑evaluate vendor‑risk policies to include behavioral testing of third‑party AI skills, not just static code scans.
- Map the incident to SOC 2 CC6.1 (Vendor Management) and CC7.1 (System Operations) controls; collect evidence of continuous monitoring and post‑deployment testing.
- Implement a process for periodic, independent penetration testing of marketplace‑delivered components, and retain logs as audit evidence.
Technical Notes — The malicious skill leveraged the marketplace’s skill‑submission workflow and an Instagram ad to drive installations. Its payload was limited to email collection, but the technique shows how a seemingly benign AI skill can bypass conventional vulnerability scanners. Source: The Hacker News