Your AI agent skills just passed every security scanner. All 26,000 of them were compromised.

Researchers at AIR built a malicious AI agent skill in under an hour.

They submitted it to a popular open-source repository with 36,000 GitHub stars.

The PR was merged in days.

Then they ran an Instagram ad.

26,000 agents installed it. Including corporate accounts.

Every security scanner - Cisco, Nvidia, skills.sh - cleared it as safe.

Here's why static scanning is now theater.

The skill pointed to a fake Google Stitch domain. At install time, it redirected to the real one. Nothing suspicious.

After gaining trust and distribution, AIR flipped a switch. The same URL now delivered a script that collected email addresses from every machine that ran it.

The payload could have been anything. AWS keys. GitHub tokens. Internal system credentials. The researchers stopped at emails to prove the point.

Your CISO's security stack just failed at the first layer of the AI supply chain.

Skills are not prompts. They are executable instruction bundles that inherit agent permissions. The enterprise that treats them like text files is the enterprise that gets breached through its own tools.

Audit every AI agent skill in your environment today. If it references an external URL you don't control, you are one domain change away from a full compromise.

SOURCE: https://www.air.security/blog-posts/the-story-of-skills
VERIFIED: AIR Security primary disclosure, CSO Online June 24 2026, Digital Applied analysis June 23 2026
SIGNAL: Static security scanning just proved it cannot protect enterprise AI agents. Every CISO running AI tools needs to see this before their next board meeting.