Malicious AI Skill Compromises 26,000 Agents via Security Scanner Bypass

A security experiment revealed that a malicious AI agent skill successfully compromised over 26,000 AI agents. The attackers exploited structural flaws in the vetting process of agent skills, creating a deceptive skill that appeared legitimate. By hosting malicious instructions on an external URL, they bypassed automated security scanners from major vendors, making the payload undetectable during initial inspections. This incident highlights significant vulnerabilities in the security measures for AI agents. The attack method leveraged the trust placed in external URLs, which allowed the malicious skill to remain hidden. The current status indicates ongoing discussions about the implications of this breach and potential remedial measures. No specific CVEs or tools were mentioned in the articles.

Key Points: • Over 26,000 AI agents were compromised through a deceptive skill. • The attack exploited flaws in the vetting process for AI agent skills. • Malicious instructions were hosted externally to bypass security scanners.