
How a malicious AI agent skill passed security checks and reached 26,000 users
A fake AI agent skill that passed security checks reached over 26,000 users through Instagram, highlighting new risks as enterprises rely on AI-driven tools.
Some of the agents involved were tied to corporate accounts, AIR said. The company said a similar attack could have exposed private conversations and internal systems. AIR said no agents were harmed in the research and that the test payload collected only users’ email addresses so they could be notified.
The experiment centered on a skill called brand-landingpage, which was presented as a tool for helping users build a landing page with Google’s Stitch design tool. AIR said it chose the use case because it would appeal to non-technical ...