Security firm AIR conducted a controlled experiment publishing a fake AI agent "skill" in a popular agent ecosystem marketplace. The tool reached approximately 26,000 agents—including corporate accounts—despite no marketplace security scanner flagging it as malicious. The payload was deliberately harmless (email collection), but the experiment proved a real gap: AI agent ecosystems lack mature supply chain security mechanisms analogous to npm, PyPI, or the Chrome Web Store. For B2B companies deploying AI agents in operations, sales, and IT support, this is an alarm signal.
AI Agent Skills as New Supply Chain Vector
Skills/extensions for AI agents are modules extending agent capabilities—API integration, file access, email sending, code execution. Users install skills with one click, often without code review. In AIR's experiment, the skill passed automated scans and gained user trust through positive descriptions and branding. The 26,000 agent scale shows how quickly a malicious skill could spread in corporate environments.
In B2B context, an agent with CRM access, corporate knowledge base, and email could exfiltrate customer data, inject false responses, or escalate privileges via prompt injection—even with "harmless" PoC email collection, the precedent is clear.
AI Agent Security Policy
- Skill whitelist – only approved skills from internal catalog.
- Code review – mandatory skill code review before deployment.
- Sandbox – production agents without sensitive data access until audit.
- Monitoring – log all agent actions and alert on unusual API calls.
- No prod marketplace – block public marketplace installs on corporate accounts.
Parallel with Chrome Extensions and npm
History repeats patterns known from Chrome extensions (10M+ install backdoors) and npm supply chain—trust in marketplaces and automated scanners without human review leads to incidents. AI agent ecosystems are younger and less regulated—no SBOM for skills, no signed packages, immature vulnerability disclosure.
Organizations should treat AI agent deployment with the same rigor as new SaaS with production data access: DPIA, vendor assessment, security contract clauses, right to audit.
Secure Enterprise Agent Deployment
Through our AI solutions, we design agent architectures with governance layers: internal skill registry, RBAC on agent actions, test/prod data separation, and SIEM integration. Agents should not have write access to critical systems without human approval workflows.
IT departments should inventory: how many AI agents are in use, which skills are installed, who approved them. Shadow AI agents—like shadow IT—are growing risk.
AI Act and Skill Marketplaces
The EU AI Act introduces transparency and risk management requirements for high-risk AI systems. AI agents with customer data access may qualify—unaudited marketplace skills create compliance gaps. DPOs should assess whether external skill installation requires DPIA and whether marketplace vendors provide sufficient security guarantees.
Internal AI governance boards—with IT, legal, DPO, and business participation—should approve every skill before production deployment, analogous to SaaS application APM processes.
Technical Controls for AI Agent Marketplaces
IT should implement technical controls blocking public marketplace skill installation on corporate accounts: endpoint DLP, marketplace API-filtering proxies, Conditional Access policies blocking OAuth to unapproved AI applications. These controls supplement procedural policy—users should not bypass approval by installing skills on personal accounts connected to corporate data.
Quarterly approved skill reviews and unused skill removal reduce attack surface—analogous to quarterly IAM access reviews.
The AIR experiment shows marketplace scanners don't replace code review—organizations should require skill/open-source agent extension vendors provide public repositories with commit history and signed releases. Code opacity is a red flag in approval processes.
When deploying AI agents in customer-facing processes (support, sales), every skill affecting customer communication requires legal department approval—prompt injection risk in customer responses is reputational and legal threat.
Maintain a registry of all AI agents in the organization (shadow AI inventory)—analogous to CMDB. Without registries, the AIR experiment repeats in every company that doesn't know how many skills are actually installed.
Define maximum data classification level each AI agent skill may access—skills handling public marketing content should not share execution environment with agents accessing confidential contracts.
Conclusion
The AIR experiment proves supply chain gaps in AI agent ecosystems. 26,000 fake skill installations warn against mass deployment without governance. We invite AI security policy consultations through our AI solutions and IT services for businesses.
Source: The Hacker News – Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents