Once the skill had gained distribution, AIR changed the content behind the fake Stitch documentation. The revised page instructed agents to download and run a script. In AIR’s test, that script collected the user’s email address, but the company said the same approach could have been used to compromise machines running the agent.
AIR said the experiment showed that AI agent skills cannot be assessed only by scanning their packaged files at the time of approval or installation. The issue, it said, is that a skill can pass review while still pointing an agent to a web page that changes later.
AI skills pose dependency risk
For security teams, the concern is not only that the skill passed review, but that its behavior could change after trust had already been granted.
The test suggests CISOs may need to treat AI skills as part of the enterprise software supply chain, rather than as simple prompts or text files, according to cybersecurity researcher Devashri Datta.
