It looked like an ordinary AI agent skill, promoted through a harmless Instagram ad. Instead, it was a cybersecurity experiment that exposed deep cracks in the ecosystem of intelligent assistants: a fake skill built by security firm AIR managed to bypass every security scanner tested, reaching roughly 26,000 agents, including those running on corporate accounts. The payload, by design, was harmless – it only collected non-sensitive test data. But the message is clear: trust placed in skill marketplaces can become an attack vector that slips past unnoticed.
A deception built to pass every check
AIR built an artificial skill disguised as a useful tool, uploaded it to a popular AI agent marketplace, and promoted it with an Instagram ad campaign. The goal was to see whether automatic validation mechanisms – often based on static code analysis and lightweight sandboxes – could recognize a potentially malicious component. The answer was a dry “no”: every security scanner that was put to the test marked the skill as safe. The skill accumulated around 26,000 installations, even reaching corporate environments where agents operate with access to internal data and processes.
The dynamic recalls well-known issues with traditional app stores, but the stakes are higher here. An AI agent does not simply perform isolated actions; it can interact with knowledge bases, call APIs, read conversations. A malicious skill could exfiltrate information, manipulate decision flows, or pave the way for more complex attacks, all without the scanners detecting anything.
Corporate agents in the crosshairs (even if only a simulation)
That the experiment also infected corporate accounts is not a colorful detail: it shows that the AI software supply chain is a weak link even for the most structured organizations. Many companies are integrating agents into workflows, but they often rely on public marketplaces to extend functionality, overlooking the fact that every installed skill effectively becomes code running inside the application perimeter.
Those who adopt on-premise or self-hosted deployments have wider protection margins, because they can decide not to rely on external registries at all, curating an internal repository of verified skills. For those evaluating a local architecture, the AIR case warns against the temptation to save time by tapping into insufficiently controlled third-party components. The trade-off is between speed of integration and security assurance: choosing a private stack forces investment in skill governance, but it returns control over what actually gets executed.
Why data sovereignty requires code control too
When we talk about data sovereignty and regulatory compliance, the mind immediately goes to where data physically resides and how it is processed. This incident signals that the risk surface extends to third-party code executed inside agents, even when the LLM and data stay on-premises. A fake skill could read data in plaintext during execution, without even needing to transmit it externally, because it operates with the same privileges as the agent.
In an on-premise scenario, it is possible to enforce code-signing policies, manual skill review, and confined execution environments. However, automatic scanning tools alone prove fragile. AIR’s experiment shows how necessary it is to layer multiple defenses: human review, behavioral testing, and limiting skill capabilities to what is strictly necessary. Data sovereignty, in short, is a project that demands scrutiny not only of the data but of every line of code that touches it.
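The controls described in the two passages above (an internally curated registry of verified skills, a signing step after human review, and restricting each skill to the capabilities it strictly needs) can be combined into a single admission gate in front of the agent. The following is an added example written for this article, not code from AIR, AI-RADAR or any marketplace; the skill format, registry layout, capability names and signing key are all constructed assumptions. It uses only the Python standard library: the review team signs a canonical manifest (name, version, code digest, approved capabilities) with an HMAC key, and the agent refuses any skill that is unlisted, whose code digest has drifted, whose registry entry no longer matches its signature, or that asks for more than it was approved for.

```python
"""Admission gate for an internally curated AI-agent skill registry.

Added illustration for the article above; every name, key and skill here is
a constructed assumption, not part of any real marketplace or product.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Key held by the internal review team. In a real deployment it lives in an
# HSM or secrets manager, never in source; this value is constructed for the example.
REVIEW_SIGNING_KEY = b"example-internal-review-key-do-not-use"

# The only capabilities an agent knows how to grant. Deny by default: a
# request for anything outside this set is refused outright.
KNOWN_CAPABILITIES = {"read:public_docs", "read:crm", "net:egress", "exec:shell"}


@dataclass(frozen=True)
class Skill:
    """A skill as presented at install time (hypothetical format)."""
    name: str
    version: str
    code: bytes
    requested_caps: frozenset


@dataclass
class RegistryEntry:
    """What the review team publishes into the internal registry."""
    sha256: str            # digest of the exact reviewed code
    allowed_caps: frozenset  # least-privilege set granted during review
    signature: str         # hex HMAC-SHA256 over the canonical manifest


def canonical_manifest(name, version, sha256, allowed_caps):
    """Deterministic JSON so the signature binds exactly these fields."""
    return json.dumps(
        {"name": name, "version": version, "sha256": sha256,
         "allowed_caps": sorted(allowed_caps)},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def sign_entry(name, version, code, allowed_caps, key=REVIEW_SIGNING_KEY):
    """Run by the review team after manual and behavioral review passes."""
    digest = hashlib.sha256(code).hexdigest()
    manifest = canonical_manifest(name, version, digest, allowed_caps)
    sig = hmac.new(key, manifest, "sha256").hexdigest()
    return RegistryEntry(digest, frozenset(allowed_caps), sig)


def verify_skill(skill, registry, key=REVIEW_SIGNING_KEY):
    """Return (ok, reason); ok is True only when every layer passes."""
    entry = registry.get((skill.name, skill.version))
    if entry is None:
        return False, "not in internal registry"
    # Layer 1: the code being installed is byte-for-byte what was reviewed.
    actual = hashlib.sha256(skill.code).hexdigest()
    if not hmac.compare_digest(actual, entry.sha256):
        return False, "code digest mismatch (tampered or different build)"
    # Layer 2: the registry entry itself has not been altered since signing
    # (e.g. someone widening allowed_caps without going through review).
    manifest = canonical_manifest(skill.name, skill.version, entry.sha256, entry.allowed_caps)
    expected_sig = hmac.new(key, manifest, "sha256").hexdigest()
    if not hmac.compare_digest(expected_sig, entry.signature):
        return False, "registry entry signature invalid"
    # Layer 3: least privilege; the skill gets no more than review approved.
    unknown = skill.requested_caps - KNOWN_CAPABILITIES
    if unknown:
        return False, f"unknown capabilities requested: {sorted(unknown)}"
    excess = skill.requested_caps - entry.allowed_caps
    if excess:
        return False, f"capabilities beyond approval: {sorted(excess)}"
    return True, "approved"


# Constructed sample skill: a summarizer that only needs public documents.
SUMMARIZER_CODE = b"def run(ctx):\n    return summarize(ctx.read('public_docs'))\n"


def build_registry():
    """Registry with one reviewed skill (constructed sample)."""
    return {("doc-summarizer", "1.0.0"):
            sign_entry("doc-summarizer", "1.0.0", SUMMARIZER_CODE, {"read:public_docs"})}


def demo():
    """Exercise the gate against the approved skill and four failure modes."""
    registry = build_registry()
    caps = frozenset({"read:public_docs"})
    # Registry copy where allowed_caps was widened without re-signing.
    forged = dict(registry)
    e = forged[("doc-summarizer", "1.0.0")]
    forged[("doc-summarizer", "1.0.0")] = RegistryEntry(e.sha256, e.allowed_caps | {"net:egress"}, e.signature)
    cases = {
        "approved": (Skill("doc-summarizer", "1.0.0", SUMMARIZER_CODE, caps), registry),
        "tampered": (Skill("doc-summarizer", "1.0.0", SUMMARIZER_CODE + b"# extra\n", caps), registry),
        "unlisted": (Skill("free-coupon-finder", "2.1.0", b"pass\n", caps), registry),
        "overreach": (Skill("doc-summarizer", "1.0.0", SUMMARIZER_CODE, caps | {"net:egress"}), registry),
        "forged": (Skill("doc-summarizer", "1.0.0", SUMMARIZER_CODE, caps | {"net:egress"}), forged),
    }
    return {label: verify_skill(s, r) for label, (s, r) in cases.items()}


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:10s} {'ALLOW' if ok else 'DENY ':5s} {reason}")
```

The ordering matters: the digest is checked before the signature so that a rebuilt skill is reported as a code change rather than a registry problem, and the capability comparison runs last because it only means something once the entry is known to be authentic. Swapping the HMAC for an asymmetric signature (so the agent holds only a public key) is the natural next step, but the layering is the same.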
Beyond the scanner: what this episode teaches us
The story of the fake skill is not a catastrophic data breach, but a wake-up call arriving just as AI agent adoption accelerates. Skill marketplaces will become increasingly popular, yet their security still relies on checks that can be bypassed. Those preparing an on-premise deployment, or simply wanting to protect sensitive workloads, should view the AIR case as a spur to build an internally managed skill ecosystem, where trust is not blindly delegated to static analysis.
The absence of any scanner alerts, combined with the simplicity of the attack, highlights a gap that the technical community must close quickly. For AI-RADAR, which closely watches autonomous implementations, the experiment suggests that the real differentiating value of an on-premise stack is not only control over data residency, but the ability to fully close the software supply chain, making every component verifiable and every execution traceable.