26,000 AI Agents Hijacked: How to Tell If an AI Skill Is Safe

A security firm just slipped a fake skill into a trusted marketplace, ran a single Instagram ad, and infected 26,000 AI agents before anyone noticed. Nobody got robbed. But the way they pulled it off should change how you download things.

A skill is a small add-on you hand your AI so it can do one specific job, like build a landing page or tidy up a spreadsheet. Drop it in and your AI suddenly knows how to do the thing. The exact person this was built for is not a coder. You see an ad that says "make a branded landing page, no code needed," you install it, and it feels like magic. That person is most of us.

The badge and the star count looked safe. The real payload lived on a page they could change after approval.

What Actually Happened

A company called AIR ran this as a controlled experiment, and the play was clean and simple. They built a fake skill, gave it a trustworthy home, and pointed normal people at it.

Here is the whole thing, start to finish:

They built a fake skill - called "landing page," promising a no-code branded site
They submitted it - to a popular marketplace with 36,000 stars, like any normal contribution
It got approved and merged - so it borrowed the marketplace's whole reputation
They ran one Instagram ad - aimed at marketers, designers, and salespeople, who installed it
Every scanner passed it - including Cisco's and Nvidia's, all marked it completely safe

They say it reached 26,000 agents, some on company accounts too.

The Honest Part

Credit where it is due, this was a test and nothing got stolen. The "malicious" code did one harmless thing: it collected an email address so they could tell people they had been caught.

A couple of things to keep in mind so you read this straight:

The 26,000 number is their claim - and they sell a paid fix, so hold the exact figure loosely
The method is the real story - it is simple, it works, and it needs your attention

What The Scanners Missed

The dangerous part was never in the files anyone checked. The skill just told your AI to go grab something from an outside web link, a fake copy of a real Google tool, and the actual payload lived on that page. A page they could quietly change anytime after it got approved.

So every trust signal you were trained to look for told you nothing. Here is what each one actually means:

The signal	What you think it means	What it actually means
Green "safe" checkmark	The code was checked	Only the files were checked
36,000 stars	Lots of people trust it	They trust the marketplace, not this
Approved and merged	A team vetted it	A stranger's code now wears the logo

A trusted marketplace hosting a stranger's skill is only as trustworthy as the stranger. The logo on top is borrowed.

Who You Are Actually Trusting

The thing that actually protects you is boring, and it is a person, not a badge. Trust specific people you have watched and vetted over time, and a real human you trust beats a star count every time.

This is the part nobody is warning you about. The accounts telling you to download this tool and that skill every single day, with zero mention of any of this, are the real exposure. Someone emailed me last week asking about skills, and it was clear he had been grabbing them from anyone with a confident post.

Trust the person - someone whose work you have actually followed over time
Not the brand name - a logo on top tells you nothing about what is underneath
Not the star count - it measures the marketplace's reputation, never the upload's

Build It Yourself When You Can

Something you built, you actually understand, and that is worth more than any time a stranger's skill saves you. When you can, it is safer to build the thing yourself than to grab it from someone you do not really trust.

This is not a random coder problem, it is actively happening in our world. Over the next few months you are going to see all of this everywhere, and some of it will be great while some will be exactly what just happened here.

Notion templates - dropped in front of you with a promise to do the work
AI skills - the exact surface this attack used
Skool freebies - handed out by people you have never actually vetted

A 60-Second Skill Audit

You already have everything you need to check this yourself. Open up whatever AI tools or skills you have installed, go down the list, and run each one through three quick questions.

Do I know who made this? - or did I install it because a post told me to
Does it reach an outside link? - anything that downloads or runs from the web is the one to watch
Did it come from an ad? - if yes, that is your answer

Anything that fails all three is worth pulling out today. It takes a minute and it is the cheapest insurance you will buy this week.

Vet It With Real People

Figuring out what is actually safe to run is hard to do alone, and that is most of why I built The Vibe Stack. It is a free spot where I only share the AI and Notion setups I actually run myself.

Before you install something you are unsure about, you can ask a real person who has used it:

Only vetted setups - the exact AI and Notion tools I run, nothing I have not touched
Ask before you install - a real human to sanity-check the thing you are about to download
Build alongside others - people setting up the same systems, in the open

Come vet your stack with people building right beside you. Start here: The Vibe Stack.

The badge and the star count looked safe. The real payload lived on a page they could change after approval.

What Actually Happened

A company called AIR ran this as a controlled experiment, and the play was clean and simple. They built a fake skill, gave it a trustworthy home, and pointed normal people at it.

Here is the whole thing, start to finish:

They built a fake skill - called "landing page," promising a no-code branded site
They submitted it - to a popular marketplace with 36,000 stars, like any normal contribution
It got approved and merged - so it borrowed the marketplace's whole reputation
They ran one Instagram ad - aimed at marketers, designers, and salespeople, who installed it
Every scanner passed it - including Cisco's and Nvidia's, all marked it completely safe

They say it reached 26,000 agents, some on company accounts too.

The Honest Part

Credit where it is due, this was a test and nothing got stolen. The "malicious" code did one harmless thing: it collected an email address so they could tell people they had been caught.

A couple of things to keep in mind so you read this straight:

The 26,000 number is their claim - and they sell a paid fix, so hold the exact figure loosely
The method is the real story - it is simple, it works, and it needs your attention

What The Scanners Missed

So every trust signal you were trained to look for told you nothing. Here is what each one actually means:

The signal	What you think it means	What it actually means
Green "safe" checkmark	The code was checked	Only the files were checked
36,000 stars	Lots of people trust it	They trust the marketplace, not this
Approved and merged	A team vetted it	A stranger's code now wears the logo

A trusted marketplace hosting a stranger's skill is only as trustworthy as the stranger. The logo on top is borrowed.

Who You Are Actually Trusting

The thing that actually protects you is boring, and it is a person, not a badge. Trust specific people you have watched and vetted over time, and a real human you trust beats a star count every time.

Trust the person - someone whose work you have actually followed over time
Not the brand name - a logo on top tells you nothing about what is underneath
Not the star count - it measures the marketplace's reputation, never the upload's

Build It Yourself When You Can

Notion templates - dropped in front of you with a promise to do the work
AI skills - the exact surface this attack used
Skool freebies - handed out by people you have never actually vetted

A 60-Second Skill Audit

You already have everything you need to check this yourself. Open up whatever AI tools or skills you have installed, go down the list, and run each one through three quick questions.

Do I know who made this? - or did I install it because a post told me to
Does it reach an outside link? - anything that downloads or runs from the web is the one to watch
Did it come from an ad? - if yes, that is your answer

Anything that fails all three is worth pulling out today. It takes a minute and it is the cheapest insurance you will buy this week.

Vet It With Real People

Figuring out what is actually safe to run is hard to do alone, and that is most of why I built The Vibe Stack. It is a free spot where I only share the AI and Notion setups I actually run myself.

Before you install something you are unsure about, you can ask a real person who has used it:

Only vetted setups - the exact AI and Notion tools I run, nothing I have not touched
Ask before you install - a real human to sanity-check the thing you are about to download
Build alongside others - people setting up the same systems, in the open

Come vet your stack with people building right beside you. Start here: The Vibe Stack.

26,000 AI Agents Hijacked: How to Tell If an AI Skill Is Safe

What Actually Happened

The Honest Part

What The Scanners Missed

Who You Are Actually Trusting

Build It Yourself When You Can

A 60-Second Skill Audit

Vet It With Real People

Related Articles

Your AI Is Stuck in a Chat Box (What an MCP Actually Is)

What an AI Agent Actually Is (Plain-English 2026 Guide)

Why You Stopped Using Your Notion Setup

Stay ahead of what's moving in AI.

26,000 AI Agents Hijacked: How to Tell If an AI Skill Is Safe

What Actually Happened

The Honest Part

What The Scanners Missed

Who You Are Actually Trusting

Build It Yourself When You Can

A 60-Second Skill Audit

Vet It With Real People

Related Articles

Your AI Is Stuck in a Chat Box (What an MCP Actually Is)

What an AI Agent Actually Is (Plain-English 2026 Guide)

Why You Stopped Using Your Notion Setup

Stay ahead of what's moving in AI.