A security research firm named AIR published a report on Monday that should make anyone running AI agents in a business context stop and think.
They built a fake skill for OpenClaw's ClawHub marketplace. Named it brand-landingpage. Said it would help you build landing pages using Google's Stitch design tool. Ran an Instagram ad targeting marketers, salespeople, and designers — the non-technical people on your team who are now your fastest AI adopters. And then they watched.
Every major skill scanner marked it safe: Cisco's, Nvidia's, skills.sh. All clean.
The skill reached roughly 26,000 agents. Including corporate accounts.
AIR then flipped a switch.
Here's the trick
The skill itself contained no malicious code. That's the point. Instead, it pointed the agent to an external URL — a stitch-design.ai domain AIR controlled, not Google's real Stitch at stitch.withgoogle.com. When the scanners checked the package, that URL pointed to clean, plausible documentation. Nothing to flag.
Once the skill had distribution, AIR changed what was behind that URL. The new page told the agent to download and run a script. In AIR's test, the script just collected the user's email address. In a real attack, it would have inherited everything the agent had access to: local files, cloud credentials, connected APIs, your email, your CRM, whatever your agent was wired up to do.
The scan happens once, at submission time. The URL it points to can be rewritten any time after.
There's no scanner that catches this, because there's nothing to catch at scan time.
Why your team is the target
The people most likely to install a skill like brand-landingpage are exactly who the Instagram ad targeted: marketers trying to automate their workflow, salespeople building sequences, designers who want to stop doing the repetitive stuff. Not your IT person. Your IT person isn't the one who cares about landing page builders.
These are also the people least likely to ask whether the skill they just installed now has access to every document your agent can reach.
OpenClaw agents, by default, inherit permissions over files, credentials, and connected services. A skill that runs inside the agent runs with the agent's identity. That means a malicious skill can read your inbox, exfiltrate documents, or pull API keys from your environment — all through your agent's own authenticated sessions, with no external network connection that looks suspicious.
This isn't theoretical. Palo Alto's Unit 42 research team documented hundreds of malicious skills already in ClawHub earlier this year delivering real infostealers — going after browser passwords, SSH keys, and cloud credentials. The AIR experiment just demonstrated a new evasion technique that makes scanner-based review meaningless.
The structural problem
AI agent skill marketplaces are, functionally, browser extension stores — except with broader system permissions and a user base that hasn't internalized the risk yet.
The browser extension model took years to go sideways. Legitimate extensions with millions of users got acquired and turned malicious overnight. Extensions pointing to external update servers changed behavior post-approval. It was a well-documented pattern, and browser vendors eventually added more friction.
AI skill marketplaces are at day one of that learning curve.
The current trust model assumes that if a skill passes a scan and has some GitHub stars, it's safe to install. The AIR experiment shows that's not true for static scanning. The existing ClawHavoc campaign shows it's not true for social signals either — malicious skills were professionally documented with convincing READMEs.
What's new in the AIR finding is that the attack can be completely invisible at install time, deferred to whenever the attacker decides to pull the trigger.
What your organization should actually do
Stop treating skill installs like app store downloads. Your team should not be installing marketplace skills without IT review — or at minimum, without someone checking what permissions that skill is requesting. Most orgs haven't thought about this at all yet. Now is the time.
Audit what's already installed. Open your OpenClaw dashboard (or whatever agent platform you're using), go to the Skills or Plugins section, and list everything there. For each skill: who installed it, when, from where, and what permissions does it have? This takes thirty minutes. Do it this week.
Pin versions and check authors. Don't install skills that pull from external URLs you don't control. If the skill requires fetching documentation or setup files from a domain you can't verify, that's a red flag. Prefer skills where all the code is in the repository itself.
Scope your agent's permissions down. If your agent doesn't need access to your file system, don't give it access to the file system. If it doesn't need cloud credentials, don't wire those in. The blast radius of a compromised skill is exactly as large as the permissions you've granted the agent. Most small teams wire everything in on day one and never revisit it.
Watch for unexpected network activity. A skill that's supposed to build a landing page shouldn't be making calls to external domains during normal operation. Enable logging on your agent and look at what it's actually reaching out to. You'll be surprised.
The broader pattern
We've written about the LiteLLM supply chain attack, the CrewAI RCE chain, the GitGuardian data on AI tools leaking API keys. There's a consistent thread: the attack surface for small orgs has quietly expanded with every new AI tool they've adopted.
The OpenClaw CVE wave back in April was about vulnerabilities in the agent software itself. This is different. This is about the trust model for how skills get installed and what they can do. Fixing CVEs is possible. Fixing a structural problem in how marketplaces validate dynamic content is slower and harder.
What AIR published this week isn't a niche research finding for security practitioners. It's a direct demonstration that the workflow your marketing team started using last month has a supply chain attack surface that looks clean to every automated check.
The interesting thing about AI agents is that they're often the most trusted, most connected, most permissioned tool in a small org's stack. The companies that stay safe over the next two years won't be the ones who stopped using agents — it's too late for that, and agents are genuinely useful. They'll be the ones who treated agent security with the same seriousness as server security.
For most small teams, that gap is still wide open.
Auditing AI agent deployments — what's installed, what permissions it has, what it's actually doing — is part of how we work with clients. If you want a second set of eyes on your stack, reach out.