Researchers at Israeli security firm Air Security published a proof-of-concept showing how an apparently harmless AI agent skill can be weaponized after the fact. They published a “clean” skill, let it build a track record of legitimate use and trust, then performed a classic “rug pull” — quietly swapping its behavior to malicious — and used it to gain control over 26,000 agents that had installed it.
The technique highlights a structural gap in how agent skills are currently trusted: approval and reputation are typically evaluated once, at install time, with no guarantee the skill’s behavior stays the same afterward.
Why it matters: Treat agent skills exactly like any third-party dependency: pin them to a hash and version, block them from pulling additional instructions from external domains, restrict tool/file permissions to the minimum needed, and monitor their behavior continuously after install.