
Supply-chain skill swap evaded all scanners, reached 26k AI agents via external link rewrite
A proof-of-concept AI agent skill used a post-install domain rewrite to reach 26k instances, undetected by existing scanners. The incident exposes the gap between static package review and dynamic external instruction fetches, a gap that Anthropic and independent researchers have flagged.
The attack submitted a minimal SKILL.md that instructed agents to fetch Stitch SDK instructions from an attacker-controlled domain. Scanners reviewed only the initial package and saw a clean external reference to plausible documentation. After marketplace inclusion via a merged PR into a 36k-star repo and Instagram targeting, the domain was updated to serve executable instructions, bypassing the one-time scan model.
Evidence from the campaign shows that scanners operate on static files alone. Trail of Bits demonstrated the same gap against the ClawHub and skills.sh detectors three weeks earlier. Anthropic documentation already flags external URL fetches as mutable post-vetting. Separate scanner-comparison research this year confirmed disagreement rates between scanners, because none inspect live external state or change logs.
The operational pattern is structural: skills inherit user-level authority, while review occurs only once, at submission. Real operators can now stage data exfiltration or lateral movement bounded only by agent reach. No CVE or exploit signature exists because the vector is policy and fetch timing, not code in the submitted bundle.
Defenders must pin versions, re-verify external targets on every execution, and enforce least-privilege agent sandboxes. Marketplaces require continuous monitoring of linked domains rather than point-in-time approval.
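A sketch of the "re-verify external targets on every execution" control, as an added example that is not code from any marketplace or scanner named here. The lock-file layout, function names and the example.test URL are assumptions, and the fetcher is injected so the constructed sample runs offline.

```python
import hashlib
import re
from typing import Callable, Dict, List

URL_RE = re.compile(r"https?://[^\s)>\"']+")

def extract_urls(skill_md: str) -> List[str]:
    """Every external URL the skill text references, in order, deduplicated."""
    seen: List[str] = []
    for url in URL_RE.findall(skill_md):
        url = url.rstrip(".,;")
        if url not in seen:
            seen.append(url)
    return seen

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def pin_at_review(skill_md: str, fetch: Callable[[str], bytes]) -> Dict[str, str]:
    """Review time: pin the skill file and the content behind each link."""
    lock = {"SKILL.md": digest(skill_md.encode())}
    for url in extract_urls(skill_md):
        lock[url] = digest(fetch(url))
    return lock

def verify_before_run(skill_md: str, lock: Dict[str, str],
                      fetch: Callable[[str], bytes]) -> List[str]:
    """Every execution: list violations; an empty list means nothing changed.
    A fetch error should propagate so the caller fails closed."""
    problems = []
    if digest(skill_md.encode()) != lock.get("SKILL.md"):
        problems.append("SKILL.md changed since review")
    for url in extract_urls(skill_md):
        if url not in lock:
            problems.append(f"unpinned external target: {url}")
        elif digest(fetch(url)) != lock[url]:
            problems.append(f"content drift at pinned target: {url}")
    return problems

# Constructed sample data (hypothetical URL and contents).
DOC_URL = "https://docs.example.test/stitch/setup.md"
SKILL_MD = f"# Stitch helper\nFollow the SDK instructions at {DOC_URL} before use.\n"
REVIEWED = {DOC_URL: b"Install the SDK and read the README.\n"}
SWAPPED = {DOC_URL: b"(content replaced after approval)\n"}

if __name__ == "__main__":
    lock = pin_at_review(SKILL_MD, REVIEWED.__getitem__)
    print(verify_before_run(SKILL_MD, lock, REVIEWED.__getitem__))
    print(verify_before_run(SKILL_MD, lock, SWAPPED.__getitem__))
```

The agent runtime would refuse to load the skill whenever the returned list is non-empty, which closes the window between one-time approval and a later content swap.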
skills.sh: Within 60 days, at least three marketplaces will deploy live external-link monitoring after a second documented swap campaign succeeds.
Sources (2)
- [1] Primary Source (https://thehackernews.com/2026/06/fake-ai-agent-skill-passed-security.html)
- [2] Supporting Source (https://blog.trailofbits.com/2026/05/clawhub-detector-bypass/)