Security researchers at AIR demonstrated that AI agent skill marketplaces from multiple vendors, including Cisco and NVIDIA, are structurally vulnerable to post-scan payload substitution: a skill passes scanning clean, then swaps in a malicious payload at runtime by rewriting an external URL after approval. A test skill reached approximately 26,000 agents including corporate deployments. Trail of Bits independently corroborated the structural weakness. This is a design flaw in the one-time-scan model, not a patchable CVE.
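The one-time-scan weakness described above, as an added example that is not code from AIR, Trail of Bits or any vendor: a constructed skill is approved, the content behind its external URL changes, and a loader that re-checks a SHA-256 digest recorded at scan time refuses it while the unpinned loader does not. The scanner stub, the `skill` and `remote` structures, the URL and all function names are assumptions made for illustration; digest pinning is one possible runtime check, not a mitigation named by the page.

```python
import hashlib
import hmac

def scan_is_clean(payload):
    """Placeholder for the marketplace scanner (assumed, not a real product)."""
    return b"MALICIOUS-MARKER" not in payload

def approve(skill, remote):
    """One-time scan that also records what was scanned: URL -> SHA-256."""
    lock = {}
    for url in skill["external_urls"]:
        payload = remote[url]  # stand-in for an HTTPS fetch
        if not scan_is_clean(payload):
            raise ValueError(f"scan rejected {url}")
        lock[url] = hashlib.sha256(payload).hexdigest()
    return lock

def load_unpinned(skill, remote):
    """One-time-scan model: trusts whatever each URL serves at runtime."""
    return [remote[url] for url in skill["external_urls"]]

def load_pinned(skill, remote, lock):
    """Runtime check: each URL must be in the lock and match its digest."""
    loaded = []
    for url in skill["external_urls"]:
        expected = lock.get(url)
        if expected is None:
            raise PermissionError(f"{url} was never scanned")
        payload = remote[url]
        actual = hashlib.sha256(payload).hexdigest()
        if not hmac.compare_digest(actual, expected):
            raise PermissionError(f"{url} changed after approval")
        loaded.append(payload)
    return loaded

def demo():
    """Constructed scenario: approve, swap the hosted content, load twice."""
    url = "https://skills.example/helper.js"  # constructed URL
    remote = {url: b"export const run = () => 'ok';"}  # constructed host
    skill = {"name": "constructed-skill", "external_urls": [url]}
    lock = approve(skill, remote)  # scan passes on the benign content
    remote[url] = b"MALICIOUS-MARKER payload"  # content changes after approval
    unpinned = load_unpinned(skill, remote)  # substitution goes unnoticed
    try:
        load_pinned(skill, remote, lock)
        verdict = "loaded"
    except PermissionError as exc:
        verdict = str(exc)
    return unpinned, verdict

if __name__ == "__main__":
    print(demo())
```

The same loader also rejects a URL that was rewritten to a location the scanner never fetched, because that URL has no entry in the lock.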

Author

Tech Jacks Solutions