Cyber Security

SkillCloak Lets Malicious AI Agent Skills Avoid Static Scanners By Stacking Them

Scanners designed to capture the additional malicious “skills” of AI coding agents can be fooled by a few simple changes that leave the malware running, according to new research from researchers at the Hong Kong University of Science and Technology.

Their strongest strategy skipped every scanner tested more than 90% of the time, and the same team developed a runtime scanner that catches most of the hidden capabilities that scanners miss.

Capabilities are small packages, usually a Markdown command file and a few scripts, that agents like Claude Code, OpenAI Codex, and OpenClaw upload to take on new capabilities. Because the capability is just a bunch of files, the same one can run on different agents. And it works with the agent’s own access: your files, your terminal, your saved passwords.

A bad guy can steal information, copy source code, or install a backdoor. Most listings on the public market are uploaded by strangers with little vetting.

The main defense so far has been a skill scanner, which reads skill files before installing them and blocks anything that looks dangerous. The paper, titled “Dress and Detonate,” checks to see if that’s really stopped. It’s not. Hitting scanners isn’t new, though.

Hacker News put researchers who pushed the fake skill through every scanner we faced, which by the company’s own count reached tens of thousands of agents. What this paper adds is a way to do it in an organized, scaled, and defensive way that still works if it happens.

How the hidden abilities pass

A tool for researchers, SKILLCLOAKrewrites a brutal skill to look cleaner while behaving exactly the same. It works in two ways.

A simple one rewrites the kupa-away bytes of the scan keys, using the paper operators: swap a character to look at another alphabet, or break a flagged command on a new line, so that the scan pattern is no longer the same but the command continues.

The heaviest, self-extracting packaging, moves all payloads to a directory that the scanner skips, such as .git/, behind a seemingly innocuous decoder that only rebuilds the skill when the agent runs it. Scanners skip those scripts to save time and cut out false alarms, which is a strategic blind spot.

In all eight scans and 1,613 malicious skills released on ClawHub, a public marketplace, the packaging strategy passed each of the eight more than 90% of the time, and most of them passed more than 99%.

A simple rewrite cleared over 80% on multiple scans and 96% on one. And cloaking costs the attacker almost nothing: in the Claude Code and the OpenAI Codex, the cloaked skills worked as well as the original.

Looking at what the skill does, not what it looks like

Since looks can be deceiving, researchers propose to test behavior instead, in a tool they call SKILLDETONATE. It uses the ability in the sandbox and looks at what it does at the operating system level: what it reads, what it writes, where it sends data.

Two ideas activate the agents. It tracks sensitive data where it flows rather than what it looks like, so base64 or encryption doesn’t throw it away. And it uses instructions that the skill builds only at runtime, which is where the packaging trick hides its payoff.

In a controlled trial, the tester caught 97% of attacks while falsely flagging 2% of safe skills, a lower false alarm rate than self-paced scanners, and no catch when skills are covered. In brutal real-world skills, it holds 87%.

The Cisco scanner, which has been extensively tested, went the other way: it captured 99% of real-world capabilities before wear and 10% after.

To catch the speed, a few minutes per skill compared to a few seconds of the scanner, or runs once, before the skill goes live. The work is a pre-print and has not yet been peer-reviewed; the researchers released their code.

It’s already happening in the wild

None of this is considered. Public markets are already full of malicious skills that scanners don’t stop: Bitdefender found about 17% of the skills it tested in one marketplace carried hidden malicious code, while Koi Security counted 341 in one campaign it called ClawHavoc, as THN reported, later 824 as the market grew.

Some use real paper tricks. Of the five Unit 42 evasion skills found to be still live on ClawHub despite its built-in scanning, one, omnicogg, padded its README with 22 MB of junk to slip past the scanner’s size, which uses the same size to check papers. Two others delivered Mac passwords, and two hijacked an agent’s financial advice to push affiliate links and rig meme-coin launches.

The working time gap reflects foreign talent markets, too. A clean-looking GitHub repository recently led Claude Code to open a reverse shell on a developer’s machine, giving the attacker remote control. The malicious code was never in the repo; the setup script fetched it at runtime from the DNS record, so the static scan had nothing to catch. Mozilla’s 0DIN team tracked down the series.

Related failures hit tool definitions that agents read through the Model Context Protocol. Microsoft warned that the toxic definition, which changed after the tool was approved, pushed the financial agent to quietly leak unpaid invoices. The methodology is different, but the broken assumption is the same: that what has passed the revision is what works.

A few limitations are worth mentioning clearly. No one is catching attackers using these exact stacking tactics at scale; real world situations here to escape to the side, not SKILLCLOAK itself. The runtime tester is a research prototype, robust in the lab but not tested in a live marketplace or under an attacker trying to avoid it. And every number of works are by the authors themselves, from a paper that has not been peer-reviewed. The guidance has good evidence; certain statistics deserve the general caution owed to the early work of one group.

That’s the real lesson, and that’s where the growing line of work comes together. The scanner judges a skill by how it looks when it is moved, but malicious behavior only shows up once the skill has started, after it has passed the scan. So the decision to trust should move from the market gate to the machine where the skill does it.

What should you hunt for? A paper slip leaves traces that a defender can look for, even with a successful scanning skill:

  • Files that are large or have high entropy are included in the directory the scanner usually skips, such as .git/ or build/.
  • Capabilities only unpack or compile code when it runs, rather than sending it explicitly.
  • Files are too thick to exceed a reasonable size, a trick that bypasses the capability under the scanner’s size cap.

None of this is evidence in itself. First flags are cheap, not a decision.

For teams using coding agents, that makes the “pass scan” badge a starting point, not a guarantee. Keep constant scanning as a cheap cleanup, but look at what the skill does when it runs: the files it touches, the commands it runs, and where it sends the data.

The paper offers concrete spaces as well, such as the ability to speed up when it is scanned and rechecked before each capture to capture payloads that are released later, and flagging capabilities that send opaque blobs to ignored folders or pad files that exceed the cap size. None of them close the gap on their own, which is the point: a strong defense is to observe behavior during operation.

Otherwise, only install from a vetted source, give agents the least access they need, and don’t use them on machines that store secrets that should be stolen.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button