LIVE FEED
HIGH SkillCloak Bypasses AI Agent Skill Scanners with 90%+ Success Rate // HIGH Amazon Q VS Code Extension Flaw Enables Cloud Credential Theft via MCP // FIRST LOOK First Look: Chinese AI Firms Launch LLMs Rivalling US Frontier Models in Capability // CRITICAL LLM Agents Weaponised to Deliver Ransomware via Langflow Platform // HIGH Poisoned MCP Tool Descriptions Enable Silent Data Exfiltration via AI Agents // HIGH Fake Bug Reports Weaponised to Hijack AI Coding Agents at Scale // CRITICAL Zero-Click Prompt Injection Flaws in Cursor IDE Enable OS-Level Code Execution // FIRST LOOK First Look: Current AI Launches Open Source AI Gap Map Indexing 421 Projects // HIGH DeepSeek Turns LLM Hallucination Into Working Browser-Only Ransomware Technique // CRITICAL Prompt Injection Chain Breaks Cursor AI Sandbox, Enables Full RCE //
ATLAS OWASP HIGH Significant risk · Prioritise patching RELEVANCE ▲ 8.5

SkillCloak Bypasses AI Agent Skill Scanners with 90%+ Success Rate

TL;DR HIGH
  • What happened: SKILLCLOAK systematically evades all tested AI agent skill scanners with over 90% success using packing techniques.
  • Who's at risk: Developers and organisations using AI coding agents (Claude Code, OpenAI Codex) that install skills from public marketplaces are directly exposed to credential theft, code exfiltration, and backdoor installation.
  • Act now: Audit all installed AI agent skills and remove any sourced from unvetted public marketplaces · Deploy runtime behavioral monitoring (sandbox-based) rather than relying solely on static skill scanners · Apply strict allowlisting for skill directories and flag or block execution from paths like .git/ at the agent runtime level
SkillCloak Bypasses AI Agent Skill Scanners with 90%+ Success Rate

Overview

Researchers at the Hong Kong University of Science and Technology have published findings showing that static scanners — the primary defensive layer for AI agent skill marketplaces — are systematically bypassable. Their tool, SKILLCLOAK, can rewrite malicious skills to evade detection while preserving full attack functionality. Tested against eight scanners and 1,613 real malicious skills sourced from ClawHub (a public skill marketplace), the heavier packing variant exceeded 90% evasion across every scanner, and surpassed 99% on most. This is not an isolated edge case — it is a reproducible, scalable attack pipeline.

AI agent skills are small packages — typically a Markdown instruction file plus scripts — that extend the capabilities of agents like Claude Code, OpenAI Codex, and OpenClaw. Crucially, skills execute with the agent’s inherited permissions: filesystem access, terminal privileges, and stored credentials. A malicious skill can exfiltrate source code, steal passwords, or plant persistent backdoors.

Technical Analysis

SKILLCLOAK operates via two distinct evasion mechanisms:

1. Lightweight Obfuscation This method targets the specific byte patterns that scanners use as detection signatures. Techniques include:

  • Substituting flagged characters with Unicode homoglyphs from alternate alphabets
  • Splitting flagged shell commands across newlines to break pattern matching
  • Result: 80–96% evasion depending on the scanner

2. Self-Extracting Packing The entire malicious payload is relocated into a directory that scanners routinely skip — most notably .git/ — to reduce false positives and processing overhead. A benign-looking decoder stub is left in the visible skill directory. When the agent executes the skill, the decoder reconstructs and runs the payload from the hidden directory.

skill/
├── README.md          ← clean, passes scanner
├── setup.sh           ← benign decoder stub
└── .git/
    └── payload.sh     ← actual malicious payload (scanner never reaches this)

The cloaked skills were confirmed to execute with identical effectiveness to the originals on both Claude Code and OpenAI Codex, meaning obfuscation introduces zero functional degradation for the attacker.

The researchers’ defensive counterpart, SKILLDETONATE, addresses the root cause of static analysis failure by shifting to runtime behavioral inspection. Running skills in an OS-level sandbox, it monitors file reads/writes, network egress, and sensitive data flows — tracking where data travels rather than what it looks like at rest.

Framework Mapping

  • AML.T0010 (ML Supply Chain Compromise): Malicious skills are injected into public marketplaces with minimal vetting, directly compromising the agent’s operational environment.
  • AML.T0015 (Evade ML Model): SKILLCLOAK’s obfuscation and packing techniques are purpose-built to defeat ML-based and signature-based scanners.
  • LLM05 (Supply Chain Vulnerabilities): The skill marketplace ecosystem lacks integrity verification and sandboxed pre-installation analysis.
  • LLM07 (Insecure Plugin Design): Skills inherit full agent permissions with no capability scoping or least-privilege enforcement.
  • LLM08 (Excessive Agency): Agents execute skills with broad system access, amplifying the blast radius of any malicious skill.

Impact Assessment

The immediate risk is to individual developers using AI coding agents with marketplace-sourced skills. However, in enterprise environments where agents operate on shared infrastructure or CI/CD pipelines, a single malicious skill could result in broad credential compromise or intellectual property theft. The scale of exposure is compounded by cross-agent skill portability — one malicious skill package can target multiple agent platforms simultaneously.

Mitigation & Recommendations

  1. Do not rely on static scanners alone. This research confirms they are insufficient. Prioritise runtime behavioral analysis tools equivalent to SKILLDETONATE.
  2. Restrict skill installation sources. Implement allowlists for approved skill repositories; block installation from unvetted public marketplaces.
  3. Treat hidden directories as untrusted. Agent runtimes should flag or refuse execution of code originating from .git/ or similar scanner-blind paths.
  4. Apply least-privilege to agent skill execution. Skills should not inherit full agent permissions; scope filesystem and network access per-skill.
  5. Audit existing installed skills for indicators of packing or homoglyph substitution in script files.

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.