Overview
Researchers at the Hong Kong University of Science and Technology have published findings showing that static scanners — the primary defensive layer for AI agent skill marketplaces — are systematically bypassable. Their tool, SKILLCLOAK, can rewrite malicious skills to evade detection while preserving full attack functionality. Tested against eight scanners and 1,613 real malicious skills sourced from ClawHub (a public skill marketplace), the heavier packing variant exceeded 90% evasion across every scanner, and surpassed 99% on most. This is not an isolated edge case — it is a reproducible, scalable attack pipeline.
AI agent skills are small packages — typically a Markdown instruction file plus scripts — that extend the capabilities of agents like Claude Code, OpenAI Codex, and OpenClaw. Crucially, skills execute with the agent’s inherited permissions: filesystem access, terminal privileges, and stored credentials. A malicious skill can exfiltrate source code, steal passwords, or plant persistent backdoors.
Technical Analysis
SKILLCLOAK operates via two distinct evasion mechanisms:
1. Lightweight Obfuscation This method targets the specific byte patterns that scanners use as detection signatures. Techniques include:
- Substituting flagged characters with Unicode homoglyphs from alternate alphabets
- Splitting flagged shell commands across newlines to break pattern matching
- Result: 80–96% evasion depending on the scanner
2. Self-Extracting Packing
The entire malicious payload is relocated into a directory that scanners routinely skip — most notably .git/ — to reduce false positives and processing overhead. A benign-looking decoder stub is left in the visible skill directory. When the agent executes the skill, the decoder reconstructs and runs the payload from the hidden directory.
skill/
├── README.md ← clean, passes scanner
├── setup.sh ← benign decoder stub
└── .git/
└── payload.sh ← actual malicious payload (scanner never reaches this)
The cloaked skills were confirmed to execute with identical effectiveness to the originals on both Claude Code and OpenAI Codex, meaning obfuscation introduces zero functional degradation for the attacker.
The researchers’ defensive counterpart, SKILLDETONATE, addresses the root cause of static analysis failure by shifting to runtime behavioral inspection. Running skills in an OS-level sandbox, it monitors file reads/writes, network egress, and sensitive data flows — tracking where data travels rather than what it looks like at rest.
Framework Mapping
- AML.T0010 (ML Supply Chain Compromise): Malicious skills are injected into public marketplaces with minimal vetting, directly compromising the agent’s operational environment.
- AML.T0015 (Evade ML Model): SKILLCLOAK’s obfuscation and packing techniques are purpose-built to defeat ML-based and signature-based scanners.
- LLM05 (Supply Chain Vulnerabilities): The skill marketplace ecosystem lacks integrity verification and sandboxed pre-installation analysis.
- LLM07 (Insecure Plugin Design): Skills inherit full agent permissions with no capability scoping or least-privilege enforcement.
- LLM08 (Excessive Agency): Agents execute skills with broad system access, amplifying the blast radius of any malicious skill.
Impact Assessment
The immediate risk is to individual developers using AI coding agents with marketplace-sourced skills. However, in enterprise environments where agents operate on shared infrastructure or CI/CD pipelines, a single malicious skill could result in broad credential compromise or intellectual property theft. The scale of exposure is compounded by cross-agent skill portability — one malicious skill package can target multiple agent platforms simultaneously.
Mitigation & Recommendations
- Do not rely on static scanners alone. This research confirms they are insufficient. Prioritise runtime behavioral analysis tools equivalent to SKILLDETONATE.
- Restrict skill installation sources. Implement allowlists for approved skill repositories; block installation from unvetted public marketplaces.
- Treat hidden directories as untrusted. Agent runtimes should flag or refuse execution of code originating from
.git/or similar scanner-blind paths. - Apply least-privilege to agent skill execution. Skills should not inherit full agent permissions; scope filesystem and network access per-skill.
- Audit existing installed skills for indicators of packing or homoglyph substitution in script files.
References
- The Hacker News — SkillCloak Article
- Original paper: Cloak and Detonate — Hong Kong University of Science and Technology (2026)