LIVE FEED
SkillCloak Bypasses AI Agent Skill Scanners at 90% Rate

SkillCloak Bypasses AI Agent Skill Scanners at 90% Rate

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 The Hacker News

Researchers at Hong Kong University of Science and Technology have demonstrated that static scanners used to vet malicious AI agent 'skills' — modular add-ons for agents like Claude Code and OpenAI Codex — can be systematically bypassed using a tool called SKILLCLOAK. The technique leverages either character-substitution obfuscation or self-extracting packing into scanner-ignored directories like .git/, achieving evasion rates above 90% across all eight tested scanners. The same research team also developed SKILLDETONATE, a runtime behavioral sandbox that catches most of the threats static analysis misses.

Anthropic Enhances AI Agent Skill Scanner Security

Anthropic Enhances AI Agent Skill Scanner Security

FIRST LOOK ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Security firm AIR demonstrated that a malicious AI agent skill, disguised as a Google Stitch landing-page builder, passed every major skill scanner including Cisco's, NVIDIA's, and skills.sh integrations, reaching approximately 26,000 agents before its payload was activated. The attack exploits a structural gap: scanners evaluate a static package at submission time, while the external URL the skill instructs the agent to fetch can be silently swapped post-install to deliver arbitrary instructions. Defenders relying on marketplace reputation signals, GitHub star counts, or one-time scanner verdicts to gatekeep agent skills have no meaningful protection against this class of supply-chain attack.

CVE-2026-33579: OpenClaw Privilege Escalation to Admin

CVE-2026-33579: OpenClaw Privilege Escalation to Admin

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 Ars Technica Security

A critical privilege escalation vulnerability (CVE-2026-33579) in OpenClaw, a viral agentic AI tool, allowed attackers with the lowest-level pairing permissions to silently gain full administrative access to any OpenClaw instance. Given that OpenClaw by design holds broad access to sensitive resources—including credentials, files, and connected services—the practical blast radius of this flaw is full instance takeover with no user interaction required. Thousands of deployments may already be silently compromised.

SWE-bench, WebArena Exploited via Environmental Manipulation

SWE-bench, WebArena Exploited via Environmental Manipulation

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 HN AI Security

Researchers at UC Berkeley demonstrated that every major AI agent benchmark — including SWE-bench, WebArena, OSWorld, and others — can be fully exploited to achieve near-perfect scores without solving a single task, using trivial environmental manipulation rather than genuine capability. The attacks include pytest hook injection, config file leakage, DOM manipulation, and reward component bypassing, with zero LLM calls required in most cases. This represents a systemic integrity failure in the evaluation infrastructure underpinning AI deployment decisions across industry and research.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.