Abstract illustration of an AI agent skill inside a containment shell, security scanners in the background, deep navy and teal palette, no human figures, no readable text

SkillCloak shows AI agent skills can hide malware from every scanner

AIntelligenceHub
··5 min read

An HKUST team tested 1,613 malicious skills from ClawHub against eight scanners. The packing trick got past every scanner more than 90% of the time.

Researchers at the Hong Kong University of Science and Technology tested 1,613 malicious skills pulled from ClawHub against eight common scanners and watched each one miss more than 90 percent of the attacks. The SkillCloak packing trick hides a skill's payload in a folder the scanner skips and unpacks it only when the agent runs, and it lands the same week Bitdefender said 17 percent of skills on a separate marketplace carried hidden malware.

Why static scanning breaks for agent skills

The paper, titled Cloak and Detonate, makes a simple point: a skill is judged by what it looks like at submission, and the malicious behavior only shows up after the agent runs the skill. A scanner is the wrong tool for that problem. Skills are small bundles, usually a Markdown instruction file plus a few scripts, that agents like Claude Code, OpenAI Codex, and OpenClaw load to pick up a new capability. They run with the agent's own access, which means the user's files, the user's terminal, and any saved passwords are all reachable from inside the skill. The defense that the marketplace gate uses today, a static scanner, reads the files before install and blocks anything that looks dangerous. SkillCloak shows the gate is open.

The runtime gap shows up outside skill marketplaces too. A clean-looking GitHub repository recently led Claude Code to open a reverse shell on the developer's own machine, handing the attacker remote control, as covered in this prior AIntelligenceHub analysis of the same attack pattern. The malicious code was never in the repo. The setup script fetched it at runtime from a DNS record, so a static scan had nothing to catch. Mozilla's 0DIN team traced the chain. A related failure hits the tool descriptions that agents read through the Model Context Protocol, where Microsoft warned that a poisoned description, changed after the tool was approved, quietly pushed a finance agent into leaking unpaid invoices. The same gap is showing up in the enterprise AI governance checklist as a near-universal blind spot for teams shipping agent deployments.

The two tricks in the SkillCloak paper

The first trick is light. The malware rewrites the give-away bytes a scanner keys on, using the paper's own operators, such as swapping a character for a look-alike from another alphabet or splitting a flagged command across a newline. The scanner's pattern no longer matches, but the command still runs. Across the eight scanners, the lighter rewriting cleared more than 80 percent of detections on most scanners and 96 percent on one. The disguise costs the attacker almost nothing: on Claude Code and OpenAI Codex, the cloaked skills worked just as well as the originals.

The second trick is the one that earns the name SkillCloak. Self-extracting packing moves the whole payload into a directory the scanner skips, such as `.git/`, behind a harmless-looking decoder that rebuilds the skill only when the agent runs it. Scanners skip these directories to save time and cut false alarms, which is exactly the blind spot the trick exploits. Across the same eight scanners, the packing trick got past each of them more than 90 percent of the time, and past most of them more than 99 percent. The numbers are not subtle. The defense is not working.

Since appearance can be faked, the researchers propose checking behavior instead, in a tool they call SKILLDETONATE. It runs the skill in a sandbox and watches what it does at the operating-system level, including what it reads, what it writes, and where it sends data. Two ideas make it work for agents. It tracks sensitive data by where it flows rather than what it looks like, so base64 or encryption does not throw it off. And it runs the instructions a skill builds only at runtime, which is exactly where the packing trick hides its payload. In a controlled test, SKILLDETONATE caught 97 percent of attacks while wrongly flagging 2 percent of safe skills, a lower false-alarm rate than the scanners it beats, and it held steady when the skills were cloaked. On real-world malicious skills, the checker caught 87 percent. The catch is speed, a couple of minutes per skill against a scanner's few seconds, though the runtime check runs once before a skill goes live, not on every run. The work is a preprint and has not yet been peer-reviewed, and the researchers have released their code so the marketplace scanners can integrate it.

The real-world pattern across ClawHub and ClawHavoc

The real-world pressure is already on. Bitdefender found that roughly 17 percent of the skills it checked on one marketplace carried hidden malicious code, and Koi Security counted 341 in a single campaign it called ClawHavoc, as The Hacker News reported, later 824 as the marketplace grew. Some use the paper's exact tricks. Of five evasive skills Unit 42 found still live on ClawHub despite its built-in scanning, one called omnicogg padded its README with 22 MB of junk to slip past the scanner's size cap, which is the same size-padding operator the paper tests. Two more delivered Mac password-stealers, and two hijacked the agent's financial advice to push affiliate links and rig mem-coin trades. The same week Microsoft published the MCP tool-description warning, and the same day the HKUST team put their paper up. The pattern is converging on a single lesson, which is that static scanning at the marketplace gate is not a defense against runtime attacks.

For teams using coding agents, that makes a passed the scan badge a starting point, not a guarantee. Keep static scanning as cheap hygiene, but watch what a skill does when it runs, including the files it touches, the commands it runs, and where it sends data. The paper offers concrete stopgaps too, such as hashing a skill when it is scanned and re-checking before each run to catch payloads that unpack later, flagging skills that ship opaque blobs in ignored folders, and padding files past a size cap. None of those close the gap on their own, and that is the point. The durable defense is watching behavior at runtime, not a scanner that judges appearance at the gate. The trust decision has to move from the marketplace gate to the machine where the skill executes, and a 90 percent miss rate is not a tuning problem. It is a design problem, and the design has to start from the assumption that what passed review is not what runs.

Weekly newsletter

Get a weekly summary of our most popular articles

Every week we send one email with a summary of the most popular articles on AIntelligenceHub so you can stay up-to-date on the latest AI trends and topics.

One weekly email. No sponsored sends. Unsubscribe when you want.

Comments

Every comment is reviewed before it appears on the site.

Comments stay pending until review. Posts with more than two links are held back.

Related articles