Security

SkillCloak Bypasses AI Agent Scanners with 90%+ Success Rate

Researchers demonstrate how malicious add-ons for AI coding assistants evade static detection, and propose runtime monitoring as the solution.

Omega Editorial· July 6, 2026· 3 min read

Malicious AI agent skills slip past static defenses

Researchers at Hong Kong University of Science and Technology have demonstrated that security scanners designed to catch malicious add-on "skills" for AI coding agents can be defeated with straightforward evasion techniques. Their most effective method bypassed every tested scanner more than 90% of the time.

Skills are small packages—typically a Markdown instruction file plus supporting scripts—that agents like Claude Code, OpenAI Codex, and OpenClaw load to gain new capabilities. Because skills execute with the agent's full permissions, a malicious one can steal credentials, exfiltrate source code, or install backdoors. Most public marketplace listings come from unvetted contributors.

The research team built a tool called SkillCloak that rewrites malicious skills to appear benign while preserving their harmful behavior. The lighter approach swaps flagged characters for look-alikes from different alphabets or splits commands across line breaks, breaking pattern matches without changing functionality. The heavier technique, self-extracting packing, hides the entire payload in directories scanners typically skip—like .git/—behind a harmless-looking decoder that reconstructs the skill only at runtime.

Testing against eight scanners and 1,613 real malicious skills from ClawHub marketplace, the packing method evaded each scanner more than 90% of the time, with most exceeding 99% evasion rates. The lighter rewriting cleared more than 80% on most scanners. Crucially, the disguised skills worked just as effectively as the originals when executed.

Runtime monitoring catches what static scans miss

Because appearance can be manipulated, the researchers propose behavior-based detection through their SkillDetonate tool. It runs skills in a sandbox and monitors operating-system-level actions: file access, write operations, and data transmission destinations.

The system tracks sensitive data by flow rather than appearance, defeating base64 encoding or encryption obfuscation. It also executes instructions that skills build only at runtime—precisely where packing techniques hide their payloads.

In controlled testing, the checker caught 97% of attacks while producing just 2% false positives, maintaining effectiveness even against cloaked skills. On real-world malicious skills, it achieved 87% detection. By contrast, Cisco's scanner—the strongest tested—dropped from 99% detection before cloaking to roughly 10% after.

The tradeoff is speed: a couple of minutes per skill versus seconds for static scanning, though this runs once before a skill goes live.

Why it matters

This isn't theoretical. Bitdefender found approximately 17% of skills on one marketplace contained hidden malicious code. Koi Security identified 341 malicious skills in a campaign called ClawHavoc, later growing to 824. Unit 42 discovered five evasive skills still live on ClawHub despite built-in scanning, including one that padded its README with 22 MB of junk to exceed the scanner's size limit—exactly the technique the research tests.

The fundamental problem is timing: scanners judge skills at submission, but malicious behavior emerges only at execution, after approval. A recent incident saw a clean GitHub repository lead Claude Code to open a reverse shell on a developer's machine—the malicious code was fetched at runtime from a DNS record, leaving nothing for static scans to detect.

For teams deploying AI coding agents, a "passed the scan" badge should be a starting point, not a guarantee. Practical defenses include monitoring runtime behavior—files touched, commands executed, data destinations—and watching for red flags like large or high-entropy files in typically-skipped directories, code that unpacks only at runtime, or files padded beyond reasonable size.

The research remains a preprint and hasn't undergone peer review, though the team has released their code. The work was first reported by The Hacker News, which notes the specific performance figures deserve the usual caution owed to early-stage research from a single group.

#ai security#malware evasion#ai agents#runtime detection#coding assistants#threat research

This is an original analysis by the Omega editorial team. Source reporting: AI Watch.

Want systems like this working for your business?

Book a Call

More in Security

Security· 3 min read

AI Poisoning: How Competitors Can Sabotage Your Brand in LLMs

Marketers face a new threat as rivals exploit AI search systems by planting misinformation across forums and review sites.

Via AI Watch · Jul 6, 2026
Security· 3 min read

Startup Sues Cybersecurity Firm Over AI Misidentification

MeetingTV alleges Koi Security's AI system wrongly flagged it as part of Chinese espionage network, triggering global service blocks.

Via AI Watch · Jul 5, 2026
Security· 3 min read

Meta Hired Contractors to Pose as Teens, Probe Rival AI Models

A secretive program sent nearly 50,000 disturbing prompts to ChatGPT, Gemini, and Character.AI without the companies' knowledge.

Via AI Watch · Jul 4, 2026