Skip to main content
CybersecurityHacking

Malicious AI Skills Evade Scanners With Self-Extracting Packing

Researcher works on laptop in lab while computer screen displays obscured code.

The paper's strongest trick "got past each of the eight [scanners] more than 90% of the time," the researchers report — a stark metric that puts a familiar assumption under pressure: that static review of an AI agent "skill" is a reliable gatekeeper.

SKILLCLOAK: look‑alike bytes and self‑extracting packing

Researchers at the Hong Kong University of Science and Technology built a tool, SKILLCLOAK, that systematically disguises malicious skills so they appear benign to static scanners while running identically at execution. SKILLCLOAK uses two main techniques. The lighter method rewrites obvious byte patterns that scanners key on — for example, swapping a character for a visually similar letter from another alphabet or splitting a flagged command across a newline so the scanner's pattern no longer matches but the agent still executes the command.

The heavier technique — "self‑extracting packing" — moves the entire malicious payload into directories scanners commonly skip, such as .git/ or build/, and places a harmless decoder in plain view that reconstructs the skill only at runtime. Scanners skip such directories to save time and cut false alarms; the researchers demonstrate that skipping becomes a blind spot when attackers exploit it.

Static scanners versus SKILLDETONATE, a runtime checker

Static scanners examine a skill's files before installation. The paper tested eight scanners against 1,613 real malicious skills pulled from the ClawHub marketplace. The packing trick bypassed every one of the eight scanners more than 90% of the time and passed most of them more than 99% of the time; the lighter rewriting method cleared more than 80% on most scanners and 96% on one.

To counter disguises that change appearance but not behavior, the authors propose SKILLDETONATE: a runtime checker that runs a skill inside a sandbox and watches operating‑system‑level behavior — what files a skill reads and writes, and where it sends data. Two features make SKILLDETONATE practical for agent skills: it tracks sensitive data by flow rather than by appearance (so base64 or encryption doesn't blind it), and it executes the code the skill assembles at runtime, which is where packed payloads reveal themselves.

In a controlled test SKILLDETONATE detected 97% of attacks while falsely flagging 2% of safe skills; on the same set of real‑world malicious skills it caught 87%. By contrast, Cisco's scanner detected 99% of the real‑world skills before cloaking and roughly 10% after. The trade‑off is speed: SKILLDETONATE takes a couple of minutes per skill versus a scanner's few seconds, although it would run once before a skill goes live. The work is a preprint that has not yet been peer‑reviewed, and the researchers have released their code.

Marketplace evidence: ClawHub, ClawHavoc, Unit 42, Bitdefender, and Mozilla

These techniques are not merely theoretical. Public marketplaces already host malicious skills that static scanners miss. Bitdefender found roughly 17% of the skills it checked on one marketplace contained hidden malicious code. Koi Security reported 341 malicious skills in a campaign it called ClawHavoc, later rising to 824 as the marketplace grew. Unit 42 found five evasive skills still live on ClawHub despite built‑in scanning; one, omnicogg, padded its README with 22 MB of junk to slip under a scanner's size cap — the same size‑padding operator SKILLCLOAK tests. Of Unit 42's five, two delivered macOS password‑stealers and two hijacked an agent's financial advice to push affiliate links and rig meme‑coin launches.

The runtime gap shows up outside marketplaces too. A clean‑looking GitHub repository led Claude Code to open a reverse shell on the developer's own machine because the setup script fetched malicious code at runtime from a DNS record; the malicious payload was never present in the repo and a static scan had nothing to catch. Mozilla's 0DIN team traced that chain.

Signals defenders can hunt for

  • Large or high‑entropy files tucked into directories scanners tend to skip, such as .git/ or build/.
  • Skills that unpack or assemble code only when they run, rather than shipping code in plain sight.
  • Files padded well past a sensible size, used to slip under scanner size caps.

None of these is definitive on its own; the paper frames them as cheap flags rather than verdicts. The authors also offer concrete mitigations available to marketplaces: hash a skill at scan time and re‑check before each run to detect later unpacking, flag skills that ship opaque blobs in ignored folders, and treat a "passed the scan" badge as a starting point rather than a guarantee. The durable defense, they argue, is watching behavior at runtime.

What this means for technologists, marketplaces, and enterprises

  • Technologists and security teams: Expect static hygiene to remain useful but insufficient; runtime monitoring that tracks data flows and filesystem activity will catch many cloaked attacks.
  • Marketplaces and vendors: Relying solely on fast static scans leaves a blind spot — consider runtime checks before a skill goes live and add heuristics that flag ignored directories and oversized files.
  • Enterprises and end users running coding agents: Treat a "passed scan" as a provisional step, run agents with least privilege, and avoid executing skills on machines that hold the secrets you cannot afford to lose.

The central lesson is clear and concrete: when a repository or package can look clean yet build its malicious behavior only at runtime, the trust decision must move from the marketplace gate to the execution environment. The paper's figures come from a single research team and await peer review, but the combination of marketplace finds and lab results makes an operational recommendation hard to ignore — watch what skills do, not only how they look.

https://thehackernews.com/2026/07/new-skillcloak-technique-lets-malicious.html