Scanners meant to catch malicious add-on "skills" for AI coding agents can be fooled by a few simple changes that leave the malware working, according to a new study from researchers at the Hong Kong University of Science and Technology.

Their strongest trick slipped past every scanner tested more than 90% of the time, and the same team built a runtime checker that catches most of the disguised skills the scanners miss.

Skills are small packages, usually a Markdown instruction file plus a few scripts, that agents such as Claude Code, OpenAI Codex, and OpenClaw load to pick up a new capability. Because a skill is just a bundle of files, the same one can run across different agents. And it runs with the agent's own access: your files, your terminal, your saved passwords.

A bad one can steal credentials, copy source code, or install a backdoor. Most of what a public marketplace lists is uploaded by strangers with little vetting.

The main defense so far has been the skill scanner, which reads a skill's files before you install it and blocks anything that looks dangerous. The paper, titled "Cloak and Detonate," tests whether that actually holds up. It does not. Beating scanners isn't new, though.

The Hacker News has covered researchers pushing a fake skill past every scanner it faced, which by the firm's own count reached tens of thousands of agents. What this paper adds is a way to do it systematically, at scale, and a defense that still works when it does.

How the disguised skills get through

The researchers' tool, SKILLCLOAK, rewrites a malicious skill to look clean while behaving exactly the same. It works two ways.

The lighter one rewrites the give-away bytes a scanner keys on, using the paper's own operators: swap a character for a look-alike from another alphabet, or split a flagged command across a newline, so the scanner's pattern no longer matches but the command still runs.

The heavier one, self-extracting packing, moves the whole payload into a directory the scanner skips, like .git/, behind a harmless-looking decoder that rebuilds the skill only when the agent runs it. Scanners skip such directories to save time and cut false alarms, which is exactly the blind spot the trick exploits.

Across eight scanners and 1,613 real malicious skills pulled from ClawHub, a public marketplace, the packing trick got past each of the eight more than 90% of the time, and past most of them more than 99%.

The lighter rewriting cleared more than 80% on most scanners and 96% on one. And the disguise costs the attacker almost nothing: on Claude Code and OpenAI Codex, the cloaked skills worked just as well as the originals.

Watching what a skill does, not how it looks

Since appearance can be faked, the researchers propose checking behavior instead, in a tool they call SKILLDETONATE. It runs the skill in a sandbox and watches what it does at the operating-system level: what it reads, what it writes, where it sends data.

Two ideas make it work for agents. It tracks sensitive data by where it flows rather than what it looks like, so base64 or encryption doesn't throw it off. And it runs the instructions a skill builds only at runtime, which is exactly where the packing trick hides its payload.

In a controlled test, the checker caught 97% of attacks while wrongly flagging 2% of safe skills, a lower false-alarm rate than the scanners it beats, and it held steady when the skills were cloaked. On real-world malicious skills, it caught 87%.

Cisco's scanner, the strongest tested, went the other way: it caught 99% of the real-world skills before cloaking and about 10% after.

The catch is speed, a couple of minutes per skill against a scanner's few seconds, though it runs once, before a skill goes live. The work is a preprint and hasn't yet been peer-reviewed; the researchers have released their code.

Already happening in the wild

None of this is hypothetical. Public marketplaces are already full of malicious skills that scanners are not stopping: Bitdefender found roughly 17% of the skills it checked on one marketplace carried hidden malicious code, and Koi Security counted 341 in a single campaign it called ClawHavoc, as THN reported, later 824 as the marketplace grew.

Some use the paper's exact tricks. Of five evasive skills Unit 42 found still live on ClawHub despite its built-in scanning, one, omnicogg, padded its README with 22 MB of junk to slip past the scanner's size cap, the same size-padding operator the paper tests. Two more delivered Mac password-stealers, and two hijacked the agent's financial advice to push affiliate links and rig meme-coin launches.

The runtime gap shows up outside skill marketplaces, too. A clean-looking GitHub repository recently led Claude Code to open a reverse shell on the developer's own machine, handing the attacker remote control. The malicious code was never in the repo; the setup script fetched it at runtime from a DNS record, so a static scan had nothing to catch. Mozilla's 0DIN team traced the chain.

A related failure hits the tool descriptions that agents read through the Model Context Protocol. Microsoft warned that a poisoned description, changed after the tool was approved, quietly pushed a finance agent into leaking unpaid invoices. The mechanism is different, but the broken assumption is the same: that what passed review is what runs.

A few limits are worth stating plainly. No one has yet caught attackers using these exact packing tricks at scale; the real-world cases here are adjacent evasions, not SKILLCLOAK itself. The runtime checker is a research prototype, strong in the lab but untested on a live marketplace or under an attacker actively trying to evade it. And every performance number is the authors' own, from a paper that has not been peer-reviewed. The direction is well-evidenced; the specific figures deserve the usual caution owed to a single group's early work.

That is the real lesson, and it is where a growing line of work is converging. A scanner judges a skill by how it looks when it is submitted, but the malicious behavior only shows up once the skill runs, after the scan has passed. So the trust decision has to move from the marketplace gate to the machine where the skill executes.

What to hunt for? The paper's evasions leave signs a defender can look for, even on a skill that passed a scan:

  • Large or high-entropy files tucked in directories a scanner tends to skip, such as .git/ or build/.
  • Skills that unpack or assemble code only when they run, rather than shipping it in plain sight.
  • Files padded well past a sensible size, the trick that slips a skill under a scanner's size cap.

None of these is proof on its own. They are cheap first flags, not a verdict.

For teams using coding agents, that makes a "passed the scan" badge a starting point, not a guarantee. Keep static scanning as cheap hygiene, but watch what a skill does when it runs: the files it touches, the commands it runs, and where it sends data.

The paper offers concrete stopgaps too, like hashing a skill when it is scanned and re-checking before each run to catch payloads that unpack later, and flagging skills that ship opaque blobs in ignored folders or pad files past a size cap. None of those close the gap on their own, which is the point: the durable defense is watching behavior at runtime.

Beyond that, install only from a vetted source, give agents the least access they need, and don't run them on machines that hold the secrets worth stealing.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.