Full Report
Scanners meant to catch malicious add-on "skills" for AI coding agents can be fooled by a few simple changes that leave the malware working, according to a new study from researchers at the Hong Kong University of Science and Technology. Their strongest trick slipped past every scanner tested more than 90% of the time, and the same team built a runtime checker that catches most of the
Analysis Summary
# Research: Cloak and Detonate: Evading AI Agent Skill Scanners via Self-Extracting Packing
## Metadata
- **Authors**: Researchers from the Hong Kong University of Science and Technology (HKUST)
- **Institution**: Hong Kong University of Science and Technology
- **Publication**: ArXiv (Preprint) / Technical Analysis via The Hacker News
- **Date**: July 6, 2026
## Abstract
This research identifies a critical vulnerability in the ecosystem of AI coding agents (e.g., Claude Code, OpenAI Codex). It introduces **SKILLCLOAK**, an automated tool that rewrites malicious "skills" (add-on packages) to bypass static security scanners using obfuscation and self-extracting packing. The study also proposes **SKILLDETONATE**, a runtime behavior-based defense mechanism that achieves significantly higher detection rates against cloaked malware by monitoring OS-level actions in a sandbox.
## Research Objective
The research addresses the failure of current static analysis tools to secure AI agent marketplaces. It specifically seeks to answer:
1. Can malicious AI skills be systematically modified to evade modern security scanners while maintaining functionality?
2. Can a dynamic, behavior-based approach provide a more resilient defense than static signature matching?
## Methodology
### Approach
The researchers developed a dual-tool framework:
1. **Attack (SKILLCLOAK):** Implements two evasion strategies:
- **Lighter Rewriting:** Uses homoglyphs (look-alike characters) and command-splitting across newlines.
- **Self-Extracting Packing:** Moves the payload to hidden directories (e.g., `.git/`) and uses a decoder to reassemble the skill only at runtime.
2. **Defense (SKILLDETONATE):** A sandbox environment that records operating system events (file I/O, network calls) and tracks sensitive data flows back to their source.
### Dataset/Environment
- **Test Set:** 1,613 verified malicious skills sourced from "ClawHub" (a public AI skill marketplace).
- **Agents Tested:** Claude Code, OpenAI Codex, and OpenClaw.
- **Scanners Tested:** 8 industry-standard static scanners (including Cisco's security tool).
### Tools & Technologies
- **SKILLCLOAK:** Obfuscation and packing engine.
- **SKILLDETONATE:** Dynamic analysis sandbox/runtime checker.
- **Data Flow Tracking:** Monitors the movement of credentials, source code, and secrets within the agent's OS environment.
## Key Findings
### Primary Results
1. **High Evasion Rates:** The "Self-Extracting Packing" technique bypassed every tested scanner over 90% of the time, with many exceeding a 99% evasion rate.
2. **Scanner Fragility:** Cisco’s scanner—the top performer—dropped from a 99% detection rate to 10% after cloaking was applied.
3. **Execution Persistence:** Cloaked malicious skills remained 100% functional on major platforms like Claude Code and OpenAI Codex.
4. **Superior Defense:** The proposed runtime checker (SKILLDETONATE) caught 97% of attacks in controlled tests with a low 2% false-positive rate.
### Supporting Evidence
- Empirical testing on 1,613 real-world malicious skills shows that traditional "pattern matching" fails against context-aware AI add-ons.
- Dynamic analysis caught 87% of real-world malicious skills that were previously undetected by static tools.
### Novel Contributions
- **Automated AI Malware Obfuscation:** The first systematic framework for packing and cloaking AI "skills."
- **Path-Agnostic Detection:** Shifting defense from "what the code looks like" to "what the code does" at the kernel/OS level.
## Technical Details
The "Self-Extracting Packing" exploit leverages a common optimization in static scanners: to reduce overhead, scanners often skip configuration directories like `.git/` or hidden system files. SKILLCLOAK puts the malicious payload in these skipped sectors. It replaces the original high-level instructions with a "stub" (a decoder) that programmatically retrieves and executes the hidden malicious script only when the agent is triggered by a user prompt.
## Practical Implications
### For Security Practitioners
- **Trust No Marketplace:** Third-party "skills" for coding agents are currently a high-risk vector for supply chain attacks.
- **Access Control:** Agents frequently run with the same permissions as the user; a compromised skill has immediate access to local `.env` files, SSH keys, and source code.
### For Defenders
- **Move to Dynamic Analysis:** Static scanning (linting/regex) is insufficient for AI agents. Defenders should implement sandboxing or runtime monitoring for all non-native skills.
- **Monitor Hidden Directories:** Security tools must be configured to scan traditionally excluded directories (like `.git`) when dealing with AI-generated or AI-managed packages.
### For Researchers
- **Data Provenance:** Future research should focus on how to track data flow from sensitive files into the LLM context to prevent prompt-based data exfiltration.
## Limitations
- **Latency:** SKILLDETONATE takes minutes to run per skill, compared to seconds for static scanners.
- **Sandbox Sophistication:** Some advanced malware may detect it is in a sandbox and "stay quiet," evading dynamic detection.
- **Preprint Status:** The work has not yet completed formal peer review.
## Comparison to Prior Work
While previous work demonstrated individual "one-off" fake skills passing scanners, this research provides the first **systematic toolkit** (SKILLCLOAK) for mass-producing evasive AI malware. It also offers a tangible **architectural solution** (SKILLDETONATE) rather than just identifying the breach.
## Real-world Applications
- **Enterprise Vetting:** Large firms using AI agents can integrate SKILLDETONATE into their internal "App Store" vetting process.
- **Marketplace Guardianship:** Platforms like OpenAI or Anthropic could use these findings to harden their skill-loading mechanisms.
## Future Work
- Scaling runtime detection to handle the "speed vs. security" trade-off.
- Exploring if LLM-based scanners (using AI to catch AI malware) are susceptible to the same obfuscation techniques.
## References
- **Original Study:** *Cloak and Detonate: Evading AI Agent Skill Scanners via Self-Extracting Packing*.
- **Data Source:** [arxiv[.]org/abs/2607.02357]
- **Related News:** The Hacker News (July 2026) regarding "ClawHavoc" campaigns.