Static scanners designed to detect malicious add-on “skills” for AI programming agents such as Claude Code, OpenAI Codex, and OpenClaw are systematically bypassed using simple cloaking techniques. According to the Cloak and Detonate preprint by researchers from the Hong Kong University of Science and Technology, the most effective technique — self-unpacking packaging — evades each of the eight tested scanners in more than 90% of cases. Teams that use AI agents for development need to understand that a “passed scan” label on a skill marketplace does not guarantee safety, and real protection requires controlling the skill’s behavior at runtime.
What skills are and why they are dangerous
Skills are small packages, typically consisting of a Markdown instruction file and a few scripts. Agents load them to gain new capabilities. Since a skill is just a set of files, the same package can run on different agents, inheriting their level of access: to the file system, terminal, and stored credentials. According to the researchers, a malicious skill can steal credentials, copy source code, or install a backdoor. At the same time, most skills on public marketplaces are uploaded by third-party users with minimal vetting.
How SKILLCLOAK evades scanners
The researchers built a tool called SKILLCLOAK that rewrites a malicious skill so it appears benign while preserving its original behavior. Two approaches are used.
Lightweight rewriting modifies the signature bytes the scanner reacts to: replacing characters with visually identical characters from another alphabet (homoglyphs), or splitting a flagged command across a line break. The scanner’s pattern no longer matches, but the command still executes. According to the authors, this method bypasses more than 80% of scanners, and on one of them — 96%.
Self-unpacking packaging is a more radical technique. The payload is moved into a directory that scanners skip (for example, .git/) and hidden behind a harmless-looking decoder that reconstructs the skill only when the agent runs it. Scanners ignore such directories to save time and reduce false positives — it is precisely this blind spot that the attack exploits.
In tests on 1,613 real malicious skills from the ClawHub marketplace, the packaging bypassed each of the eight scanners in more than 90% of cases, and most of them in more than 99%. On the Claude Code and OpenAI Codex agents, the cloaked skills reportedly worked just as effectively as the originals. The Cisco scanner, which showed the best result among static solutions, detected 99% of malicious skills before cloaking and only about 10% afterward.
SKILLDETONATE: defense through behavior analysis
Since the outward appearance of a skill is easy to fake, the researchers proposed a tool called SKILLDETONATE that checks behavior. The skill is run in an isolated environment (sandbox) where its actions are tracked at the operating system level: file reads and writes, network connections, and data transfer directions.
Two key principles make the approach effective for agent environments. First, tracking of sensitive data is done by flows rather than by contents, so Base64 encoding or encryption does not help an attacker evade detection. Second, instructions that the skill generates only at runtime are executed precisely at execution time — where the packaging hides the payload.
In controlled tests, SKILLDETONATE, according to the authors, detected 97% of attacks at a 2% false positive rate — lower than the static scanners. On real malicious skills, the detection rate was 87%. The results remained stable even after the skills were cloaked. The trade-off is speed: checking a single skill takes several minutes versus a few seconds for a scanner, but it is performed once, before deployment.
Important caveat: the work is a preprint, has not undergone peer review, and all quantitative results were obtained by a single research group. Specific figures should be treated as preliminary.
Threats are already materializing in practice
The problem is not merely theoretical. According to Bitdefender, roughly 17% of the skills examined on one marketplace contained hidden malicious code. Koi Security found 341 malicious skills as part of the ClawHavoc campaign.
Some real-world attacks use techniques similar to those described in the study. According to Unit 42, five malicious skills that had passed built-in scanning were found on ClawHub. One of them — omnicogg — padded its README file with 22 MB of junk data to exceed the scanner’s size limit. Two others delivered password-stealing programs for macOS, and another two manipulated the agent’s financial recommendations to promote affiliate links and meme-token schemes.
The gap between static checking and runtime behavior also shows up beyond skill marketplaces. The Mozilla 0DIN team documented a case where an apparently safe GitHub repository caused Claude Code to open a reverse shell on a developer’s machine. The malicious code was absent from the repository itself — the installation script downloaded it at runtime from a DNS record, leaving nothing for a static scanner to detect.
Microsoft warned of a related vector: a poisoned tool description in the Model Context Protocol, modified after approval, caused a financial agent to leak data about unpaid invoices. The mechanism is different, but the violated assumption is the same: that what passed review is what gets executed.
It should also be noted that none of the sources in the available materials confirms that SKILLCLOAK’s exact techniques are already being used by attackers at scale. Real-world cases involve related evasion methods rather than an exact reproduction of the described tooling.
Practical recommendations
For teams that use AI agents in development, the study outlines specific indicators to watch for even if a skill has successfully passed scanning:
- Large files or files with high entropy in directories that scanners typically skip (
.git/,build/). - Skills that unpack or assemble code only at runtime instead of shipping it in clear form.
- Files padded with data far beyond a reasonable size — a trick for bypassing scanner limits.
Beyond indicators, the authors propose concrete defensive measures:
- Hash the skill at scan time and re-check the hash before each run, to detect payloads that unpack after verification.
- Monitor behavior at runtime: which files the skill reads and modifies, which commands it launches, and where it sends data.
- Principle of least privilege: agents should be given only the access strictly necessary for the specific task.
- Environment isolation: do not run agents on machines that hold critical secrets — API keys, access tokens, private keys.
- Install skills only from vetted sources, without relying on public marketplaces as the sole filter.
Static scanning remains useful as basic hygiene, but this study — together with real incidents from Unit 42, Bitdefender, and Mozilla 0DIN — demonstrates its fundamental limitation: a scanner evaluates a skill at download time, whereas malicious behavior manifests at runtime. For organizations integrating AI agents into development workflows, the priority should be to move from trusting static scan results to controlling skill behavior in the execution environment — through sandboxes, system call monitoring, and tracking data flows.