Study Shows Malicious AI Agent Skills Can Hide from Static Scanners with Packing Tricks

Researchers at the Hong Kong University of Science and Technology say malicious add-on “skills” for AI coding agents can be modified to bypass static security scanners without breaking their behavior....

Researchers at the Hong Kong University of Science and Technology say malicious add-on “skills” for AI coding agents can be modified to bypass static security scanners without breaking their behavior. In a preprint paper titled Cloak and Detonate, the team describes a system called SKILLCLOAK that disguises harmful skills so they look benign during inspection but still execute normally when loaded by an agent.

How the evasion works

AI agent skills are small bundles of instructions and scripts used by tools such as Claude Code, OpenAI Codex, and OpenClaw. Because they can run with the agent’s own access, a malicious skill may be able to steal credentials, copy code, or install backdoors.

The researchers tested two main evasion techniques. One approach makes small text changes that preserve functionality, such as replacing characters with visually similar ones from other alphabets or splitting suspicious commands across lines. The more effective method, called self-extracting packing, hides the payload in folders that scanners often ignore, such as .git/, then reconstructs it only at runtime through an apparently harmless decoder.

Across eight scanners and 1,613 malicious skills from a public marketplace, the packing method bypassed every scanner more than 90% of the time and, in many cases, more than 99%. The lighter rewriting method also achieved high bypass rates, often above 80%.

Runtime detection performs better

To address the limits of static review, the team built SKILLDETONATE, a sandbox-based checker that watches what a skill does after launch. Instead of relying on file contents alone, it tracks file access, writes, and network activity at the operating-system level. In the authors’ tests, the runtime tool detected 97% of attacks in a controlled environment with a 2% false-positive rate, and it remained effective against cloaked skills.

The findings arrive amid broader concerns about malicious content in AI tool marketplaces. Security firms have already reported hidden code, credential theft, and other abuse in public repositories and agent ecosystems. The paper has not yet been peer reviewed, and the runtime detector is a research prototype, but the authors argue the results show why “passed static scan” should not be treated as a guarantee of safety.

  • Static scanners can miss malicious skills that are repackaged or padded.
  • Runtime behavior is a more reliable signal than appearance alone.
  • Security teams should watch for unpacking behavior, unusual file locations, and excessive file padding.