Study says AI coding agent skill scanners can be evaded with simple cloaking tricks

by

A new technical analysis from researchers at the Hong Kong University of Science and Technology says scanners meant to catch malicious add-on skills for AI coding agents can be bypassed with simple changes, with one cloaking method evading every scanner tested more than 90% of the time.

KEY FACTS

  • Scope The study tested eight scanners and 1,613 malicious skills from a public marketplace.
  • Top result One packing method slipped past each scanner more than 90% of the time.
  • Defense A runtime checker called SKILLDETONATE caught 97% of attacks in controlled tests.
  • Limit The paper has not been peer-reviewed and the code was released by the authors.

The research says SKILLCLOAK can rewrite a malicious skill so it looks harmless while keeping the same behavior. One method swaps characters with look-alikes or splits commands across lines, while another hides the payload in folders scanners often skip, such as .git/, and rebuilds it only when the agent runs.

On the tested datasets, the packing method beat every scanner more than 90% of the time and passed most of them more than 99% of the time. The lighter rewriting method cleared more than 80% on most scanners and 96% on one. The cloaked skills still worked on Claude Code and OpenAI Codex.

To counter that, the report describes a runtime checker that watches what a skill reads, writes and sends at the operating-system level. In controlled tests it caught 97% of attacks and wrongly flagged 2% of safe skills, while catching 87% of real-world malicious skills.

The authors also point to related cases outside the study, including malicious skills found in public marketplaces and a GitHub repository that led Claude Code to open a reverse shell after fetching code at runtime. Microsoft separately warned that a poisoned tool description changed after approval could also lead an agent to leak data.

WHY IT MATTERS

The findings suggest that scanning a skill before installation may not be enough when malicious code can unpack or activate only at runtime. For teams using AI coding agents, the practical takeaway is to treat a passed scan as only one control and to watch what a skill does after it starts running.