SkillCloak paper: static scanners miss 90%+ of agent skill malware
HKUST researchers show static scanners for AI agent skill marketplaces miss over 90% of malware repackaged with simple tricks. If you rely on them, that gate is broken.
Researchers at Hong Kong University of Science and Technology posted Cloak and Detonate: Scanner Evasion and Dynamic Detection of Agent Skill Malware this week — a paper that measures how well the static scanners guarding public “skill” marketplaces for AI coding agents actually catch malicious skills. The short version, as summarized by The Hacker News on July 6: they don’t. If your team was leaning on a marketplace scanner as a real control before installing skills into Claude Code, Codex, or OpenClaw, that gate is now demonstrably porous.
I’ve watched this movie once — npm, VS Code Marketplace, browser extensions — and every time the marketplace’s static scanner turned out to buy less than the platform said it did. Skills for AI agents are the next iteration of the same shape: a shared registry of third-party code that a developer clicks Install on, running with whatever permissions the agent has. Nothing about “AI” changes the marketplace problem.
What the paper actually measures
The team — Zimo Ji, Congying Xu, Zongjie Li, Yudong Gao, Xin Wei, Shuai Wang, and Shing-Chi Cheung — ran eight commercial and open-source scanners against 1,613 real malicious skills previously collected from ClawHub, and then re-ran the same test after passing those skills through their evasion framework, SkillCloak. Two evasion strategies:
- Structural Obfuscation — semantic-equivalent rewrites of the payload indicators the scanner is looking for.
- Self-Extracting Skill (SFS) packing — packages the malicious component so it only materializes at install time.
The numbers, per the abstract:
- SFS packing bypassed every scanner in the test at over 90%, and most at 99%+.
- Structural Obfuscation cleared 80%+ on static scanners and hit 96% on the strongest hybrid.
- Cisco — the strongest scanner in the test — dropped from about 99% detection pre-cloak to about 10% post-cloak, per The Hacker News’s summary.
The team also built and tested a behavior-based runtime auditor, SkillDetonate, which watches what a skill actually does in a sandbox. It caught 97% of attacks with a 2% false-positive rate in controlled testing, and 87% on real-world malicious skills.
I am not going to walk through what the specific rewrites look like. The paper does; that’s what a peer-reviewed research artifact is for. The relevant fact for defenders is not the recipe. The relevant fact is that the assumption “the marketplace scanner will catch obvious malware” no longer holds, and every operational control downstream needs to reflect that.
What to do — in priority order
1. Take the marketplace scanner out of your threat model as a preventive control, this week.
If your build docs, onboarding guides, or security runbooks say something like “skills are safe because the marketplace scans them,” rewrite that today. Not next sprint. Static scanning of skill packages is a detection control — sometimes it catches something obvious — not a prevention control. Anywhere your policy relies on that scan as the gate before install, close the gap with something else.
2. Restrict who can install skills, and from where, in every AI-agent tool your org runs.
Claude Code, Codex, and OpenClaw all support enterprise controls over skill sources: allowlists of trusted publishers, private-only marketplaces, install-approval workflows. Pick one, turn it on, and default users to “cannot install from public marketplace without review.” This is the same playbook that worked for npm at scale — it wasn’t glamorous and it wasn’t loved by developers, but it stopped the bleeding. Yes, it means dev workflow friction. That is the point.
3. Move detection to runtime, not install-time.
The paper’s own SkillDetonate result — 97% catch, 2% FP — is the direction of travel. You don’t have to run SkillDetonate specifically; the concept is what matters. Watch what installed skills actually do. EDR on the developer workstation catching outbound network calls from a “documentation formatter” skill is more useful than any package-time scan. If you already have EDR, add rules for the AI-agent processes: what should Claude Code’s helper process reasonably talk to, and what should fire an alert.
4. Inventory the skills already installed across your dev fleet, this month.
Every skill installed today was scanned by a control the researchers just showed can be beaten at 90%+. Treat everything already deployed as unknown-provenance third-party code with agent-level privileges and audit accordingly. Focus first on skills installed from public marketplaces by individual devs, then on skills bundled by the vendor. You are looking for skills that request outbound network access, filesystem write outside a project directory, or credential-store access — the same triage list you’d apply to any suspicious binary.
5. Watch for vendor responses over the next 30 days.
Anthropic, OpenAI, and OpenClaw all have skill marketplaces in the paper’s scope. Expect one or more of them to publish a response within the month — either a scanner update, a runtime sandboxing announcement, or an ecosystem policy change. When they do, read the actual changelog, not the marketing. “We’ve updated our scanners” without a change in the architecture (still install-time static analysis) does not meaningfully move the needle against SFS packing.
Priority call
Do #1 tonight — a five-minute doc edit is enough. Do #2 this week; it’s the durable defensive change and it doesn’t wait on any vendor. Everything else on the list is worth doing and none of it is urgent enough to skip #2 for.
If your org isn’t running AI coding agents yet and is evaluating them, the honest read is that the marketplace-scanner story any vendor tells you in a sales call is now less credible than it was a week ago. Ask about runtime controls, not scan coverage. The scan number is the one they can hit; the runtime story is the one that matters.
Sources
- Ji, Xu, Li, Gao, Wei, Wang, Cheung. Cloak and Detonate: Scanner Evasion and Dynamic Detection of Agent Skill Malware. arXiv preprint 2607.02357, July 2026.
- The Hacker News, New SkillCloak Technique Lets Malicious AI Agent Skills Evade Static Scanners with Self-Extracting Packing, July 6, 2026.
Found this useful? Share it.


