Researchers from the Hong Kong University of Science and Technology (HKUST) have identified a novel evasion technique, dubbed SkillCloak, that allows malicious add-on skills for AI coding agents to slip past static security scanners. The method employs self-extracting packing to obfuscate malicious code, rendering conventional detection tools ineffective.
According to the study, SkillCloak's strongest variant bypassed every scanner tested more than 90% of the time. This high success rate underscores a critical gap in current security measures designed to vet third-party skills for AI agents. The team also developed a runtime checker that successfully catches most of the evasive samples.
The technique exploits a fundamental limitation in static analysis: scanners inspect skills before execution, but SkillCloak's packing mechanism delays revealing malicious payloads until runtime. This one-two punch of evasion and delayed payload delivery makes detection particularly challenging. The researchers demonstrated the attack against multiple industry-standard scanning tools.
No specific CVEs or patch timelines have been published yet. Developers are advised to implement runtime behavioral monitoring for AI agent skills as a stopgap measure. Platform providers may need to rethink their vetting pipelines to include dynamic analysis rather than relying solely on static scanning.
The attack highlights a growing security concern in the AI supply chain. As AI coding agents become more autonomous, the risk of weaponized third-party skills rises. The HKUST team's work signals an urgent need for the industry to develop more robust detection frameworks.