AI coding agents are getting a plugin problem. Agents like Claude Code, OpenAI Codex and OpenClaw load skills - small add-ons that give them new abilities. New research, reported by The Hacker News, shows those skills can smuggle malware past security scanners, and real malicious skills have already turned up on an agent marketplace. Here is what is going on and how to stay safe. For the wider topic, see our AI agent security guide.
What an agent "skill" is
A skill is a small package, usually a Markdown instruction file plus a few scripts, that an agent loads to pick up a new capability. It is the plugin model for AI coding agents.
The catch: a skill can include scripts with broad access to your local system. So a marketplace of skills - like ClawHub, the store for the OpenClaw agent - becomes a software supply chain. And supply chains are exactly where attackers like to hide.
How SkillCloak hides malware
According to the research reported by The Hacker News, SkillCloak is a payload-preserving evasion framework. It keeps a malicious skill's behavior intact while changing how it looks to a scanner. It uses two methods:
- Structural obfuscation. Rewrite the give-away strings a scanner keys on - for example, swap a character for a look-alike from another alphabet, or split a flagged command across a line break. The code still runs; the pattern no longer matches.
- Self-extracting packing. Move the whole payload into a place the scanner skips, such as a
.git/directory, behind a harmless-looking decoder that rebuilds the skill only when the agent runs it. At install time there is nothing to see.

The numbers are not reassuring
According to the research, the team tested these methods across eight scanners and 1,613 real-world malicious skills. The results:
- Self-extracting packing bypassed every scanner at over 90%.
- Structural obfuscation bypassed more than 80% on most static scanners, and 96% on a hybrid scanner.
In other words, static scanning of skills is not enough on its own. If a scanner only inspects the bytes, a payload-preserving transform can walk right past it.
This is not just theory
Real malicious skills have appeared in the wild. According to analysis from Palo Alto's Unit 42 and other security researchers, malicious skills found on the ClawHub marketplace fell into categories including macOS infostealer delivery, scanner evasion through file padding, and agentic abuse for financial gain. The supply-chain risk is live, not hypothetical.
How to stay safe
Treat an agent skill like any untrusted dependency, because that is what it is:
- Install only from sources you trust, and prefer skills you can read.
- Read what it does before you run it - the scripts, not just the description.
- Give it least privilege: the smallest system and network access it needs.
- Run it in a sandbox that limits what it can reach.
- Favor behavior-based checks. Since static scanners can be fooled, watch what a skill actually does at runtime, not just what its code looks like. The same research points to behavior-based auditing as the more robust answer.
The honest takeaway
Two caveats. First, SkillCloak is research, reported by The Hacker News and tied to real marketplace findings - a demonstrated weakness, not a claim of mass compromise. Second, the fix is known: least privilege, sandboxing, and behavior-based detection. None of that is exotic; it is standard supply-chain hygiene applied to a new place.
The honest read: AI agent skills are powerful because they run real code, and dangerous for the same reason. As agents load more third-party skills, the marketplace becomes a target, and static scanning alone will not hold. Treat skills like dependencies, sandbox them, and watch behavior. For choosing trustworthy tools in the first place, our best coding LLMs 2026 overview helps.



