alexi.sh
All articlesBrowser securityNetwork privacyPrivacy toolingThreat modelingAI codingDev tooling

alexi.shAI Engineering Lab

ai-coding

AI Agent Skills Are a New Malware Supply Chain: Inside SkillCloak

PrivSec Lab3 min read
Colourful source code displayed on a dark computer screen

Researchers showed that malicious AI agent skills can hide from static scanners using a technique called SkillCloak, and real malicious skills have appeared on agent marketplaces. What skills are, how the evasion works, and how to stay safe.

AI coding agents are getting a plugin problem. Agents like Claude Code, OpenAI Codex and OpenClaw load skills - small add-ons that give them new abilities. New research, reported by The Hacker News, shows those skills can smuggle malware past security scanners, and real malicious skills have already turned up on an agent marketplace. Here is what is going on and how to stay safe. For the wider topic, see our AI agent security guide.

What an agent "skill" is

A skill is a small package, usually a Markdown instruction file plus a few scripts, that an agent loads to pick up a new capability. It is the plugin model for AI coding agents.

The catch: a skill can include scripts with broad access to your local system. So a marketplace of skills - like ClawHub, the store for the OpenClaw agent - becomes a software supply chain. And supply chains are exactly where attackers like to hide.

How SkillCloak hides malware

According to the research reported by The Hacker News, SkillCloak is a payload-preserving evasion framework. It keeps a malicious skill's behavior intact while changing how it looks to a scanner. It uses two methods:

  • Structural obfuscation. Rewrite the give-away strings a scanner keys on - for example, swap a character for a look-alike from another alphabet, or split a flagged command across a line break. The code still runs; the pattern no longer matches.
  • Self-extracting packing. Move the whole payload into a place the scanner skips, such as a .git/ directory, behind a harmless-looking decoder that rebuilds the skill only when the agent runs it. At install time there is nothing to see.

A hand typing on a laptop showing green terminal output in a dark room

The numbers are not reassuring

According to the research, the team tested these methods across eight scanners and 1,613 real-world malicious skills. The results:

  • Self-extracting packing bypassed every scanner at over 90%.
  • Structural obfuscation bypassed more than 80% on most static scanners, and 96% on a hybrid scanner.

In other words, static scanning of skills is not enough on its own. If a scanner only inspects the bytes, a payload-preserving transform can walk right past it.

This is not just theory

Real malicious skills have appeared in the wild. According to analysis from Palo Alto's Unit 42 and other security researchers, malicious skills found on the ClawHub marketplace fell into categories including macOS infostealer delivery, scanner evasion through file padding, and agentic abuse for financial gain. The supply-chain risk is live, not hypothetical.

How to stay safe

Treat an agent skill like any untrusted dependency, because that is what it is:

  • Install only from sources you trust, and prefer skills you can read.
  • Read what it does before you run it - the scripts, not just the description.
  • Give it least privilege: the smallest system and network access it needs.
  • Run it in a sandbox that limits what it can reach.
  • Favor behavior-based checks. Since static scanners can be fooled, watch what a skill actually does at runtime, not just what its code looks like. The same research points to behavior-based auditing as the more robust answer.

The honest takeaway

Two caveats. First, SkillCloak is research, reported by The Hacker News and tied to real marketplace findings - a demonstrated weakness, not a claim of mass compromise. Second, the fix is known: least privilege, sandboxing, and behavior-based detection. None of that is exotic; it is standard supply-chain hygiene applied to a new place.

The honest read: AI agent skills are powerful because they run real code, and dangerous for the same reason. As agents load more third-party skills, the marketplace becomes a target, and static scanning alone will not hold. Treat skills like dependencies, sandbox them, and watch behavior. For choosing trustworthy tools in the first place, our best coding LLMs 2026 overview helps.

Photo: Pexels (source)

Also available in

FAQ

What is an AI agent skill?
A skill is a small package - usually a Markdown instruction file plus a few scripts - that an agent loads to gain a new ability. Agents such as Claude Code, OpenAI Codex and OpenClaw use them. Because a skill can carry scripts with broad local system access, a marketplace of skills becomes part of the software supply chain, and a risky one if a skill is malicious.
What is SkillCloak?
According to research reported by The Hacker News, SkillCloak is a payload-preserving evasion framework: it keeps a malicious skill's behavior intact while changing how it looks to a scanner. It uses two methods - structural obfuscation (rewriting give-away strings into look-alike forms) and self-extracting packing (hiding the payload where scanners do not look, then rebuilding it when the agent runs).
How well does SkillCloak evade scanners?
According to the research, across eight scanners and 1,613 in-the-wild malicious skills, the self-extracting packing bypassed every scanner at over 90%, and structural obfuscation bypassed more than 80% on most static scanners and reached 96% on a hybrid scanner. The takeaway is that static scanning of skills is not enough on its own.
How do I use AI agent skills safely?
Treat a skill like any untrusted dependency. Install only from sources you trust, read what it does, give it the least access it needs, and run it in a sandbox that limits system and network reach. Because static scanners can be fooled, favor behavior-based checks - watch what a skill actually does at runtime, not just what its code looks like.