// 2 CVE · 1 EXPLOIT IN THE LAST 24H
HKUST researchers demonstrate that static scanners on AI skill marketplaces systematically fail against active evasion techniques. The "passed the scan" badges relied upon by thousands of enterprises to authorize skill installations in privileged development environments are a technical placebo.

HKUST researchers published the paper "Cloak and Detonate" on July 3, 2026, a framework that exposes the inadequacy of static scanners on AI agent skill marketplaces. They prove it with numbers: over 90% bypass rates on every scanner tested, with most exceeding 99%. The message is clear: the "passed the scan" badge, which thousands of enterprises rely on to authorize skill installations in development environments with privileged access, is a technical placebo.

Key Takeaways
  • SkillCloak uses Self-Extracting Skill Packing and Structural Obfuscation to hide malicious payloads from static scanners, achieving bypass rates above 90% on 1,613 real malicious skills tested.
  • Cisco's static scanner, the best in the test battery, collapses from 99% detection to 10% after cloaking techniques are applied.
  • Obfuscated skills retain identical functionality on Claude Code and OpenAI Codex: the user perceives no operational difference.
  • SkillDetonate, the researchers' proposed runtime defense, detects 97% of attacks with a 2% false positive rate, but remains a research prototype not yet tested on live marketplaces under active attack.
  • Unit 42 has already found evasive skills live on ClawHub using adjacent techniques: 22 MB padding, a macOS password stealer, and financial advice hijacking.

How Evasion Works: SFS Packing and Scanners Looking in the Wrong Place

The core mechanism is Self-Extracting Skill Packing. The malicious payload is hidden in directories that scanners are configured to skip — recurring examples in the paper are .git/ and build folders — or inside encoded blobs that an innocuous-looking decoder reconstructs only at agent execution time. The fundamental assumption that static scanners violate: that the payload is visible at install time. It is not.

The second technique, Structural Obfuscation, semantically rewrites malicious indicators without altering their functionality. Homoglyphs, command splitting across newlines, and rephrasing that breaks scanner pattern matching while preserving executable semantics. The result: 80% bypass on static scanners and 96% on a hybrid scanner, according to the HKUST researchers' "Cloak and Detonate" paper.

"SFS Packing bypasses every scanner at over 90%, while Structural Obfuscation bypasses over 80% on most static scanners and reaches 96% on a hybrid scanner" — Paper "Cloak and Detonate", HKUST

The Best Scanner Collapses: From 99% to 10% with a Shape Shift

>The most striking drop concerns Cisco's scanner, considered the best static scanner in the test battery. Before cloaking: 99% detection. After: roughly 10%. The figure is not marginal: it means the market's most aggressive certification system becomes useless against an attacker applying techniques documented in an academic preprint.

Obfuscated skills, in the researchers' tests, "cause no statistically detectable loss in skill utility" on Claude Code and OpenAI Codex. The user installs, the agent executes, the payload manifests. The chain of trust breaks invisibly.

The paper is not peer-reviewed: the numbers are self-reported. But convergence with already-documented real-world cases — omnicogg with 22 MB padding found by Unit 42 on ClawHub, the AIR campaign with fake skills reaching roughly 26,000 agents — corroborates the scenario's plausibility. The Hacker News, in reporting the paper, explicitly limited the scope: "No one has yet caught attackers using these exact packing tricks at scale; the real-world cases here are adjacent evasions, not SkillCloak itself."

Runtime as the Only Line: SkillDetonate and Its Limits

The researchers propose SkillDetonate, a runtime detection system that executes skills in a sandbox before authorizing them for operation. The reported benchmark: 97% detection with 2% false positives on SkillJect, a dataset of 150 controlled skills. On real malicious skills from MalSkillBench, detection holds at 87% even against cloaking.

The comparison with static scanners is stark: "31% more than the best static scanner and 62% more than a naive OpenCode based agent detector." But the paper does not precisely quantify execution speed in a live marketplace with tens of thousands of skills. Runtime analysis time — minutes versus seconds — is an untested cost factor. It is also unclear whether SkillDetonate would withstand an attacker actively modifying evasion tactics during a session.

The current ecosystem offers no mature alternatives. The paper "Malicious Agent Skills in the Wild" mapped 157 malicious skills with 632 vulnerabilities; Bitdefender estimated roughly 17% of skills on a marketplace are malicious; Koi Security documented the ClawHavoc campaign, which grew from 341 to 824 skills. The scale is already significant: over 40,000 skills on open marketplaces, with rapid growth from 2025 standards.

What to Do Now

The following actions are derived from the facts documented in this dossier and the cited real-world campaigns:

  • Treat the "passed the scan" badge as non-binding. The Cisco data — 99% to 10% — proves static certification is reversible with known techniques. Do not authorize installation of skills from public marketplaces in environments with access to code repositories or credentials based solely on badges.
  • Shift controls from the installation gate to agent runtime. The paper proposes pre-execution sandboxing; enterprises must evaluate whether their agent architectures allow isolated execution of unverified skills. The SkillDetonate data — 97% detection, 2% FP — indicates the direction, but no equivalent commercially validated products exist at this time.
  • Apply least privilege to coding agents. The June 17, 2026 attack on 14 companies via Claude and Codex, documented separately, exploited agents with excessive permissions. Restricting access to filesystem, network, and APIs reduces the impact surface even if the skill is malicious.
  • Continuously verify already-installed skills. Microsoft has warned of poisoned MCP descriptions modified post-approval; Mozilla 0DIN has tracked attacks via clean GitHub repositories that fetch payloads at runtime via DNS. The threat is not only at installation: it persists over time.

The SolarWinds Replay, But Faster

The traditional software supply chain trust chain collapsed with SolarWinds because digital signatures and static review were insufficient against a patient attacker. The AI agent ecosystem replicates the same fragility with superior distribution velocity: a malicious skill can reach 26,000 installations in timeframes that traditional software required months to achieve. The difference is that here the "compromise" is not a signed binary: it is natural language that appears useful, obfuscated so scanners do not recognize it as a threat until execution.

The real control cannot remain at the marketplace gate. It must shift to the agent runtime, where the payload manifests — or where a sandbox like SkillDetonate can intercept it. The researchers have provided the proof of feasibility; the market has not yet delivered the industrial response.

Information verified against cited sources and current as of publication.

Sources


Sources and references
  1. thehackernews.com
  2. helpnetsecurity.com
  3. arxiv.org