// 2 ZERO-DAY · 3 CVE · 4 EXPLOIT · 1 ADVISORY IN THE LAST 24H
ESET detected over 3,000 malicious skills among nearly 900,000 analyzed. The SkillCloak technique bypasses static scanners in more than 90% of cases, leaving organizations vulnerable to a new supply-chain vector targeting AI agents with privileged access.

ESET analyzed nearly 900,000 AI skills in the first half of 2026, uncovering over 3,000 malicious ones and more than 25,000 suspicious skills capable of executing commands, accessing files, and stealing data. This is not anecdotal: the count rose from roughly 600 malicious skills in March to over 3,000 in May, while the volume of scanned skills exploded from 60,000 to nearly 900,000 in the same period. The stakes are a new supply-chain vector that directly hits teams using AI agents with privileged access.

Key Takeaways
  • ESET detected over 3,000 malicious skills among nearly 900,000 analyzed in H1 2026, with growth from roughly 600 in March [SOURCE 1]
  • The SkillCloak technique, developed by HKUST researchers, evaded 8 static scanners across 1,613 real malicious skills with an evasion rate exceeding 90%, often surpassing 99% [SOURCE 2]
  • Malicious behavior manifests at runtime, not at submission: scanners read files during submit, but the payload activates only on execution [SOURCE 2]
  • Bitdefender found roughly 17% of skills on a public marketplace harboring hidden malicious code; Unit 42 identified 5 evasive skills still live despite the platform's built-in scanning [SOURCE 2]

How the Gap Works: Static Scanning vs. Runtime Execution

Marketplace scanners examine skill files at submission, hunting for known patterns, suspicious code signatures, and recognizable behaviors. The malicious skill passes the check, earns a security badge, gets indexed, and is downloaded. Only when the AI agent executes it does the payload reveal itself: shell commands, file-system access, third-party tool downloads, code injection into the agent's context.

The HKUST research group, reported by The Hacker News, formalized this gap in the paper "Cloak and Detonate." Researchers tested 8 commercial and open-source scanners against 1,613 real malicious skills using the SkillCloak technique based on self-extracting packing. The result: evasion rates above 90%, with peaks beyond 99% on some scanners. The payload hides in ignored directories such as .git/ or is rewritten with patterns that dodge static signatures, activating only at runtime.

The skill inherits the host agent's privileges: file system, terminal, saved passwords. This is what distinguishes the risk from a traditional software supply chain. The AI agent operates in the user's context, with valid credentials and privileged access. A malicious skill does not need to exploit a vulnerability; it already runs with the agent's permissions.

Ecosystem Numbers: From ESET to Live Marketplaces

Quantitative data converges from multiple sources. ESET analyzed nearly 900,000 skills with growth from 60,000 to May 2026, identifying over 3,000 malicious skills and more than 25,000 suspicious ones [SOURCE 1]. Bitdefender detected roughly 17% of skills on a public marketplace containing hidden malicious code [SOURCE 2]. Koi Security counted 341 skills in the ClawHavoc campaign, later rising to 824, on an expanding marketplace [SOURCE 2]. Unit 42 found 5 evasive skills still live on ClawHub despite the platform's integrated scanning [SOURCE 2].

Capabilities identified by ESET span the full spectrum of agentic abuse: command execution, file access, third-party tool downloads, credential harvesting, code injection, obfuscation [SOURCE 1]. Anton Mäčko, Malware Analyst at ESET, stated that "AI skills can enable a wide range of agentic abuses, from automated reconnaissance and red-team-style attacks to spam generation, malware modification, and distribution." He added that "adversaries will continue to test these approaches to bypass controls, including by obfuscating intent or using regional, niche, or constructed languages."

"A scanner judges a skill by how it looks when it is submitted, but the malicious behavior only shows up once the skill runs, after the scan has passed" — HKUST paper summary, The Hacker News

The Defensive Paradigm: From Artifact Checks to Behavior Monitoring

The HKUST research proposed SKILLDETONATE, an OS-level sandbox prototype that executes the skill in an isolated environment before installation. Reported figures: 97% detection in lab, 87% on real skills, 2% false positives [SOURCE 2]. It remains an academic prototype: not documented as tested on live marketplaces nor ready for commercial deployment. The paper itself is not peer-reviewed at the time of publication.

The trust model based on pre-installation badges replicates traditional app-store mistakes, but with an impact multiplier: the agent has privileged access and operates autonomously. "Passed the scan" becomes a trap when scanning is static and behavior is dynamic.

No infrastructure overlaps emerge in the dossier linking the ClawHavoc campaigns or SkillCloak techniques to known threat-actor groups. It is not documented whether SkillCloak is already used in-the-wild or remains a lab demonstration. Confirmed victims, documented incidents, and quantified damages are absent.

What to Do Now

For teams managing AI agents with access to enterprise systems, the dossier points to three concrete actions. First: treat every skill as unverified code until executed in an isolated sandbox, regardless of the marketplace badge. Second: monitor the agent's runtime for anomalous behavior — command execution, file access outside expected scope, third-party tool downloads — rather than relying on pre-installation signatures. Third: segment the AI agent's privileges so a compromised skill does not inherit full access to codebases, databases, or cloud environments.

The shift from static verification to runtime monitoring is incomplete in the market. SKILLDETONATE shows a direction but is not available as an operational tool. Teams must assume current skills pass static checks and prepare behavioral defenses accordingly.

Frequently Asked Questions

What is the difference between "malicious" and "suspicious" skills in the ESET report?

The dossier does not specify the classification methodology or distinctive criteria. ESET reports over 3,000 malicious skills and more than 25,000 suspicious ones, without detailing how categorization between the two groups occurs.

Is SkillCloak already used in real attacks or is it only academic research?

The brief does not document SkillCloak being employed in-the-wild. The real evasions documented on live marketplaces (5 skills on ClawHub, 17% from Bitdefender) use "adjacent" techniques but are not identified as SkillCloak specifically. The HKUST paper is a lab demonstration on 1,613 real skills.

Can security teams use SKILLDETONATE to protect themselves?

No. SKILLDETONATE is a research prototype with promising results but not tested on live marketplaces nor available as an operational tool. The brief indicates no commercialization roadmap nor independent validation.

Sources

Information is based on cited sources and current as of publication.

Sources


Sources and references
  1. helpnetsecurity.com
  2. thehackernews.com