HKUST: SkillCloak Bypasses AI Agent Scanners 90%+ of Time

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- HKUST researchers published a preprint paper titled 'Cloak and Detonate' introducing SKILLCLOAK, a tool that rewrites malicious AI agent 'skills' so they pass pre-installation scanners while behaving identically at runtime.
- SKILLCLOAK's self-extracting packing technique evaded all eight scanners tested more than 90% of the time across 1,613 real malicious skills pulled from ClawHub, and surpassed 99% evasion on most of them.
- The lighter text-rewriting method cleared more than 80% on most scanners and 96% on one, while cloaked skills retained full functionality on Claude Code and OpenAI Codex at almost no cost to the attacker.
- The same team built SKILLDETONATE, a runtime behavior checker that watches what a skill reads, writes, and sends at the OS level, catching 97% of attacks with 2% false positives in lab tests and 87% on real-world malicious skills.
- Cisco's scanner, the strongest static defense tested, caught 99% of real-world malicious skills before cloaking but only about 10% after.
- Real-world marketplaces already show the gap: Bitdefender found roughly 17% of skills on one marketplace carried hidden malicious code, and Koi Security counted 341 malicious skills (later 824) in a single 'ClawHavoc' campaign.
- Unit 42 found five evasive skills still live on ClawHub despite its built-in scanning, including one — omnicogg — that padded its README with 22 MB of junk to slip past the scanner's size cap, the same trick the paper tests.
Why it matters: For any team using coding agents like Claude Code or OpenAI Codex, a 'passed the scan' badge is no longer a guarantee — SKILLCLOAK's packing trick evades every tested scanner over 90% of the time while preserving full malicious functionality, and Bitdefender has already found ~17% of marketplace skills carrying hidden malicious code. The paper argues trust has to move from the marketplace gate to runtime behavior monitoring on the machine where the skill actually runs.




