Agent Skill Malware Can Bypass Scanners Used to Protect Claude Code and OpenAI Codex


New research warns that malicious agent skills can be disguised to bypass scanners used to protect AI coding assistants, including Claude Code and OpenAI Codex. The study shows that attackers can change how a harmful skill looks while keeping its malicious behavior intact.

The findings come from the paper Cloak and Detonate, which tested a framework called SkillCloak against eight skill scanners and 1,613 real malicious skills. The researchers found that self-extracting skill packing bypassed every scanner more than 90% of the time.

The risk matters because agent skills can package instructions, scripts, and resources that agents load during work. Anthropic says Agent Skills can be created for Claude Code and uploaded through Claudeโ€™s products, while OpenAI says Codex skills can extend Codex with task-specific workflows.

What are agent skills?

Agent skills are reusable packages that give an AI agent a specific capability or workflow. The open standard describes a skill as a folder that includes a SKILL.md file with metadata and instructions, plus optional scripts, references, assets, and other supporting files.

The Agent Skills standard describes the format as a lightweight way to extend agents with specialized knowledge and repeatable workflows. That design helps developers move faster, but it also creates a new supply chain risk when users install skills from public marketplaces or unknown repositories.

A skill can look like a small productivity add-on, but it may run with broad access through the agent that loads it. If the agent can read local files, run terminal commands, use credentials, or connect to APIs, a malicious skill can try to abuse that same access.

TermMeaningSecurity concern
Agent skillA folder containing instructions, resources, and optional scripts for an AI agentCan inherit the permissions available to the agent
SKILL.mdThe main instruction and metadata file for a skillCan hide risky instructions in natural language
Static scannerA tool that reviews a skill before executionMay miss payloads that appear only at runtime
Runtime auditorA tool that watches behavior during executionCan detect suspicious file, process, and network activity

SkillCloak shows how scanner evasion works

SkillCloak uses two evasion strategies. The first is Structural Obfuscation, which rewrites visible indicators such as suspicious commands, URLs, or credential references into different forms that preserve the same behavior.

The second method is Self-Extracting Skill Packing. Instead of leaving the payload visible during installation, the skill hides the harmful component and rebuilds it only when the agent runs the skill. The arXiv paper says this approach bypassed all eight tested scanners at rates above 90%.

This exposes a weak point in appearance-based scanning. A scanner may approve a package because the visible files look safe, while the agent later reconstructs or loads the dangerous parts during execution.

Why Claude Code and OpenAI Codex users should care

Claude Code and Codex both support skill-based workflows, which makes the research relevant to modern AI coding environments. These tools can help developers automate file edits, run tests, generate code, and follow repeatable procedures across projects.

Anthropicโ€™s Claude skills documentation says custom skills can package domain expertise and organizational knowledge. OpenAIโ€™s Codex skills documentation says a skill can include instructions, resources, and optional scripts so Codex can follow a workflow reliably.

Overview of SKILLCLOAK and SKILLDETONATE (Source – Arxiv)

Those capabilities become risky when the source is untrusted. A malicious skill can use the agentโ€™s own permissions to reach source code, secrets, configuration files, SSH keys, cloud tokens, browser data, or project files.

  • Credential theft from environment variables or local configuration files
  • Exfiltration of source code or private project data
  • Backdoor installation through setup steps or helper scripts
  • Hidden network calls to attacker-controlled servers
  • Agent behavior changes through poisoned instructions or memory files

Earlier ToxicSkills research showed the ecosystem was already exposed

The new scanner-evasion study builds on a wider concern around public skill marketplaces. Snykโ€™s ToxicSkills research scanned 3,984 skills from ClawHub and skills.sh and found that 1,467 skills had at least one security flaw.

Snyk also reported 534 skills with critical issues and 76 confirmed malicious payloads involving credential theft, backdoors, and data exfiltration. That earlier work showed that malicious and unsafe skills were not only theoretical.

Overview of the Structural Obfuscation workflow (Source – Arxiv)

OWASP has also started tracking the problem as an agentic skills security issue. Its Malicious Skills entry warns that attackers can publish skills containing credential stealers, reverse shells, backdoors, or social engineering instructions embedded in skill files.

What SkillDetonate changes

The researchers behind the SkillCloak study also proposed a defense called SkillDetonate. Instead of judging a skill only by its visible files, SkillDetonate runs the skill in a sandbox and watches what happens across files, processes, agent context, and network operations.

The paper says SkillDetonate detected 97% of attacks with a 2% false-positive rate and sustained 87% detection on real-world malicious skills. That result suggests behavior-based testing can catch many payloads that static review misses.

This does not make static scanning useless. It means static scanning should sit inside a broader defense model that also includes sandboxing, permission limits, network monitoring, and approval gates for risky actions.

Defense methodWhat it checksMain limitation
Static scanningVisible skill files before installationCan miss self-extracting or runtime payloads
LLM-as-judge reviewText and code risk signalsCan be fooled by rewritten or hidden behavior
Sandbox executionRuntime file, process, and network behaviorNeeds controlled test environments and good policy rules
Permission isolationWhat the agent and skill can accessCan break workflows if configured too tightly

What developers should do before installing agent skills

Developers should treat unfamiliar skills like untrusted software packages. That means reviewing the files, checking the source, limiting permissions, and testing the skill in an isolated environment before letting it touch a real project.

Overview of SKILLDETONATE (Source – Arxiv)

The OWASP guidance says malicious skills can gain access to API keys, SSH credentials, wallet files, browser data, and shell when they execute with the host agentโ€™s permissions. This makes least-privilege design essential for teams using coding agents.

  1. Install skills only from trusted sources and known maintainers.
  2. Review SKILL.md files, scripts, setup steps, and external references before use.
  3. Run new skills in a disposable container or virtual machine first.
  4. Block network access unless the skill clearly needs it.
  5. Keep secrets, SSH keys, wallets, and production credentials outside agent-accessible folders.
  6. Watch for skills that fetch remote instructions or execute downloaded content.
  7. Log file access, process execution, and outbound connections during agent runs.

Why static scanning is not enough anymore

Agent skills combine code, natural-language instructions, references, assets, and runtime behavior. That makes them harder to vet than a simple script because the agent may decide when and how to load different parts of the package.

The open skills format supports portable, version-controlled workflows that agents load on demand. That same portability means risky skills can move quickly across tools, teams, and marketplaces if organizations do not add security checks.

Snykโ€™s ToxicSkills report reached a similar conclusion from marketplace data: agent skills form a software supply chain and need security controls comparable to package managers, container registries, and developer plugins.

How teams can reduce agent skill malware risk

Organizations using Claude Code, Codex, Cursor, OpenClaw, or other skill-compatible agents should create a clear policy for third-party skills. The policy should define which skills users can install, where they can run, what data they can access, and who approves changes.

Teams should also build an internal allowlist for approved skills and store reviewed versions in a private repository. This reduces the risk of developers installing a newer malicious version from a public source or trusting a lookalike package.

  • Create an approved internal skill registry.
  • Require review for skills with scripts, setup commands, or network access.
  • Use containers or virtual machines for untrusted skill testing.
  • Run agents with project-scoped credentials instead of broad user credentials.
  • Separate production secrets from development agent workspaces.
  • Monitor outbound connections from agent processes.
  • Revoke and rotate credentials after any suspicious skill execution.

The larger lesson is clear: agent skills make AI coding assistants more useful, but they also create a new malware delivery path. As tools like Claude Code and OpenAI Codex gain more access to developer systems, security teams must inspect not only what a skill says, but what it does when the agent runs it.

FAQ

What is agent skill malware?

Agent skill malware is a malicious skill package designed to abuse the permissions of an AI agent. It may steal credentials, read private files, exfiltrate source code, install backdoors, or change agent behavior through hidden instructions or scripts.

What did the SkillCloak study find?

The SkillCloak study found that attackers can modify malicious agent skills so they bypass existing scanners while keeping the harmful behavior intact. Self-extracting skill packing bypassed all eight tested scanners more than 90% of the time.

Why are Claude Code and OpenAI Codex mentioned in this research?

Claude Code and OpenAI Codex support skill-based workflows, which means they can load packages that include instructions, resources, and optional scripts. If a user installs an untrusted skill, the agent may expose files, credentials, or project data to malicious behavior.

What is SkillDetonate?

SkillDetonate is a behavior-based runtime auditor proposed by the researchers. It runs skills in a sandbox and watches file access, process activity, agent context, and network behavior to detect malicious effects that static scanners may miss.

How can developers reduce the risk of malicious agent skills?

Developers should install skills only from trusted sources, review SKILL.md files and scripts, run unfamiliar skills in containers or virtual machines, limit network access, keep secrets outside agent-accessible folders, and monitor file and network activity during agent runs.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages