Agent Skill Malware Can Bypass Scanners Used to Protect Claude Code and OpenAI Codex
New research warns that malicious agent skills can be disguised to bypass scanners used to protect AI coding assistants, including Claude Code and OpenAI Codex. The study shows that attackers can change how a harmful skill looks while keeping its malicious behavior intact.
The findings come from the paper Cloak and Detonate, which tested a framework called SkillCloak against eight skill scanners and 1,613 real malicious skills. The researchers found that self-extracting skill packing bypassed every scanner more than 90% of the time.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The risk matters because agent skills can package instructions, scripts, and resources that agents load during work. Anthropic says Agent Skills can be created for Claude Code and uploaded through Claudeโs products, while OpenAI says Codex skills can extend Codex with task-specific workflows.
What are agent skills?
Agent skills are reusable packages that give an AI agent a specific capability or workflow. The open standard describes a skill as a folder that includes a SKILL.md file with metadata and instructions, plus optional scripts, references, assets, and other supporting files.
The Agent Skills standard describes the format as a lightweight way to extend agents with specialized knowledge and repeatable workflows. That design helps developers move faster, but it also creates a new supply chain risk when users install skills from public marketplaces or unknown repositories.
A skill can look like a small productivity add-on, but it may run with broad access through the agent that loads it. If the agent can read local files, run terminal commands, use credentials, or connect to APIs, a malicious skill can try to abuse that same access.
| Term | Meaning | Security concern |
|---|---|---|
| Agent skill | A folder containing instructions, resources, and optional scripts for an AI agent | Can inherit the permissions available to the agent |
| SKILL.md | The main instruction and metadata file for a skill | Can hide risky instructions in natural language |
| Static scanner | A tool that reviews a skill before execution | May miss payloads that appear only at runtime |
| Runtime auditor | A tool that watches behavior during execution | Can detect suspicious file, process, and network activity |
SkillCloak shows how scanner evasion works
SkillCloak uses two evasion strategies. The first is Structural Obfuscation, which rewrites visible indicators such as suspicious commands, URLs, or credential references into different forms that preserve the same behavior.
The second method is Self-Extracting Skill Packing. Instead of leaving the payload visible during installation, the skill hides the harmful component and rebuilds it only when the agent runs the skill. The arXiv paper says this approach bypassed all eight tested scanners at rates above 90%.
This exposes a weak point in appearance-based scanning. A scanner may approve a package because the visible files look safe, while the agent later reconstructs or loads the dangerous parts during execution.
Why Claude Code and OpenAI Codex users should care
Claude Code and Codex both support skill-based workflows, which makes the research relevant to modern AI coding environments. These tools can help developers automate file edits, run tests, generate code, and follow repeatable procedures across projects.
Anthropicโs Claude skills documentation says custom skills can package domain expertise and organizational knowledge. OpenAIโs Codex skills documentation says a skill can include instructions, resources, and optional scripts so Codex can follow a workflow reliably.

Those capabilities become risky when the source is untrusted. A malicious skill can use the agentโs own permissions to reach source code, secrets, configuration files, SSH keys, cloud tokens, browser data, or project files.
- Credential theft from environment variables or local configuration files
- Exfiltration of source code or private project data
- Backdoor installation through setup steps or helper scripts
- Hidden network calls to attacker-controlled servers
- Agent behavior changes through poisoned instructions or memory files
Earlier ToxicSkills research showed the ecosystem was already exposed
The new scanner-evasion study builds on a wider concern around public skill marketplaces. Snykโs ToxicSkills research scanned 3,984 skills from ClawHub and skills.sh and found that 1,467 skills had at least one security flaw.
Snyk also reported 534 skills with critical issues and 76 confirmed malicious payloads involving credential theft, backdoors, and data exfiltration. That earlier work showed that malicious and unsafe skills were not only theoretical.

OWASP has also started tracking the problem as an agentic skills security issue. Its Malicious Skills entry warns that attackers can publish skills containing credential stealers, reverse shells, backdoors, or social engineering instructions embedded in skill files.
What SkillDetonate changes
The researchers behind the SkillCloak study also proposed a defense called SkillDetonate. Instead of judging a skill only by its visible files, SkillDetonate runs the skill in a sandbox and watches what happens across files, processes, agent context, and network operations.
The paper says SkillDetonate detected 97% of attacks with a 2% false-positive rate and sustained 87% detection on real-world malicious skills. That result suggests behavior-based testing can catch many payloads that static review misses.
This does not make static scanning useless. It means static scanning should sit inside a broader defense model that also includes sandboxing, permission limits, network monitoring, and approval gates for risky actions.
| Defense method | What it checks | Main limitation |
|---|---|---|
| Static scanning | Visible skill files before installation | Can miss self-extracting or runtime payloads |
| LLM-as-judge review | Text and code risk signals | Can be fooled by rewritten or hidden behavior |
| Sandbox execution | Runtime file, process, and network behavior | Needs controlled test environments and good policy rules |
| Permission isolation | What the agent and skill can access | Can break workflows if configured too tightly |
What developers should do before installing agent skills
Developers should treat unfamiliar skills like untrusted software packages. That means reviewing the files, checking the source, limiting permissions, and testing the skill in an isolated environment before letting it touch a real project.

The OWASP guidance says malicious skills can gain access to API keys, SSH credentials, wallet files, browser data, and shell when they execute with the host agentโs permissions. This makes least-privilege design essential for teams using coding agents.
- Install skills only from trusted sources and known maintainers.
- Review SKILL.md files, scripts, setup steps, and external references before use.
- Run new skills in a disposable container or virtual machine first.
- Block network access unless the skill clearly needs it.
- Keep secrets, SSH keys, wallets, and production credentials outside agent-accessible folders.
- Watch for skills that fetch remote instructions or execute downloaded content.
- Log file access, process execution, and outbound connections during agent runs.
Why static scanning is not enough anymore
Agent skills combine code, natural-language instructions, references, assets, and runtime behavior. That makes them harder to vet than a simple script because the agent may decide when and how to load different parts of the package.
The open skills format supports portable, version-controlled workflows that agents load on demand. That same portability means risky skills can move quickly across tools, teams, and marketplaces if organizations do not add security checks.
Snykโs ToxicSkills report reached a similar conclusion from marketplace data: agent skills form a software supply chain and need security controls comparable to package managers, container registries, and developer plugins.
How teams can reduce agent skill malware risk
Organizations using Claude Code, Codex, Cursor, OpenClaw, or other skill-compatible agents should create a clear policy for third-party skills. The policy should define which skills users can install, where they can run, what data they can access, and who approves changes.
Teams should also build an internal allowlist for approved skills and store reviewed versions in a private repository. This reduces the risk of developers installing a newer malicious version from a public source or trusting a lookalike package.
- Create an approved internal skill registry.
- Require review for skills with scripts, setup commands, or network access.
- Use containers or virtual machines for untrusted skill testing.
- Run agents with project-scoped credentials instead of broad user credentials.
- Separate production secrets from development agent workspaces.
- Monitor outbound connections from agent processes.
- Revoke and rotate credentials after any suspicious skill execution.
The larger lesson is clear: agent skills make AI coding assistants more useful, but they also create a new malware delivery path. As tools like Claude Code and OpenAI Codex gain more access to developer systems, security teams must inspect not only what a skill says, but what it does when the agent runs it.
FAQ
Agent skill malware is a malicious skill package designed to abuse the permissions of an AI agent. It may steal credentials, read private files, exfiltrate source code, install backdoors, or change agent behavior through hidden instructions or scripts.
The SkillCloak study found that attackers can modify malicious agent skills so they bypass existing scanners while keeping the harmful behavior intact. Self-extracting skill packing bypassed all eight tested scanners more than 90% of the time.
Claude Code and OpenAI Codex support skill-based workflows, which means they can load packages that include instructions, resources, and optional scripts. If a user installs an untrusted skill, the agent may expose files, credentials, or project data to malicious behavior.
SkillDetonate is a behavior-based runtime auditor proposed by the researchers. It runs skills in a sandbox and watches file access, process activity, agent context, and network behavior to detect malicious effects that static scanners may miss.
Developers should install skills only from trusted sources, review SKILL.md files and scripts, run unfamiliar skills in containers or virtual machines, limit network access, keep secrets outside agent-accessible folders, and monitor file and network activity during agent runs.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages