SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware
Technical Analysis
Summary
Hide ▲
Show ▼
SKILLCLOAK shows that malicious AI coding-agent skills can be rewritten to evade static scanners while still executing, exposing credentials, source code, and terminal access to hidden payloads. The same research introduces SKILLDETONATE, a runtime checker that inspects behavior instead of appearance and catches most disguised skills the scanners miss. Tests across eight scanners and 1,613 malicious skills from ClawHub found the packing trick evaded detection more than 90% of the time. The result shifts trust from install-time file review to runtime observation.
Related Happenings
AI coding assistants GhostApproval symlink security flaw
Vulnerability
H score22
First: 09.07.2026 07:27
Last: 09.07.2026 07:27
Sources 1
About this happening:
A **July 8** disclosure identified **GhostApproval**, a **symlink** flaw in **six AI coding assistants** that can redirect approved writes into **~/.ssh/authorized_keys** or **~/....
AI coding assistants GhostApproval symlink security flaw
VulnerabilityAbout this happening: A **July 8** disclosure identified **GhostApproval**, a **symlink** flaw in **six AI coding assistants** that can redirect approved writes into **~/.ssh/authorized_keys** or **~/....
Defensive guidance for splitting behavioral detections around AI coding agents on Windows endpoints
Defensive Guidance
H score28
First: 08.07.2026 20:02
Last: 08.07.2026 20:02
Sources 1
About this happening:
AI coding agents on **Windows endpoints** are triggering attacker-style detections, forcing defenders to separate benign automation from real **credential theft** risk. A **June 2...
Defensive guidance for splitting behavioral detections around AI coding agents on Windows endpoints
Defensive GuidanceAbout this happening: AI coding agents on **Windows endpoints** are triggering attacker-style detections, forcing defenders to separate benign automation from real **credential theft** risk. A **June 2...
HalluSquatting indirect prompt-injection attack on AI coding assistants
Technical Analysis
H score3
First: 08.07.2026 18:07
Last: 08.07.2026 18:07
Sources 1
About this happening:
Researchers demonstrated **HalluSquatting**, an indirect prompt-injection technique that can push **AI coding assistants** to fetch attacker-controlled resources and execute code....
HalluSquatting indirect prompt-injection attack on AI coding assistants
Technical AnalysisAbout this happening: Researchers demonstrated **HalluSquatting**, an indirect prompt-injection technique that can push **AI coding assistants** to fetch attacker-controlled resources and execute code....
Skills.sh scanner blind spot for externally linked AI agent skills
Security Tool/Service
H score22
First: 23.06.2026 18:16
Last: 23.06.2026 18:16
Sources 1
About this happening:
Security scanners for **AI agent skills**, including those wired into **skills.sh**, cleared a fake skill that hid its real payload behind **stitch-design.ai**, exposing a vetting...
Skills.sh scanner blind spot for externally linked AI agent skills
Security Tool/ServiceAbout this happening: Security scanners for **AI agent skills**, including those wired into **skills.sh**, cleared a fake skill that hid its real payload behind **stitch-design.ai**, exposing a vetting...
JustAskJacky fake AI assistant malware campaign
Campaign
H score33
First: 04.06.2026 17:00
Last: 04.06.2026 17:00
Sources 1
About this happening:
The **JustAskJacky** campaign is distributing a fake **AI assistant** that installs a **backdoor**, turning trusted-looking software into a malware delivery path. The operation us...
JustAskJacky fake AI assistant malware campaign
CampaignAbout this happening: The **JustAskJacky** campaign is distributing a fake **AI assistant** that installs a **backdoor**, turning trusted-looking software into a malware delivery path. The operation us...
Timeline
-
06.07.2026 09:33 2 articles · 3d ago
HKUST researchers show malicious AI agent skills can evade static scanners
Technical Analysis UpdateResearchers at the Hong Kong University of Science and Technology showed that malicious AI coding-agent skills can evade static scanners by using SKILLCLOAK to rewrite giveaway bytes, split flagged commands across newlines, or hide payloads in skipped directories such as .git/ while preserving execution. The same work introduces SKILLDETONATE, a runtime sandbox checker that watches file access and data flow instead of file appearance; the report says the packing trick evaded every tested scanner more than 90% of the time across eight scanners and 1,613 malicious ClawHub skills, while SKILLDETONATE caught 97% of attacks in controlled tests and 87% of real-world malicious skills.
Show sources
- SkillCloak Lets Malicious AI Agent Skills Evade Static Scanners with Self-Extracting Packing — thehackernews.com — 06.07.2026 09:33
- SkillCloak Lets Malicious AI Agent Skills Evade Static Scanners with Self-Extracting Packing — thehackernews.com — 06.07.2026 09:33