A team of security researchers built a tool called SkillCloak that disguises malicious agent skills well enough to defeat every major automated scanner, then proved the disguised malware still works perfectly when loaded by real coding agents. The results, published in a paper on arXiv, tested over 1,600 real malicious skills pulled from the wild against eight widely used scanners, according to Cyber Security News.
The evasion rates are stark. The more effective technique, called Self-Extracting Skill Packing, defeated every scanner examined more than 90% of the time. A simpler approach called Structural Obfuscation still fooled most tools over 80% of the time.
How the Evasion Works
Agent skills function like plugins: small add-on packages containing instructions, scripts, and supporting files that give coding agents new capabilities. One marketplace listed more than 40,000 skills within months of the format’s debut in late 2025. A skill runs with the same access as the agent that loads it, reaching a developer’s files, saved passwords, SSH keys, and connected accounts.
The researchers identified two primary evasion techniques. Structural Obfuscation rewrites suspicious commands, web addresses, and references to credentials into forms that mean the same thing to a computer but look harmless to a scanner. Self-Extracting Skill Packing is more aggressive: it hides the malicious payload in an ignored folder or a scrambled data block, then rebuilds it only when the AI agent actually runs the skill. Since the scanner never encounters the real payload during its review, it has almost nothing to flag.
The critical finding: disguising the malware did not break it. When the researchers ran the cloaked skills through real coding agents, the malicious code executed exactly as intended, targeting SSH keys, browser passwords, and cryptocurrency wallets.
The Detection Gap
The results expose a structural weakness in current security tooling. Scanners evaluate skills by how they look on the shelf, not by what they actually do once installed. Static analysis catches obvious red flags like hardcoded IP addresses or known malicious patterns. It misses payloads that reconstruct themselves at runtime.
The researchers also built a companion tool called SkillDetonate that runs skills in a controlled environment to observe their actual behavior. The implication for teams deploying coding agents is direct: installation-time scanning alone is insufficient. Runtime monitoring, sandboxed execution, and behavioral analysis are the minimum viable defense against agent skill supply chain attacks.
Scale of Exposure
The attack surface is large and growing. Skills grant deep access to developer machines and cloud infrastructure by design. Attackers have already exploited this access to steal browser credentials, SSH keys, and cryptocurrency wallet data through skills disguised as helpful tools, according to Cyber Security News. The marketplace model that makes skills easy to share also makes them easy to weaponize, and current scanning infrastructure cannot keep pace with the evasion techniques documented in this research.