Security researchers at the Hong Kong University of Science and Technology have published findings on a new evasion technique, dubbed SkillCloak, that allows malicious add-on skills for AI coding agents to slip past static analysis scanners with high reliability.
The study focuses on the growing ecosystem of installable “skills” or plugins that extend AI coding agents with additional capabilities. As these agents become more widely adopted in developer workflows, third-party skill packages represent an expanding attack surface. Security tooling has begun emerging to scan such packages for malicious behavior, but the researchers found that surface-level obfuscation is enough to undermine those defenses.
How SkillCloak Works
The core of the technique involves self-extracting packing, a method that repackages malicious skill code so that static scanners cannot identify the payload at rest. The malware remains fully functional at runtime while appearing benign to tools that inspect code without executing it. According to the researchers, their most effective variant evaded every scanner they tested in more than 90% of cases.
Detection and Defenses
The same research team developed a runtime-based detection approach designed to catch the evasion attempts that static scanners miss. By analyzing skill behavior during execution rather than relying solely on pre-execution inspection, the runtime checker was able to identify the majority of SkillCloak-packed samples.
The findings highlight a structural weakness in current security practices around AI agent ecosystems. Static scanning alone is insufficient when attackers can trivially repack malicious payloads, and the research suggests that defenders need to incorporate dynamic or behavioral analysis into skill vetting pipelines.
The disclosure is a timely reminder that as AI coding assistants see broader enterprise adoption, the security of their extension mechanisms deserves the same scrutiny applied to traditional software package repositories.
