Cloak and Detonate: Scanner Evasion and Dynamic Detection of Agent Skill Malware

📅 2026-07-02
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the vulnerability of static skill scanners to evasion by malicious third-party agents that exploit public marketplaces and rely on superficial syntactic features for detection. To this end, the authors propose SkillCloak, a framework that leverages structural obfuscation and self-extracting skills (SFS) to mount high-evasion, semantics-preserving attacks—achieving over 90% success rates against eight representative static scanners—and thereby exposes, for the first time, the fragility of static analysis under adversarial evasion. Building upon this insight, they further develop SkillDetonate, a dynamic auditing system that combines sandboxed execution, on-demand closure lifting, and token-based taint analysis to trace information flows at the OS boundary. This behavior-centric approach achieves 97% true positive detection at a 2% false positive rate and maintains an 87% detection rate against real-world malicious skills.
📝 Abstract
LLM coding agents increasingly rely on third-party agent skills from public marketplaces, which execute with the agent's privileges and create a software supply-chain attack surface: a malicious skill can steal credentials, exfiltrate source code, or install backdoors. Existing defenses use static skill scanners based on pattern matching or LLM-as-judge analysis, but it remains unclear whether they withstand adaptive evasions that preserve malicious behavior while changing payload appearance. This paper first presents an adversarial study of existing skill scanners through SkillCloak, a payload-preserving evasion framework that keeps the attack semantics intact while transforming their visible form. SkillCloak uses two complementary strategies: Structural Obfuscation, which rewrites visible payload indicators into semantically equivalent forms, and Self-Extracting Skill (SFS) Packing, which hides malicious components from the install-time view and restores them during agent execution. Across eight scanners and 1,613 in-the-wild malicious skills, SFS Packing bypasses every scanner at over 90%, while Structural Obfuscation bypasses over 80% on most static scanners and reaches 96% on a hybrid scanner, showing that appearance-based auditing is insufficient. Motivated by this finding, we propose SkillDetonate, a behavior-centric runtime auditor that executes skills in a sandbox and detects malicious effects through OS-boundary information-flow evidence rather than install-time appearance. SkillDetonate combines on-demand closure lift, which observes instructions materialized during execution, with marker-based taint analysis, which tracks sensitive-data flows across the agent context, files, processes, and network operations. The results show that SkillDetonate detects 97% of attacks at a 2% false-positive rate and sustains 87% detection on real-world malicious skills.
Problem

Research questions and friction points this paper is trying to address.

agent skill malware
scanner evasion
software supply-chain security
malicious payload obfuscation
static analysis limitations
Innovation

Methods, ideas, or system contributions that make the work stand out.

SkillCloak
SkillDetonate
adversarial evasion
runtime auditing
information-flow tracking