Agent Skill Malware Evades AI Coding Assistant Defenses
Malware disguised as 'agent skills' for AI coding assistants like Claude Code and OpenAI Codex can bypass security scanners using novel evasion techniques.

A new wave of malware is exploiting the burgeoning ecosystem of AI coding assistants by disguising itself as legitimate "agent skills." These small add-on packages, which extend the capabilities of tools like Claude Code and OpenAI Codex, are being weaponized to bypass security scanners and deliver malicious payloads. Researchers have developed a tool called SkillCloak to demonstrate how techniques such as Structural Obfuscation and Self-Extracting Skill Packing can effectively evade detection.
Agent skills function similarly to plugins, allowing AI coding agents to acquire new functionalities on demand. They typically consist of plain-language instructions, scripts, and supporting files, making them easy to create and distribute. The rapid growth of this format, with one marketplace reportedly listing over 40,000 skills within months of its debut in late 2025, has created a significant attack surface. Because a skill runs with the same permissions as the AI agent that loads it, malicious skills can gain access to a developer's sensitive files, saved passwords, and connected accounts.
Attackers have already capitalized on this vulnerability, using booby-trapped skills to steal browser credentials, SSH keys, and cryptocurrency wallet data. A recent report from researchers detailed their findings after testing this threat directly. They found that disguised malicious skills could slip through eight widely used scanners and over 1,600 real-world malicious skills pulled from the wild almost every time. Crucially, the researchers confirmed that hiding the malware did not impair its functionality; the disguised skills still executed their malicious code as intended when run by AI agents.
The primary evasion technique, Structural Obfuscation, involves rewriting suspicious elements like commands, URLs, or password references into forms that are functionally equivalent for a computer but appear benign to automated scanners. A more potent method, Self-Extracting Skill Packing, goes a step further by hiding the malicious code in an area scanners typically ignore, such as an obscure folder or a scrambled data block. The malicious code is only reassembled and executed when the AI agent actually runs the skill, meaning the scanner never encounters the actual payload during its review.
This packing technique proved highly effective, defeating every examined scanner more than 90 percent of the time. Structural Obfuscation alone still fooled most tools over 80 percent of the time. This highlights a fundamental weakness in current security solutions: they primarily assess a skill based on its apparent structure rather than its actual behavior once deployed.
This threat is not merely theoretical. A campaign known as ClawHavoc has already planted hundreds of malicious skills on a public marketplace, with some reports indicating over 300 poisoned packages. Victims who installed these skills unknowingly ran an information stealer that silently exfiltrated saved logins, keychain passwords, and wallet files. Security experts advise users to never allow AI agents to auto-run setup steps from unfamiliar skills without first reviewing them, and to treat such packages with the same caution as any unknown file downloaded from the internet.
To address this gap, the researchers developed a behavior-based detection tool called SkillDetonate. Instead of relying on static analysis, SkillDetonate runs skills in a sandbox environment, monitoring file access, network calls, and data movement in real time. This approach successfully identified the vast majority of malicious skills, including those that had bypassed all previous static scanners. The broader implication for users of AI coding tools is clear: while code review remains important, it is no longer sufficient. Essential habits now include running unfamiliar skills in isolated environments, monitoring for unusual network activity, and strictly limiting the access and credentials an AI agent can utilize.