A new technique for concealing malicious payloads within AI agent "skills" has exposed a significant blind spot in the security tools developers rely on to vet third-party code, according to a study reported by The Hacker News.
The method, dubbed "SkillCloak," reportedly evaded the vast majority of static analysis scanners tested in the research. The study also introduced a runtime checking approach that can secure tools like Claude Code and OpenClaw against such threats. By applying a self-extracting packer to a malicious skill, SkillCloak allows a threat to present clean, benign-looking code for inspection while hiding its true payload until runtime.
The research strikes at a foundational assumption in AI security: that the code reviewed is the code that executes. Current vetting processes for agent skills overwhelmingly depend on static analysis—examining a code package at rest before deployment. SkillCloak exploits the gap between that inspection and the moment the code actually runs, loading malicious functionality dynamically only when it executes in a live environment.
The implications extend well beyond a single compromised workstation. As AI coding agents become embedded in enterprise development workflows, skills distributed through popular marketplaces represent a serious supply-chain attack surface. A single malicious skill injected into a widely used marketplace could proliferate across numerous organizations simultaneously, compromising build pipelines, exfiltrating sensitive data, or injecting vulnerabilities into downstream software.
According to the report, the research team also built a runtime behavior analysis tool as a proof-of-concept countermeasure. This second layer of monitoring—observing what a skill actually does when it runs, rather than only examining its inert package—successfully detected most of the cloaked threats that static scanners missed.
That result points toward a two-layer security model the study argues is now necessary: static analysis as an initial filter, paired with runtime behavioral monitoring as a critical second check. But implementing that model introduces real operational friction. Runtime analysis adds latency to development cycles and requires careful calibration to avoid overwhelming teams with false-positive alerts.
Tool vendors, marketplace operators, and deploying organizations all face pressure to address the gap. Scanner providers will need to integrate dynamic analysis capabilities, while development teams must incorporate runtime vetting into their pipelines without crippling productivity. The trade-off between thoroughness and speed is emerging as the central challenge in securing the fast-growing ecosystem of AI-assisted development tools.
This article is based on initial reporting from The Hacker News. The full peer-reviewed study has not yet been independently reviewed by this publication.
據 The Hacker News 報導的一項研究指出,一種用於在人工智能代理「技能」中隱藏惡意載荷的新技術,暴露出開發者用於審查第三方代碼的安全工具存在重大盲點。
這種被稱為「SkillCloak」的方法,據報在研究中規避了絕大多數的靜態分析掃描器。該研究亦介紹了一種運行時檢查方法,能保護如 Claude Code 和 OpenClaw 等工具免受此類威脅。透過對惡意技能應用自解壓縮封裝工具,SkillCloak 使威脅能在審查時呈現乾淨、看似良性的代碼,直至運行時才隱藏其真正載荷。
該研究直指人工智能安全的一個基本假設:被審查的代碼即為執行的代碼。目前對代理技能的審查流程極度依賴靜態分析——在部署前檢查靜止的代碼包。SkillCloak 利用了此審查環節與代碼實際運行時刻之間的差距,僅在代碼於實際環境中執行時,才動態加載惡意功能。
其影響遠不止於單個被入侵的工作站。隨著人工智能編碼代理融入企業開發工作流程,透過熱門市場分發的技能構成了嚴重的供應鏈攻擊面。一個注入廣泛使用市場的惡意技能,可能同時在眾多組織間迅速擴散,危害建構管道、竊取敏感數據,或向下游軟件注入漏洞。
報告指出,研究團隊還構建了一個運行時行為分析工具,作為概念驗證的對策。這第二層監控——觀察技能運行時的實際行為,而非僅檢查其惰性封裝包——成功偵測到多數靜態掃描器遺漏的偽裝威脅。
該結果指向一項研究認為現已必要的雙層安全模型:靜態分析作為初步過濾器,搭配運行時行為監控作為關鍵的第二重檢查。但實施此模型會帶來實際的營運摩擦。運行時分析會增加開發週期的延遲,並需仔細校準,以免以誤報警報使團隊不堪重負。
工具供應商、市場營運商及部署組織都面臨著解決此差距的壓力。掃描器供應商需要整合動態分析能力,而開發團隊則必須將運行時審查融入其管道,同時避免嚴重影響生產力。在全面性與速度之間取得平衡,正成為確保快速成長的人工智能輔助開發工具生態系統安全的核心挑戰。
本文基於 The Hacker News 的初步報導。完整的同行評審研究尚未由本刊獨立審閱。
