Developers who build with AI coding agents grab capabilities off public marketplaces the same way they grab packages from npm or PyPI. The add-ons are called agent skills. Each one is a little bundle of plain-English instructions, scripts, and files that a tool such as Claude Code or OpenAI Codex loads when it needs a new trick. One marketplace filled up with more than 40,000 listed skills within months of the format showing up in late 2025. Most came from the community, and nobody vetted them.

That convenience comes with an old, familiar bill. Once a skill installs, it runs with the agent’s privileges. Those privileges reach a developer’s files, credentials, package managers, terminals, and outside services. A poisoned bundle can point all of that toward stealing credentials, siphoning source code, or dropping a backdoor. The dangerous part might sit right in the instructions, hide inside a bundled script, or spread across both.
This has already happened. A campaign called ClawHavoc planted more than 300 malicious skills on a single marketplace. The instruction files told the agent to fetch and run an information stealer, dressed up as a routine setup step. Then the stealer went to work on browser credentials, keychain passwords, SSH keys, and cryptocurrency wallets.
The defense so far leans on skill scanners. These tools check a bundle at install time and hand back a block-or-allow verdict. Some run regex, YARA, or AST rules across the files. Others feed the readable contents to a language model and ask what it thinks. A few do a bit of each.
Researchers at the Hong Kong University of Science and Technology wanted to know how much those scanners can take. They built a system called SkillCloak to find out. SkillCloak keeps a skill’s bad behavior fully working and changes only its looks. It has two tricks. The first rewrites suspicious command tokens, credential paths, and URLs into equivalent forms that the agent quietly reassembles at runtime. The second stuffs the real payload into a directory the scanner skips, ships a clean-looking cover, and rebuilds the original once the agent runs the skill.
The experiment ran a wide set of scanners against 1,613 genuine malicious skills pulled from a marketplace archive. Every sample carried a finding that some detector already flagged, which gave each evasion a real signal to erase.
The packing trick sailed past every scanner more than 90% of the time. The rewriting trick cleared more than 80% of most static scanners. On one hybrid tool that mixes rules with a language model, it hit 96%, and the cloaked skills kept working fine when production agents ran them, finishing the same jobs as the originals.
The same team came back with a different kind of defense. Their tool, SkillDetonate, runs a suspicious skill inside a sandbox and watches what it does at the operating-system boundary. Credential theft has to read something sensitive and send it somewhere. A dropper has to write or run a payload. Those moves show up as system calls even when the bundle that set them off looks perfectly innocent.
Two ideas make this work for agent skills. On-demand closure lift catches instructions a skill writes for itself mid-run and feeds them back into the same session, so multi-stage payloads that appear only after a decode step still run and get seen. Marker-based taint analysis drops a label at every sensitive read and follows it across files, processes, network calls, and the agent’s own language context, which keeps encoding steps like base64 and gzip covered.
On a synthetic benchmark of injected payloads, SkillDetonate caught 97% of attacks, and detection stayed steady across original, obfuscated, and packed forms. It managed that with a false-positive rate near 2%, low enough for a gate that runs once at install. On real-world malicious skills, the tool held at 87% and stayed steady under SkillCloak’s tricks. The best static scanner in the same test fell from about 99% to roughly 10% the moment the rewriting trick came into play.
One limit runs under the whole thing. SkillDetonate only sees the behavior an agent decides to run. A payload waiting behind an instruction the agent skips never fires, so nothing surfaces for the sandbox to spot. A clever attacker can even use prompt injection to nudge the agent off the malicious path during analysis. This is the top reason wild skills get missed, and it points straight at the next round of work.
The behavioral approach asks for more time. Each skill needs about two and a half minutes to detonate, several times longer than a static scan. For a gate that runs once at install, that price buys coverage the byte-level tools give away.
The bigger story rhymes with decades of malware defense. Byte-level inspection loses to attackers who keep the behavior and swap the wrapping, and the answer has long been to watch what code does when it runs. Agent skills carry that same fight into a place where an English sentence can be the weapon, and where the thing carrying out the attack is a model you can sometimes talk out of it.

