Agent Skill Malware Targets Claude Code and OpenAI Codex With Scanner-Evasion Techniques

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A new class of malicious software is quietly slipping past the security tools meant to protect popular AI coding assistants.

Researchers have found that malware hidden inside “agent skills,” small add-on packages used by tools like Claude Code and OpenAI Codex, can be reshaped to sail through automated scanners while keeping its harmful functions fully intact.

Agent skills work like plugins. They let AI coding agents pick up new abilities on demand, usually through a folder containing plain-language instructions, scripts, and supporting files.

Since these packages are easy to write and share, they have spread fast, with one marketplace listing more than 40,000 skills within months of the format’s debut in late 2025.

That growth has created an obvious target. A skill runs with the same access as the agent that loads it, meaning it can reach a developer’s files, saved passwords, and connected accounts.

Attackers have already used this access to steal browser credentials, SSH keys, and even cryptocurrency wallet data through booby-trapped skills disguised as helpful tools.

Researchers from Arxiv said in a report shared with Cyber Security News (CSN) that they detailed how they tested this threat directly, building a tool called SkillCloak to see whether existing skill scanners could catch cleverly disguised malware.

The results were troubling: across eight widely used scanners and over 1,600 real malicious skills pulled from the wild, the disguised versions slipped through almost every single time.

Overview of SKILLCLOAK and SKILLDETONATE (Source – Arxiv)

The team also found that hiding malware did not break it. When they ran the disguised skills through real coding agents, the malicious code still worked exactly as intended, meaning attackers lose nothing by cloaking their payloads.

Agent Skill Malware Targets Claude Code and OpenAI Codex

The evasion technique relies on two main tricks. The first, called Structural Obfuscation, takes obvious red flags such as suspicious commands, web addresses, or references to passwords and rewrites them into forms that mean the same thing to a computer but look harmless to a scanner.

The second and more effective trick is called Self-Extracting Skill Packing. Instead of just disguising the malicious code, this method hides it somewhere the scanner never looks, such as an ignored folder or a scrambled data block, and only rebuilds it once the AI agent actually runs the skill.

Overview of the Structural Obfuscation workflow (Source – Arxiv)

Since the scanner never sees the real payload during its review, it has almost nothing to flag.

Testing showed this packing trick defeated every scanner examined more than 90 percent of the time, while the disguise trick alone still fooled most tools over 80 percent of the time.

That gap exposes a basic weakness: today’s scanners mostly judge a skill by how it looks on the shelf, not by what it actually does once installed.

A Real-World Warning Sign

This is not a purely theoretical problem. A campaign known as ClawHavoc planted hundreds of malicious skills on a public marketplace, with some reports counting over 300 poisoned packages and others putting the number even higher across the same ecosystem.

Victims who installed these skills unknowingly ran an information stealer that quietly grabbed saved logins, keychain passwords, and wallet files.

Security researchers who examined similar incidents have echoed the same advice: never let an agent auto-run setup steps from a skill without reading them first, and treat unfamiliar skills the way you would an unknown package pulled from the internet.

Overview of SKILLDETONATE (Source – Arxiv)

To close the gap left by traditional scanners, the researchers behind this study also built a tool called SkillDetonate.

Rather than judging a skill by its appearance, it runs the skill in a sandbox and watches what actually happens, tracking file access, network calls, and data movement in real time.

In testing, this behavior-based approach caught the vast majority of malicious skills, even the disguised ones that had slipped past every static scanner before it.

The broader lesson for anyone using AI coding tools is simple. Checking a skill’s code before installing it still matters, but that alone is not enough anymore.

Running unfamiliar skills in an isolated environment first, watching for unusual network activity, and limiting what folders and credentials an agent can touch are now essential habits rather than optional precautions.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.