ClawHub, Cisco, Vercel’s Malicious Skill Detector Bypassed to upload Malicious Skills

AI skill scanners from ClawHub, Cisco, and Vercel’s skills. The platform can be bypassed with minimal effort, allowing malicious skills to be uploaded and distributed through public marketplaces.

The findings highlight a growing supply chain risk in agent ecosystems, where skills serve as reusable components that can execute code and influence model behavior.

The Trail of Bits research shows that attackers can evade detection mechanisms using simple obfuscation and packaging tricks rather than advanced exploitation techniques.

In one case targeting ClawHub, researchers inserted over 100,000 newline characters to push malicious code beyond the scanner’s inspection window.

This caused truncation in the analysis pipeline, allowing harmful logic to pass undetected while also confusing integrated scanning engines such as VirusTotal’s Code Insight.

ClawHub, Cisco, Vercel Skill Checks Bypassed

Further testing against Cisco’s open-source skill-scanner and Vercel’s skills.SH integrations revealed additional weaknesses. These platforms rely on a mix of static analysis, pattern matching, and LLM-based inspection.

However, Trail of Bits researchers found these defenses can be bypassed when malicious content is hidden in less obvious formats, such as compiled Python bytecode (.pyc) or archive-based files like..docx.

One demonstrated attack involved a seemingly benign text-formatting skill that included precompiled Python bytecode.

While the visible source code appeared harmless, the bytecode secretly extracted environment variables, enabling potential data exfiltration.

Because scanners focused primarily on readable source files, the malicious payload remained undetected and was classified as safe.

Another effective technique used indirect execution paths. A skill instructed the AI agent to retrieve operational logic from a document containing a hidden script.

This method bypassed both signature-based detection and LLM reasoning, as the malicious behavior was not directly exposed in the primary skill definition.

Trail of Bits Researchers also successfully used prompt injection to manipulate LLM-based scanners. In one example, a skill disguised a malicious package registry configuration as a standard enterprise setup.

By framing the behavior as a legitimate corporate requirement, the scanner downgraded the risk to low severity. It approved the skill, despite its potential to redirect dependency installations to attacker-controlled infrastructure.

These bypasses underscore fundamental limitations in current scanning approaches. Static analysis struggles with complex or hidden file formats. At the same time, LLM-based systems can be misled by persuasive or contextually framed instructions.

Additionally, constraints such as limited context windows and selective file inspection create blind spots that attackers can exploit repeatedly.

The issue is compounded by the rapid growth of public skill marketplaces, where users can install third-party skills with minimal verification.

Unlike curated environments, these platforms often prioritize usability and speed over rigorous security controls, increasing exposure to malicious uploads.

Trail of Bits researchers conclude that automated scanning alone is insufficient to secure AI skill ecosystems.

They recommend adopting traditional supply chain security practices, including curated repositories, strict access controls, and version pinning.

Until stronger safeguards are developed, organizations are advised to treat all public AI skills as untrusted code and avoid deploying them in sensitive environments.

The post ClawHub, Cisco, Vercel’s Malicious Skill Detector Bypassed to upload Malicious Skills appeared first on Cyber Security News.