Researchers at Hong Kong University of Science and Technology have demonstrated that malicious skills designed for AI coding agents can evade detection by commercial static scanners using straightforward obfuscation techniques. The study, presented as "SkillCloak," reveals that threat actors can employ self-extracting packing methods to bypass security tools at rates exceeding 90%.

AI coding agents rely on extensible skill modules to expand functionality. These skills function similarly to plugins and can execute arbitrary code during agent operations. Attackers have begun weaponizing this architecture by injecting malicious skills that remain hidden from security scanning mechanisms.

The SkillCloak approach uses simple code transformations to obscure malicious intent while preserving functionality. The researchers tested their evasion techniques against multiple commercial static scanners. Their most effective variant evaded detection in over 90% of test cases, indicating a substantial gap between what security tools detect and what actually runs on systems.

The attack flow works because static scanners typically analyze code structure and patterns at rest. Once packaged through self-extracting mechanisms, malicious skills unpack at runtime, bypassing pre-execution analysis entirely. The obfuscation occurs before detection tools can inspect the code's true purpose.

The research team developed a runtime checker to address this detection gap. This tool monitors skill behavior during execution rather than before it, catching most evasion attempts that fool static analysis. Runtime monitoring provides visibility into what skills actually do, not just what they claim to do.

Organizations deploying AI coding agents face a new threat vector. Malicious skills packaged with obfuscation can install backdoors, exfiltrate data, or compromise development environments. The attack requires minimal technical sophistication from threat actors, yet defeats existing security mechanisms.

The implications extend beyond individual deployments. Compromised AI agents operating within enterprise development pipelines could inject vulnerabilities into production code at