Researchers Show AI Coding Agent 'Skills' Can Hide Malware From Every Scanner Tested

A Hong Kong team's packing trick beat static scanners more than 90% of the time. Their own runtime checker caught most of it.

ThreatVectr Newsdesk· 3 min read
Full-frame edge-to-edge photoreal news-editorial image of a modern developer workstation at dusk, two large monitors glowing with abstract code, a translucent s
Share

Key points

  • Researchers at the Hong Kong University of Science and Technology showed that malicious add-on "skills" for AI coding agents can slip past every scanner they tested.
  • Their strongest evasion technique, which they call SkillCloak, worked more than 90% of the time against static scanning tools.
  • The same team built a runtime checker that spots most of the hidden malware once it actually runs.
  • The finding raises fresh questions about how software companies vet third-party plug-ins for AI assistants used by developers.

AI coding agents are helpers that write and edit computer code for programmers. Think of them as a very fast junior developer sitting inside a software project. To make these helpers more useful, companies let outsiders publish "skills", small add-ons that plug new abilities into the agent, a bit like browser extensions plug into Chrome.

That marketplace model has an obvious problem. If anyone can publish a skill, someone will publish a bad one.

So the industry built scanners to check skills before they run, looking through the code for known signs of trouble. A new study says those scanners are easy to fool.

Researchers at the Hong Kong University of Science and Technology, first reported by The Hacker News, tested a technique they call SkillCloak. It repackages a malicious skill so the harmful instructions only unpack themselves at the moment the skill is loaded by the AI agent. The scanner, looking at the file sitting on disk, sees something that appears harmless.

In their tests, SkillCloak got past every scanner they threw it at more than 90% of the time. The malware still worked once the skill was live.

Why does this matter to people who don't write code?

Because the software your bank, your hospital and your favourite apps depend on is increasingly built with help from these AI assistants. A poisoned skill inside a developer's tool can quietly steal source code, secrets, or the keys that unlock company servers. The damage lands on customers weeks or months later, in the form of a breach.

The technique itself is not new in spirit. Malware authors have hidden their code inside self-extracting packages for decades to duck antivirus checks. What is new is that the same trick works against the fresh crop of tools built specifically to police AI skill marketplaces.

The researchers did not just point at the problem. They built a defensive tool that watches skills as they run and flags suspicious behaviour in real time. It catches most, though not all, of the packed malware their own attack produced.

That gap matters. Runtime detection means the malware has already started executing on a developer's machine before the alarm rings. Static scanning was supposed to stop it at the door.

What should developers and companies do now?

Treat every third-party AI skill the way you would treat a random browser extension from an unknown publisher: with suspicion. Install only what you need. Prefer skills from known vendors with a track record.

Security teams should assume the pre-publication scan is not the last line of defence. Watch what skills actually do once loaded: which files they read, which servers they contact, which credentials they touch.

The study also lands as regulators start paying attention to AI supply chain risk. The US executive order on AI and the EU AI Act both push providers toward stronger vetting of components. Expect that pressure to sharpen if a real-world SkillCloak-style attack shows up in the wild.

For now, the paper is a warning shot. The scanners guarding the front door of the AI skill ecosystem can be walked past. The industry has some work to do before the door is worth locking.

© 2026 Threat Vectr