Static scanners miss repacked agent-skill malware — runtime auditing catches it
A July 2026 study shows adaptive repacking bypasses over 90% of agent-skill scanners, and argues behavioral runtime auditing, not appearance checks, is what actually detects the malware.
What is this?
LLM coding agents increasingly install third-party agent skills — reusable bundles that package operational know-how — from public marketplaces. Those skills run with the agent’s own privileges: file access, shell, and network. That makes a malicious skill a supply-chain problem, able to steal credentials, exfiltrate source code, or drop a backdoor. The current line of defence is a static skill scanner: a tool that reads the skill before it runs and flags dangerous patterns, either by pattern matching or by asking an LLM to judge the text.
A paper published on arXiv on 2 July 2026, Cloak and Detonate: Scanner Evasion and Dynamic Detection of Agent Skill Malware (arXiv:2607.02357), tests whether that defence actually holds. Its answer is that appearance-based scanning is not enough — an attacker who keeps the malicious behaviour but changes how the payload looks slips past almost every scanner — and it proposes moving detection from what a skill looks like to what it does when it runs.
How it works
The study frames the problem as an adversarial one: the defender’s scanner moves first, the attacker adapts second. It builds a payload-preserving transformation framework (the authors call it SkillCloak) that leaves the attack semantics intact while rewriting its visible form, using two complementary ideas.
The first is structural obfuscation: visible indicators of a payload are rewritten into semantically equivalent forms that no longer match the scanner’s expected signatures, without changing what the skill ultimately does. The second, and more effective, is self-extracting packing: the malicious components are hidden from the install-time view a scanner inspects, and only reconstructed at agent-execution time. Because the scanner never sees the real payload, it has nothing to flag.
Evaluated across eight scanners and 1,613 in-the-wild malicious skills, the packing strategy bypassed every scanner at over 90%, and the obfuscation strategy bypassed more than 80% on most static scanners — reaching 96% against a hybrid scanner. The lesson the authors draw is structural, not incidental: any defence that reasons about a skill’s appearance at install time is inspecting the wrong thing, because appearance is exactly what an adaptive attacker can cheaply change. This mirrors related June 2026 work on undetectable, position-aware skill injection (arXiv:2606.07943), which independently found that install-time review can be evaded while behaviour is preserved.
The paper does not release a working attack toolkit as an operational weapon; it uses the evasion study to justify a defence, described next.
Why it matters
The result matters because it undercuts a control many teams are currently relying on. If your pipeline gates skill installation on a static scan — pattern rules or an LLM judge reading the SKILL.md and its files — this work indicates that a determined attacker can pass that gate while shipping the same credential-stealer or exfiltration routine. And the population at risk is large and growing: agent skills execute with real privilege, are installed with little mandatory review, and public registries have expanded rapidly, so the number of skills a scanner would have to vet honestly is enormous. An evasion that works at over 90% is not a corner case; it is the expected outcome against an adaptive adversary.
This is a measurement-and-defence study rather than a report of a specific breach, and there is no CVE attached. But it is grounded in real malicious samples, not synthetic ones, which is what makes the evasion numbers hard to dismiss.
Defenses
The paper’s central recommendation is to stop trusting appearance and start observing behaviour.
Audit behaviour at runtime, not text at install time. The authors propose a behaviour-centric auditor (SkillDetonate) that executes a skill inside a sandbox and looks for malicious effects at the operating-system boundary — what files, processes, and network operations the skill actually touches — rather than judging how its source looks. Against the same corpus this approach detected 97% of attacks at a 2% false-positive rate, and sustained 87% detection on real-world malicious skills.
Track sensitive-data flows with taint analysis. Marker-based taint tracking follows sensitive data across the agent’s context, files, processes, and network calls, so an exfiltration attempt is caught by the flow it creates even when the code that performs it was hidden until execution.
Observe what execution materializes. Because self-extracting packing only reveals the payload at run time, a defender needs to capture the instructions that appear during execution — the paper calls this on-demand closure lift — rather than only the static bytes present at install.
Keep static scanning, but only as one layer. Static scanners still cheaply catch unsophisticated skills; the failure is relying on them alone. Pair them with sandboxed runtime detonation and least-privilege execution so that a skill which evades the reader still has to survive being watched while it runs.
Constrain privilege regardless of verdict. Run skills with the minimum file, shell, and network authority they need. Runtime auditing raises the odds of catching a malicious skill; least privilege limits the damage of one that is missed.
Status
| Aspect | Detail |
|---|---|
| Source | Cloak and Detonate: Scanner Evasion and Dynamic Detection of Agent Skill Malware (arXiv:2607.02357), submitted 2 July 2026 |
| Class | Supply-chain security of agent-skill marketplaces — scanner evasion and runtime detection |
| Evasion result | Self-extracting packing bypassed all 8 scanners tested at >90%; obfuscation >80% on most, up to 96% on a hybrid scanner (1,613 in-the-wild malicious skills) |
| Detection result | Behaviour-centric runtime auditing: 97% detection at 2% false positives; 87% on real-world malicious skills |
| Related work | Position-aware undetectable skill injection (arXiv:2606.07943) |
| Nature | Research finding — no CVE; adaptive-evasion study motivating a runtime defence |