system: OPERATIONAL
← back to all hacks
SUPPLY CHAIN MEDIUM NEW

Skill scanners bypassed: why static checks miss malicious skills

Trail of Bits slipped four malicious skills past ClawHub, Cisco's scanner, and skills.sh in under an hour each. The lesson: a static scanner can't be the trust boundary for agent skills.

2026-07-16 // 6 min affects: agent-skills, claude-code, openclaw, codex, gemini-cli

What is this?

On June 3, 2026, Trail of Bits researchers Samuel Judson and Tjaden Hess published a study showing they bypassed every major skill scanner they tested: OpenClaw’s ClawHub detector (backed by VirusTotal and a GPT-5.5 guard model), Cisco’s open-source skill-scanner, and all three scanners wired into Vercel’s skills.sh (Gen, Socket, and Snyk).

An agent skill is a packaged bundle of natural-language instructions (a SKILL.md prompt) plus code and assets that agents such as Claude Code, Codex, and OpenClaw load to extend their behavior. As public marketplaces filled with credential-stealing and agent-hijacking skills, a new product category appeared to vet a skill before install. The finding is blunt: the scanners don’t work. Three of the four malicious proof-of-concept skills took under an hour to build, and all are public in trailofbits/overtly-malicious-skills.

How it works

The research documents four structural bypasses, each exploiting a different blind spot rather than any single product bug.

Truncation by padding. Prepending roughly 100,000 newlines between harmless boilerplate and the malicious content pushed the payload past the point where ClawHub’s guard model truncated its input. The file scanned “clean” because the scanner never read the dangerous part; VirusTotal’s model was similarly confused, and in the web UI the extra scroll is easy to miss.

Packaging indirection. A SKILL.md instructs the agent to extract its “real” instructions from a bundled .docx — which is just a ZIP of XML carrying a hidden script. Pattern-matchers see a formatting helper, not the payload riding along in the archive.

Source/artifact mismatch. A benign Python source file ships next to a precompiled .pyc whose bytecode contains extra behavior — reading environment variables for later exfiltration. Scanners that read only source, or treat binaries as opaque, never see it. This is the classic xz-utils pattern: the shipped artifact differs from the reviewed source.

Prompt-injection misdirection. A skill that reconfigures npm and yarn to an attacker-controlled registry, dressed up in the language of a “corporate mirror” behind a VPN and an “AppSec-audited allowlist,” convinced the LLM analyzers the change was routine. With Claude Sonnet 4.6, Cisco’s tool flagged the alternate registry only as LOW and still declared the skill safe.

The unifying weakness is that a static scanner is a fixed target: the attacker moves second, tweaking an attack in a tight loop until something passes. Trail of Bits underline the mirror-image problem with an honest example — Anthropic’s official Office skills legitimately use LD_PRELOAD to patch a compiled shim around a sandbox socket block, behavior indistinguishable, to a scanner, from an attack.

Why it matters

Skills are a new supply-chain dependency sitting beside package managers, but with a broader attack surface: they mix code, binaries, assets, and natural-language instructions that can execute or exfiltrate. A single one-click install from a public marketplace can hand both the agent and its host to an attacker. Because inference is expensive, scanners lean on weaker models and truncated context — exactly the seams these bypasses exploit. And because an instruction can be benign in one environment and malicious in another, no static verdict can be sound. A green checkmark manufactures false confidence that is arguably worse than no check at all.

Defenses

Don’t outsource trust to a scanner. Treat public skill repositories as untrusted code, especially for agents operating in sensitive contexts. A “passed” scan is not an assurance of safety.

Curate and pin. Prefer vetted, curated collections (for example anthropics/skills or trailofbits/skills-curated), pin to specific commits, and control who can introduce or update a skill — the same discipline you apply to any dependency.

Constrain the package format. Disallow un-scannable artifacts: no binaries, no precompiled bytecode, an explicit file-type allowlist, and validation against the skill specification. Trail of Bits’ PR to Cisco’s scanner adds a strict format-validation mode that rejects exactly the bytecode vector above.

Enforce at runtime, not just at intake. Static analysis can’t see behavior. Pair it with least privilege, network egress control, and sandboxing so that a malicious skill’s blast radius stays small even when it slips through.

Keep the surface small and human-reviewed. Fewer skills, from known sources, reviewed by people rather than by a scanner verdict, is the durable model until the ecosystem matures.

Status

ItemDetail
Scanners bypassedClawHub (OpenClaw + VirusTotal), Cisco skill-scanner, skills.sh (Gen, Socket, Snyk)
TechniquesNewline-padding truncation, .docx indirection, .pyc bytecode mismatch, prompt-injection misdirection
Effort3 of 4 skills built in under an hour
DisclosureTrail of Bits (S. Judson, T. Hess), June 3, 2026
HardeningToB PR #25 adds strict format validation to Cisco’s scanner
CVENone — structural design finding

Sources