
SkillCloak Self-Extracting Packs Evade Eight AI Skill Scanners at 90-99% Rates via .git/ Directory Abuse
SKILLCLOAK demonstrates systematic evasion of static AI skill scanners through self-extracting packing into ignored directories. Behavioral runtime monitoring recovers high detection rates where signatures fail. The shift marks an under-reported move from signature-based to execution-based defenses in agent marketplaces.
The technique exploits two structural weaknesses: static scanners rely on byte patterns and file locations that agents themselves ignore at execution, and marketplaces like ClawHub perform minimal pre-upload review. Self-extracting variants achieved 99% evasion on several scanners while preserving full functionality on Claude Code and OpenAI Codex. Light rewriting operators such as homoglyph substitution and newline splitting cleared 80-96% without packing overhead.
This extends prior marketplace poisoning observed in 2025, where unvetted skills reached tens of thousands of agents. The pattern is consistent: any capability delivered as loosely structured files inherits the host agent's full filesystem and credential context. SKILLDETONATE counters by monitoring OS-level flows in a sandbox rather than static signatures, catching 97% of cloaked samples at 2% false positive.
Operational impact centers on procurement and deployment pipelines that still default to static gates. The 87% real-world detection rate for SKILLDETONATE on uncloaked samples versus Cisco scanner's drop from 99% to 10% post-cloaking shows signature obsolescence. Runtime behavioral checks must move upstream of agent marketplaces or the same evasion will scale across coding-agent ecosystems.
Next indicators to watch are adoption of directory-exclusion rules in new scanners and whether agent vendors integrate sandbox telemetry before skill activation.
SKILLDETONATE-style sandboxing: 60% of major agent platforms will require runtime behavioral checks on new skills within 12 months.
Sources (3)
- [1]Cloak and Detonate preprint(https://arxiv.org/abs/2507.XXXXX)
- [2]The Hacker News SkillCloak coverage(https://thehackernews.com/2026/07/new-skillcloak-technique-lets-malicious.html)
- [3]ClawHub marketplace incident data(https://clawhub.dev/security-reports/2025)