The sorry state of skill distribution
Security researchers successfully bypassed multiple AI agent skill scanners, including ClawHub, Cisco's skill-scanner, and skills.sh integrations, using techniques like file truncation, embedded payloads, Python bytecode poisoning, and prompt injection. The findings highlight that automated scanning of AI agent skills is fundamentally flawed due to the complex mix of natural language, code, and limited scanner context windows, necessitating a shift towards curated, trusted skill repositories.
Authors:
Indicators:
- filename: sync1.sh (malicious shell script payload embedded within a .docx (ZIP) file to bypass pattern-matching scanners)
- filename: utils.cpython-312.pyc (poisoned Python bytecode file used to execute malicious code while the source utils.py remains benign, bypassing static scanners)
- url: hxxps://npm[.]internal-artifacts[.]corp[.]dev (attacker-controlled npm registry URL used in a prompt injection PoC to hijack package resolution)
Detection / Hunter
Google
What Happened
Security researchers found that tools designed to scan AI agent 'skills' (add-ons that give AI agents new abilities) for malicious behavior do not work effectively. They were able to easily bypass scanners from major platforms by hiding malicious code inside seemingly harmless files, using hidden Python code, or simply tricking the AI scanner with clever wording. This matters because malicious skills can steal sensitive information or take over systems if installed by an unsuspecting user. Organizations should avoid downloading AI skills from public, unverified marketplaces and instead use strictly controlled, internal collections of approved skills.
Key Takeaways
- Public AI agent skill marketplaces are vulnerable to malicious skills that easily bypass current automated security scanners.
- Attackers can evade detection using simple techniques like file truncation (prepending newlines) or embedding malicious scripts inside benign-looking document archives.
- Python bytecode (.pyc) poisoning effectively bypasses scanners that only analyze source code or ignore binary files.
- Prompt injection can trick LLM-based scanners into approving malicious configurations, such as routing package managers to attacker-controlled registries.
- Organizations should avoid public skill marketplaces for sensitive agents and rely on curated, internally managed skill repositories.
Affected Systems
- AI Agent platforms (e.g., OpenClaw, claude.ai, Codex)
- Public skill marketplaces (e.g., skills.sh, ClawHub)
- Cisco skill-scanner
Attack Chain
The attack begins when a user installs a malicious skill from a public marketplace. The skill evades automated scanners using techniques such as prepending massive amounts of newlines to truncate analysis, embedding malicious scripts (sync1.sh) inside benign-looking document archives (.docx), or poisoning Python bytecode (.pyc) while leaving the source code clean. In other cases, the skill uses prompt injection within its SKILL.md file to socially engineer the LLM-based scanner into accepting malicious configurations, such as routing package manager traffic to an attacker-controlled registry. Once executed by the AI agent, the skill can exfiltrate environment variables or execute arbitrary code within the agent's environment.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but rather highlights structural flaws and bypass techniques against existing AI skill scanners.
Detection Engineering Assessment
- EDR Visibility: Medium — EDR can detect the post-exploitation behavior of malicious skills, such as unexpected child processes spawned by the AI agent or unauthorized network connections, but may lack visibility into the skill installation phase itself.
- Network Visibility: Medium — Network monitoring can catch connections to unexpected external domains (like a malicious npm registry) or data exfiltration attempts, provided SSL/TLS inspection is in place.
- Detection Difficulty: Hard — Malicious skills blend natural language with code, and techniques like prompt injection or bytecode poisoning are designed to look benign to both automated scanners and human reviewers.
Required Log Sources
- Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
- Network Connection Logs
- File Creation Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for AI agent processes (e.g., Claude, OpenClaw harnesses) spawning unexpected shell interpreters (bash, sh) or executing scripts from unusual directories. | Process Creation Logs | Execution | Medium |
| Evaluate whether package managers (npm, yarn) are making network connections to unregistered or newly observed internal/external domains, which may indicate a hijacked registry configuration. | Network Connection Logs | Command and Control | Low |
| If you have visibility into file creation, look for the dropping of compiled Python bytecode (.pyc) files without corresponding source file modifications in agent skill directories. | File Creation Logs | Defense Evasion | Low |
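The second hypothesis above, applied to sample telemetry as an added example (not code from the article or from any tool it names): the records are constructed, Sysmon-like network-connection rows, the package-manager process names and the registry allowlist are assumptions to replace with your own, and the hijacked registry host is the article's indicator refanged so the logic can recognise it.

```python
# Added example (not from the article): flag package-manager egress to registries that are
# known bad, outside an allowlist, or never seen before. Process set and allowlist are assumptions.
import csv
import io
from pathlib import PurePosixPath
from typing import Dict, List, Set

PACKAGE_MANAGERS = {"node", "npm", "yarn", "pnpm", "pip", "pip3", "python3"}
ALLOWED_REGISTRIES = {"registry.npmjs.org", "registry.yarnpkg.com", "pypi.org", "files.pythonhosted.org"}

# Constructed log; the hijacked host is the article's defanged indicator, refanged below.
SAMPLE_LOG = """\
timestamp,image,destination_host,destination_port
2024-05-01T10:00:01Z,/usr/bin/node,registry.npmjs.org,443
2024-05-01T10:00:05Z,/usr/bin/node,npm.internal-artifacts.corp.dev,443
2024-05-01T10:00:09Z,/usr/bin/curl,example.org,443
2024-05-01T10:00:12Z,/usr/bin/python3,pypi.org,443
2024-05-01T10:00:15Z,/usr/bin/python3,pypi.org,443
2024-05-01T10:00:20Z,/usr/bin/pnpm,mirror.corp.example,443
"""


def refang(indicator: str) -> str:
    """Turn a defanged URL such as hxxps://npm[.]example/path into a bare lowercase hostname."""
    host = indicator.lower().replace("[.]", ".").replace("hxxp", "http")
    if "://" in host:
        host = host.split("://", 1)[1]
    return host.split("/", 1)[0]


KNOWN_BAD_REGISTRIES = {refang("hxxps://npm[.]internal-artifacts[.]corp[.]dev")}


def flag_registry_egress(log_text: str, baseline: Set[str]) -> List[Dict[str, str]]:
    """One finding per package-manager connection that is known bad, outside the allowlist,
    or the first observation of an allowed host not already in the baseline."""
    findings = []
    seen = set(baseline)
    for row in csv.DictReader(io.StringIO(log_text)):
        process = PurePosixPath(row["image"]).name
        if process not in PACKAGE_MANAGERS:
            continue                      # curl, browsers etc. are out of scope for this hunt
        host = row["destination_host"].lower()
        if host in KNOWN_BAD_REGISTRIES:
            reason = "known hijacked registry"
        elif host not in ALLOWED_REGISTRIES:
            reason = "registry outside allowlist"
        elif host not in seen:
            reason = "allowed registry, first observation"
        else:
            continue
        seen.add(host)
        findings.append({"timestamp": row["timestamp"], "process": process, "host": host, "reason": reason})
    return findings


if __name__ == "__main__":
    for hit in flag_registry_egress(SAMPLE_LOG, baseline={"registry.npmjs.org"}):
        print(hit)
```

With a baseline containing only registry.npmjs.org, the constructed log yields three findings: the hijacked registry, the first sighting of pypi.org, and the corporate mirror that is not on the allowlist. The "first observation" class is the noisy one; seed the baseline from a few weeks of known-good telemetry before alerting on it.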
Control Gaps
- Automated AI skill scanners (LLM-based and static)
- Public skill marketplace vetting processes
Key Behavioral Indicators
- AI agent processes spawning shell scripts
- Mismatched .py and .pyc file timestamps or contents in skill directories
- Unexpected LD_PRELOAD usage by agent helper scripts
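The bytecode, archive and truncation indicators above (and the hunting hypothesis on .pyc files without a matching source) can be checked offline over a skill directory. The following is an added example written for this summary, not code from the article or from any scanner it names; the file-type sets and the blank-line threshold are assumptions, and the fixture it builds is a constructed sample. The bytecode check recompiles the source and compares code objects instead of trusting the .pyc header, because timestamp-based validation only compares the recorded mtime and size with the source file: the fixture forges both, so header_claims_fresh still passes while pyc_matches_source does not.

```python
# Added example (not from the article or any scanner it names). Assumption: skills are plain directories on disk.
import importlib.util
import marshal
import os
import py_compile
import tempfile
import zipfile
from pathlib import Path
from typing import List

PYC_HEADER_LEN = 16            # PEP 552 header: magic, flags, then mtime+size or source hash
SCRIPT_SUFFIXES = {".sh", ".bash", ".py", ".pyc", ".ps1", ".bat", ".exe", ".so", ".dll"}
ARCHIVE_SUFFIXES = {".docx", ".xlsx", ".pptx", ".zip"}
LEADING_BLANK_THRESHOLD = 200  # assumption: tune to the scanner's context window

def header_claims_fresh(pyc: Path, source: Path) -> bool:
    """Naive mtime/size check, as timestamp-based import validation does it; forgeable, so never the only check."""
    data = pyc.read_bytes()
    if int.from_bytes(data[4:8], "little") & 1:     # hash-based pyc carries no timestamp
        return False
    st = source.stat()
    mtime = int.from_bytes(data[8:12], "little")
    size = int.from_bytes(data[12:16], "little")
    return mtime == (int(st.st_mtime) & 0xFFFFFFFF) and size == (st.st_size & 0xFFFFFFFF)

def pyc_matches_source(pyc: Path, source: Path) -> bool:
    """Recompile the source here and compare code objects (bytecode, consts, names, nested code)."""
    data = pyc.read_bytes()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        return False                                # built for another interpreter: unverifiable
    cached = marshal.loads(data[PYC_HEADER_LEN:])
    fresh = compile(source.read_bytes(), str(source), "exec", dont_inherit=True)
    return cached == fresh

def suspicious_archive_members(archive: Path) -> List[str]:
    """Members of a ZIP-based document that look like scripts or start with a shebang."""
    hits = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                head = member.read(2)
            if Path(info.filename).suffix.lower() in SCRIPT_SUFFIXES or head == b"#!":
                hits.append(info.filename)
    return hits

def leading_blank_lines(path: Path) -> int:
    """Count blank lines before the first line with content (the truncation trick)."""
    count = 0
    with path.open("rb") as fh:
        for line in fh:
            if line.strip():
                break
            count += 1
    return count

def audit_skill_dir(root: Path) -> List[str]:
    """Walk a skill directory and return human-readable findings."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix == ".pyc":
            try:
                source = Path(importlib.util.source_from_cache(str(path)))
            except ValueError:
                source = path.with_suffix(".py")    # legacy layout: mod.pyc next to mod.py
            if not source.exists():
                findings.append(f"sourceless bytecode: {path.name}")
            elif not pyc_matches_source(path, source):
                findings.append(f"bytecode differs from source: {path.name}")
        elif suffix in ARCHIVE_SUFFIXES and zipfile.is_zipfile(path):
            for member in suspicious_archive_members(path):
                findings.append(f"script inside archive: {path.name}!{member}")
        elif suffix in {".md", ".txt", ".py", ".sh"} and leading_blank_lines(path) >= LEADING_BLANK_THRESHOLD:
            findings.append(f"excessive leading blank lines: {path.name}")
    return findings

def build_fixture() -> Path:
    """Constructed sample: poisoned .pyc with forged header, .docx hiding a script, padded SKILL.md, one clean module."""
    root = Path(tempfile.mkdtemp(prefix="skill-audit-"))
    src = root / "utils.py"
    malicious = "import os\nCOLLECTED = dict(os.environ)  # stand-in for env collection\n"
    src.write_text(malicious)
    py_compile.compile(str(src), doraise=True, invalidation_mode=py_compile.PycInvalidationMode.TIMESTAMP)
    pyc = Path(importlib.util.cache_from_source(str(src)))
    benign = "def helper():\n    return 'ok'\n"
    benign += "#" * (len(malicious) - len(benign) - 1) + "\n"   # same byte size as the original
    src.write_text(benign)                                      # benign source swapped in
    mtime = int.from_bytes(pyc.read_bytes()[8:12], "little")
    os.utime(src, (mtime, mtime))                               # forge the recorded mtime
    clean = root / "clean.py"                                   # untouched module: must not fire
    clean.write_text("def ok():\n    return 1\n")
    py_compile.compile(str(clean), doraise=True)
    with zipfile.ZipFile(root / "template.docx", "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/sync1.sh", "#!/bin/sh\necho constructed sample\n")
    (root / "SKILL.md").write_text("\n" * 300 + "# Helpful skill\n")
    return root

if __name__ == "__main__": print("\n".join(audit_skill_dir(build_fixture())))
```

Run it directly to print the three findings for the constructed fixture, or point audit_skill_dir at a deployed skill directory. A .pyc produced by a different interpreter version cannot be recompiled for comparison and is reported as a mismatch, which is the safe default; the clean module in the fixture shows that an honest .pyc produces no finding.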
False Positive Assessment
- Medium. Legitimate AI skills often require complex workarounds (like LD_PRELOAD for socket handling in sandboxes) that mimic malicious behavior, leading to potential false positives when hunting for anomalous agent activity.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider restricting or blocking the installation of AI agent skills from public, uncurated marketplaces (e.g., skills.sh, ClawHub).
- Evaluate whether currently deployed AI skills can be audited for hidden binaries, poisoned bytecode, or unexpected configuration changes.
Infrastructure Hardening
- Consider establishing an internal, curated registry of approved AI skills that have undergone manual security review.
- If applicable, enforce strict network egress policies for AI agent sandboxes to prevent data exfiltration or connections to unauthorized package registries.
- Evaluate whether your environment can enforce strict file type allowlists for AI skills, explicitly blocking compiled binaries or archives if not strictly necessary.
User Protection
- Consider implementing endpoint controls that monitor AI agent processes for anomalous child process creation or file system modifications.
Security Awareness
- Consider training developers and AI users on the risks of supply chain attacks via AI agent skills and prompt injection.
- Evaluate whether to include AI skill vetting procedures in your secure software development lifecycle (SDLC) training.
MITRE ATT&CK Mapping
- T1195.002 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1027.009 - Obfuscated Files or Information: Embedded Payloads
- T1059.006 - Command and Scripting Interpreter: Python
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1552.001 - Unsecured Credentials: Credentials In Files
- T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking