Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Multiple PHP Vulnerabilities Allow DoS and Memory Corruption Attacks
July 6, 2026
Critical ModSecurity Flaws Let Attackers Bypass Firewall Rules
July 6, 2026
Moody Bible Institute Data Breach Exposes 2.3 Million Users’ Personal Data
July 6, 2026
Home/Threats/Agent Skill Malware Targets AI Models Claude and OpenAI Codex
Threats

Agent Skill Malware Targets AI Models Claude and OpenAI Codex

Key Takeaways A novel malware variant, dubbed “Agent Skill Malware,” is actively bypassing security measures designed to protect AI coding assistants like Claude Code and OpenAI Codex....

Emy Elsamnoudy
Emy Elsamnoudy
July 6, 2026 5 Min Read
4 0

Key Takeaways

  • A novel malware variant, dubbed “Agent Skill Malware,” is actively bypassing security measures designed to protect AI coding assistants like Claude Code and OpenAI Codex.
  • The threat leverages “agent skills,” which are essentially plugins, to execute malicious code with the same privileges as the AI agent, enabling data theft.
  • Researchers developed techniques, Structural Obfuscation and Self-Extracting Skill Packing, that allowed malware to evade detection by eight widely used scanners in over 90% of cases.
  • The “ClawHavoc” campaign serves as a real-world example, having deployed hundreds of poisoned skills to steal credentials and cryptocurrency wallet data.
  • Defenders are advised to adopt behavior-based monitoring, sandboxing, and strict privilege limitations for AI agents and their loaded skills.

Agent Skill Malware Evades AI Coding Assistant Defenses

A sophisticated new strain of malicious software is circumventing the established security protocols intended to safeguard prominent artificial intelligence coding assistants. This malware, termed “Agent Skill Malware,” is specifically designed to exploit “agent skills,” which are modular add-on packages utilized by platforms such as Claude Code and OpenAI Codex.

Table Of Content

  • Key Takeaways
  • Agent Skill Malware Evades AI Coding Assistant Defenses
  • Evasion Techniques and Alarming Efficacy
  • The Real-World Threat: ClawHavoc Campaign
  • What You Should Do

Cybersecurity researchers have identified that malware embedded within these agent skills can be cleverly restructured. This allows the malicious payloads to bypass automated security scanners while retaining their full operational capabilities. Agent skills function akin to plugins, empowering AI coding agents with new functionalities on demand. These typically comprise a directory containing natural language instructions, executable scripts, and supplementary files.

The ease of creating and distributing these packages has led to their rapid proliferation. A single marketplace, for instance, reported hosting over 40,000 skills within months of the format’s introduction in late 2025. This rapid expansion has unfortunately created a significant attack surface. An agent skill operates with the same access privileges as the AI agent that loads it, granting it potential access to a developer’s local files, stored credentials, and linked accounts.

Threat actors have already capitalized on this vulnerability. Malicious skills, masquerading as helpful utilities, have been deployed to exfiltrate browser credentials, SSH keys, and even sensitive cryptocurrency wallet data.

Evasion Techniques and Alarming Efficacy

Researchers from Arxiv said in a report that they meticulously documented their direct assessment of this threat. They engineered a tool named SkillCloak to determine the effectiveness of existing skill scanners against expertly concealed malware. The findings were stark: across eight commonly deployed scanners and a dataset of over 1,600 authentic malicious skills acquired from active campaigns, the camouflaged versions evaded detection almost universally.

Crucially, the research team confirmed that the obfuscation process did not impair the malware’s functionality. When the disguised skills were executed by actual coding agents, the malicious code performed precisely as intended, indicating that attackers incur no operational penalty by cloaking their payloads.

The evasion strategy primarily employs two distinct methods. The first, termed Structural Obfuscation, involves transforming identifiable indicators of compromise—such as suspicious commands, web addresses, or references to passwords—into syntactically equivalent forms that appear innocuous to a scanner but remain functional to a computer.

The second, and demonstrably more potent, technique is called Self-Extracting Skill Packing. Rather than merely disguising the malicious code, this approach conceals it in locations typically overlooked by scanners, such as ignored directories or scrambled data blocks. The malicious payload is only reconstructed and executed once the AI agent initiates the skill.

Because the scanner never encounters the true payload during its static analysis, it possesses minimal information to flag. Testing revealed that this packing technique defeated every examined scanner more than 90% of the time. Structural Obfuscation alone still managed to fool most tools over 80% of the time. This disparity highlights a fundamental flaw: current scanners predominantly assess a skill based on its static appearance rather than its dynamic behavior upon execution.

The Real-World Threat: ClawHavoc Campaign

This is not merely a theoretical concern. A documented campaign, known as ClawHavoc, successfully infiltrated a public marketplace with hundreds of malicious skills. Some reports indicate over 300 poisoned packages, with other analyses suggesting an even higher count within the same ecosystem. Victims who unknowingly installed these compromised skills unwittingly executed an information stealer, which silently pilfered saved login credentials, keychain passwords, and cryptocurrency wallet files.

Security experts analyzing similar incidents consistently offer the same advice: never permit an AI agent to automatically execute setup procedures from a skill without prior manual review. Furthermore, unfamiliar skills should be treated with the same caution as any unknown executable downloaded from the internet.

To address the deficiencies of conventional scanners, the researchers behind this study also developed a tool called SkillDetonate. Instead of relying on a skill’s static appearance, SkillDetonate executes the skill within a sandboxed environment, actively monitoring its behavior. This includes tracking file access, network communications, and data movement in real time. During testing, this behavior-based methodology successfully identified the vast majority of malicious skills, including those expertly disguised versions that had eluded all static scanners.

The overarching implication for users of AI coding tools is straightforward. While reviewing a skill’s code prior to installation remains important, it is no longer sufficient. Adopting practices such as running unfamiliar skills in isolated environments, diligently monitoring for unusual network activity, and imposing strict limitations on the folders and credentials an AI agent can access are now critical habits, rather than optional precautions.

What You Should Do

  • Implement Behavior-Based Monitoring: Utilize tools like SkillDetonate or similar sandboxing solutions that analyze the runtime behavior of agent skills rather than relying solely on static code analysis.
  • Exercise Extreme Caution with New Skills: Treat all unfamiliar agent skills with suspicion. Do not allow AI agents to auto-run setup steps without a thorough manual review of the skill’s underlying code and permissions.
  • Isolate AI Agent Environments: Run AI coding assistants and their loaded skills within isolated, sandboxed environments to contain potential malicious activity and prevent lateral movement.
  • Limit Agent Privileges: Configure AI agents with the principle of least privilege. Restrict their access to only the necessary files, folders, and network resources required for their intended function. Avoid granting blanket access to sensitive data or system credentials.
  • Monitor Network Activity: Implement network monitoring to detect unusual outbound connections or data exfiltration attempts originating from your AI coding assistant’s environment.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwareSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

TrojPix Attack Remotely Exfiltrates Data From Air-Gapped Computers

Next Post

Gaslight macOS Malware Evades AI Security Analysis With Prompt Injection

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Gaslight macOS Malware Evades AI Security Analysis With Prompt Injection
July 6, 2026
Agent Skill Malware Targets AI Models Claude and OpenAI Codex
July 6, 2026
TrojPix Attack Remotely Exfiltrates Data From Air-Gapped Computers
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us