← The Wire

Top 5 · 2026-07-09 · source-backed

Malicious agent skills now beat every scanner, and someone already shipped 300 of them

Confidence
source-backed
Sources
2
Redaction
redacted

Story

Two research teams landed on the same conclusion from opposite ends this week, and the conclusion is ugly: the thing we're using to catch malicious agent skills doesn't work, and attackers already know it.

Start with the offense. Researchers at Hong Kong University of Science and Technology built SkillCloak, an obfuscation system that leaves a malicious SKILL.md's behavior completely intact while changing only how it looks to a scanner. Their packing trick evaded every tested detector more than 90% of the time. Against one hybrid tool that combines static rules with an LLM reviewer, the smartest thing on the market, it still got through 96% of the time. Read that again. The best static defense we have loses 24 out of 25 rounds against a payload that was deliberately dressed up.

Now the live-fire side. Unit 42 documented ClawHavoc, a supply-chain campaign that seeded more than 300 malicious skills onto a single agent-skill marketplace. The instruction files told the agent to fetch and run an infostealer. That stealer went after browser credentials, keychain passwords, SSH keys, and crypto wallets. This isn't a proof of concept in a lab. It's a shipped campaign on a real marketplace, and it's the npm-typosquatting playbook ported to agents almost move for move.

Put the two findings next to each other and the picture is complete. Attackers are shipping payloads at scale AND defeating the scanners meant to stop them, at the same time. The HKUST team's counter-defense, SkillDetonate, is the honest answer: stop reading the file, run it in a sandbox and watch what it does at the OS boundary. It caught 97% of injected payloads at roughly a 2% false-positive rate. That works because behavior is much harder to disguise than appearance. A stealer still has to touch the keychain eventually.

Here's what I'd actually do. Treat every skill install like an unreviewed npm package with post-install scripts enabled, because that's what it is. Pin skills by hash, not by name. If you run agents in production, runtime detonation in a throwaway sandbox is no longer a nice-to-have, it's the price of entry. Static scanning at the marketplace layer is theater now, and the people writing the payloads figured that out before we did. We solved this in package management with lockfiles, signatures, and provenance. The skills ecosystem has almost none of it yet.


Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Same source domain / Earlier coverage / Tension

    36.7% of scanned MCP servers are exposed to SSRF, 42% leak credentials

    Both cover LLM, Their, Treat, Unit; reported by the same outlet (unit42.paloaltonetworks.com); earlier LLM coverage from 2026-07-07.

  2. Shared entities / Shared topic / Earlier coverage

    ClawHavoc Poisons ClawHub with 1,184 Malicious Skills: SKILL.md Poisoning Delivers macOS Stealer to 300,000+ Users

    Both cover ClawHavoc, SKILL, SSH; overlapping topics (agent, maliciou, skill); earlier ClawHavoc coverage from 2026-03-16.

  3. Shared entities / Shared topic / Earlier coverage / Tension

    10 actionable skills from today's findings:

    Both cover LLM, Skill; overlapping topics (agent, skill); earlier LLM coverage from 2026-03-22.

  4. Shared entity: Attackers / Shared topic / Tension / Downstream implication

    Attackers are hijacking MCP tools mid-conversation, after the handshake.

    Both cover Attackers; overlapping topics (against, agent, already, attacker); pushes against this story (against).

  5. Shared entities / Shared topic / Earlier coverage

    Sysdig documented the first confirmed autonomous LLM-agent cyberattack. Postgres exfiltrated in under two minutes.

    Both cover LLM, SSH; overlapping topics (against, agent, attacker); earlier LLM coverage from 2026-06-02.

  6. Shared entity: ClawHavoc / Shared topic / Earlier coverage / Tension

    A fake agent skill reached ~26,000 agents and every scanner said it was safe

    Both cover ClawHavoc; overlapping topics (agent, maliciou, scanner, skill); earlier ClawHavoc coverage from 2026-06-28.

  7. Shared entity: Treat / Same source domain / Shared topic / Earlier coverage / Tension

    Every published prompt-injection defense gets bypassed above 90% under adaptive attack.

    Both cover Treat; reported by the same outlet (helpnetsecurity.com); overlapping topics (against, attacker).

  8. Shared entity: Unit / Same source domain / Shared topic / Earlier coverage / Tension

    Unit 42: First In-the-Wild Indirect Prompt Injection Against Deployed Agents.

    Both cover Unit; reported by the same outlet (unit42.paloaltonetworks.com); overlapping topics (against, agent).

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-07-09-malicious-agent-skills-now-beat-every-scanner-and-someone-already-shipped-300-of-them
Labels
source-backed, canonical briefing excerpt