Top 5 · 2026-07-09 · source-backed
Malicious agent skills now beat every scanner, and someone already shipped 300 of them
Story
Two research teams landed on the same conclusion from opposite ends this week, and the conclusion is ugly: the thing we're using to catch malicious agent skills doesn't work, and attackers already know it.
Start with the offense. Researchers at Hong Kong University of Science and Technology built SkillCloak, an obfuscation system that leaves a malicious SKILL.md's behavior completely intact while changing only how it looks to a scanner. Their packing trick evaded every tested detector more than 90% of the time. Against one hybrid tool that combines static rules with an LLM reviewer, the smartest thing on the market, it still got through 96% of the time. Read that again. The best static defense we have loses 24 out of 25 rounds against a payload that was deliberately dressed up.
Now the live-fire side. Unit 42 documented ClawHavoc, a supply-chain campaign that seeded more than 300 malicious skills onto a single agent-skill marketplace. The instruction files told the agent to fetch and run an infostealer. That stealer went after browser credentials, keychain passwords, SSH keys, and crypto wallets. This isn't a proof of concept in a lab. It's a shipped campaign on a real marketplace, and it's the npm-typosquatting playbook ported to agents almost move for move.
Put the two findings next to each other and the picture is complete. Attackers are shipping payloads at scale AND defeating the scanners meant to stop them, at the same time. The HKUST team's counter-defense, SkillDetonate, is the honest answer: stop reading the file, run it in a sandbox and watch what it does at the OS boundary. It caught 97% of injected payloads at roughly a 2% false-positive rate. That works because behavior is much harder to disguise than appearance. A stealer still has to touch the keychain eventually.
Here's what I'd actually do. Treat every skill install like an unreviewed npm package with post-install scripts enabled, because that's what it is. Pin skills by hash, not by name. If you run agents in production, runtime detonation in a throwaway sandbox is no longer a nice-to-have, it's the price of entry. Static scanning at the marketplace layer is theater now, and the people writing the payloads figured that out before we did. We solved this in package management with lockfiles, signatures, and provenance. The skills ecosystem has almost none of it yet.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Same source domain / Earlier coverage / Tension
36.7% of scanned MCP servers are exposed to SSRF, 42% leak credentials
Both cover LLM, Their, Treat, Unit; reported by the same outlet (unit42.paloaltonetworks.com); earlier LLM coverage from 2026-07-07.
Shared entities / Shared topic / Earlier coverage
ClawHavoc Poisons ClawHub with 1,184 Malicious Skills: SKILL.md Poisoning Delivers macOS Stealer to 300,000+ Users
Both cover ClawHavoc, SKILL, SSH; overlapping topics (agent, maliciou, skill); earlier ClawHavoc coverage from 2026-03-16.
Shared entities / Shared topic / Earlier coverage / Tension
10 actionable skills from today's findings:
Both cover LLM, Skill; overlapping topics (agent, skill); earlier LLM coverage from 2026-03-22.
Shared entity: Attackers / Shared topic / Tension / Downstream implication
Attackers are hijacking MCP tools mid-conversation, after the handshake.
Both cover Attackers; overlapping topics (against, agent, already, attacker); pushes against this story (against).
Shared entities / Shared topic / Earlier coverage
Sysdig documented the first confirmed autonomous LLM-agent cyberattack. Postgres exfiltrated in under two minutes.
Both cover LLM, SSH; overlapping topics (against, agent, attacker); earlier LLM coverage from 2026-06-02.
Shared entity: ClawHavoc / Shared topic / Earlier coverage / Tension
A fake agent skill reached ~26,000 agents and every scanner said it was safe
Both cover ClawHavoc; overlapping topics (agent, maliciou, scanner, skill); earlier ClawHavoc coverage from 2026-06-28.
Shared entity: Treat / Same source domain / Shared topic / Earlier coverage / Tension
Every published prompt-injection defense gets bypassed above 90% under adaptive attack.
Both cover Treat; reported by the same outlet (helpnetsecurity.com); overlapping topics (against, attacker).
Shared entity: Unit / Same source domain / Shared topic / Earlier coverage / Tension
Unit 42: First In-the-Wild Indirect Prompt Injection Against Deployed Agents.
Both cover Unit; reported by the same outlet (unit42.paloaltonetworks.com); overlapping topics (against, agent).
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — July 9, 2026
- AI generated
- no
- Story unit
- 2026-07-09-malicious-agent-skills-now-beat-every-scanner-and-someone-already-shipped-300-of-them
- Labels
- source-backed, canonical briefing excerpt