New AI Agent Threat Evades Detection, Enables Credential Theft and Backdoors
A recent research paper highlights a growing cybersecurity risk in AI coding environments: malicious agent "skills" that can steal credentials, exfiltrate source code, and install backdoors all while bypassing most existing detection systems.
The study reveals that static scanners, which analyze code without executing it, are particularly vulnerable to evasion techniques. In contrast, runtime behavior auditing proves far more effective in identifying threats. The core danger lies in the structure of agent skills bundles of instructions, scripts, and resources that execute with broad privileges, often appearing benign at installation but activating malicious behavior during runtime.
To demonstrate the threat, researchers developed SKILLCLOAK, an evasion framework that obfuscates malicious payloads by rewriting suspicious elements (tokens, commands, URLs) and using self-extracting packing to conceal the true intent until execution. Testing on 1,613 real-world malicious skills showed that SKILLCLOAK evaded over 90% of surveyed scanners in some cases, without compromising the malware’s functionality. Cloaked skills operated successfully in production agents like Claude Code and Codex, maintaining normal task performance.
In response, the paper introduces SKILLDETONATE, a runtime auditor that monitors security-relevant actions such as file access, data flows, and network activity within a sandbox. On the SkillJect benchmark, it detected 96.7% of attacks with a 2% false-positive rate, remaining effective against obfuscated and packed variants.
The practical risk is a supply-chain compromise in AI coding environments. Malicious skills can extract secrets from local files, transmit them to external endpoints, or deploy persistence mechanisms on developer machines. This creates a new attack surface, particularly where third-party skills are imported with minimal review.
The paper underscores that install-time trust checks are insufficient defenders must analyze what skills do during execution, not just how they appear on disk. The findings align with prior research on malicious agent skills, indirect prompt injection, and malware evasion, suggesting this is part of a rapidly evolving attack class in AI ecosystems.
Source: https://gbhackers.com/malicious-agent-skills/
Claude Code TPRM report: https://www.rankiteo.com/company/anthropicresearch
"id": "ant1783326357",
"linkid": "anthropicresearch",
"type": "Cyber Attack",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology, Software Development',
'name': 'AI coding environments (e.g., Claude Code, '
'Codex)',
'type': 'AI Development Platforms'}],
'attack_vector': 'Malicious AI Agent Skills',
'data_breach': {'data_exfiltration': 'Yes (transmitted to external endpoints)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Credentials',
'Source code',
'Secrets']},
'description': 'A recent research paper highlights a growing cybersecurity '
"risk in AI coding environments: malicious agent 'skills' that "
'can steal credentials, exfiltrate source code, and install '
'backdoors all while bypassing most existing detection '
'systems. The study reveals that static scanners are '
'vulnerable to evasion techniques, while runtime behavior '
'auditing is more effective. Researchers developed SKILLCLOAK, '
'an evasion framework that obfuscates malicious payloads, '
'evading over 90% of surveyed scanners. The threat enables '
'supply-chain compromise in AI coding environments, extracting '
'secrets, transmitting data, or deploying persistence '
'mechanisms.',
'impact': {'data_compromised': 'Credentials, source code, secrets',
'identity_theft_risk': 'High (credential theft)',
'operational_impact': 'Potential backdoors and persistence '
'mechanisms on developer machines',
'systems_affected': 'AI coding environments (e.g., Claude Code, '
'Codex)'},
'initial_access_broker': {'backdoors_established': 'Yes (persistence '
'mechanisms)',
'entry_point': 'Malicious AI agent skills',
'high_value_targets': 'Developer machines, AI '
'coding environments'},
'lessons_learned': 'Install-time trust checks are insufficient; defenders '
'must analyze runtime behavior of AI agent skills. Static '
'scanners are vulnerable to evasion techniques, while '
'runtime auditing is more effective.',
'post_incident_analysis': {'corrective_actions': 'Adopt runtime behavior '
'auditing (e.g., '
'SKILLDETONATE) to monitor '
'security-relevant actions '
'in AI environments.',
'root_causes': "Static scanners' inability to "
'detect runtime malicious behavior '
'in AI agent skills. Obfuscation '
'techniques (e.g., SKILLCLOAK) '
'evading detection.'},
'recommendations': 'Implement runtime behavior auditing (e.g., SKILLDETONATE) '
'to monitor security-relevant actions in AI coding '
'environments. Enhance scrutiny of third-party skills to '
'prevent supply-chain compromise.',
'references': [{'source': 'Research Paper'}],
'response': {'enhanced_monitoring': 'Runtime auditing of security-relevant '
'actions (file access, data flows, '
'network activity)',
'remediation_measures': 'Runtime behavior auditing (e.g., '
'SKILLDETONATE)'},
'title': 'New AI Agent Threat Evades Detection, Enables Credential Theft and '
'Backdoors',
'type': 'Supply-Chain Compromise',
'vulnerability_exploited': "Static code scanners' inability to detect runtime "
'malicious behavior'}