Security Gaps in Skill Detection
AI skill scanners used by ClawHub, Cisco, and Vercel’s skills.SH platform can be defeated using basic obfuscation methods, according to research from Trail of Bits. The findings reveal that attackers can upload and distribute malicious skills through public marketplaces without needing advanced exploitation techniques. These skills act as reusable components that execute code and influence AI model behavior, creating a supply chain risk in agent ecosystems.
Bypass Techniques Uncovered
Trail of Bits researchers demonstrated multiple evasion strategies across all three platforms. In one test against ClawHub, inserting over 100,000 newline characters pushed malicious code beyond the scanner’s inspection window, causing truncation in the analysis pipeline. This allowed harmful logic to pass undetected and confused integrated engines such as VirusTotal’s Code Insight. Further testing against Cisco’s open-source skill scanner and Vercel’s skills.SH showed similar weaknesses when malicious content was hidden in compiled Python bytecode or in archive-based files.
Impact and Scope
One demonstrated attack used a seemingly benign text-formatting skill that included precompiled Python bytecode. While the visible source code appeared harmless, the bytecode silently read environment variables for data exfiltration. Scanners missed the payload because they focused on readable source files. Another technique used indirect execution paths, where a skill instructed the AI agent to retrieve its operational logic from a document containing a hidden script. Researchers also used prompt injection to manipulate LLM-based scanners, disguising malicious configurations as legitimate enterprise setups.
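The three scanner weaknesses described above (whitespace padding that overflows a fixed inspection window, compiled bytecode standing in for readable source, and archives whose members are never unpacked) are cheap to pre-screen before a skill bundle reaches any deeper analysis. The following Python is an added example, not code from Trail of Bits or from the ClawHub, Cisco or skills.SH scanners. The thresholds, the file names in the sample bundle and the bundle contents are constructed for illustration; the bytecode detection uses the running interpreter's `importlib.util.MAGIC_NUMBER` and falls back to the `.pyc` extension plus the `\r\n` header shape for other CPython versions.

```python
"""Pre-screen an uploaded AI-agent skill bundle for scanner-evasion shapes.
Added example; thresholds and sample data are assumptions, not article values."""
import importlib.util
import re
from typing import Dict, List

# Assumed thresholds: tune to the marketplace's real size limits.
MAX_NEWLINE_RUN = 1_000   # longest run of consecutive newlines tolerated in a text file
MAX_BLANK_RATIO = 0.90    # fraction of blank lines above which a file counts as padded

# Leading bytes of common container formats that a source-only scanner would skip.
ARCHIVE_MAGICS = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf": "7z",
}


def looks_like_pyc(name: str, data: bytes) -> bool:
    """CPython bytecode starts with a 2-byte magic followed by b'\\r\\n'.
    Match this interpreter's magic exactly; otherwise rely on extension + header shape."""
    if data[:4] == importlib.util.MAGIC_NUMBER:
        return True
    return name.endswith((".pyc", ".pyo")) and data[2:4] == b"\r\n"


def looks_like_archive(data: bytes) -> str:
    """Return the archive kind ('' if none) by magic bytes; tar keeps 'ustar' at offset 257."""
    for magic, kind in ARCHIVE_MAGICS.items():
        if data.startswith(magic):
            return kind
    if len(data) > 262 and data[257:262] == b"ustar":
        return "tar"
    return ""


def longest_newline_run(text: str) -> int:
    """Length of the longest run of consecutive newline characters."""
    return max((len(m.group(0)) for m in re.finditer(r"\n+", text)), default=0)


def normalize_for_scan(text: str) -> str:
    """Collapse blank-line runs BEFORE any inspection-window limit is applied,
    so padding cannot push the interesting code past a fixed byte budget."""
    return re.sub(r"\n{3,}", "\n\n", text)


def triage_skill(files: Dict[str, bytes]) -> List[str]:
    """One finding per suspicious file; an empty list means nothing was flagged."""
    findings: List[str] = []
    for name, data in files.items():
        if looks_like_pyc(name, data):
            findings.append(f"{name}: compiled Python bytecode with no readable source")
            continue
        kind = looks_like_archive(data)
        if kind:
            findings.append(f"{name}: embedded {kind} archive; members must be extracted and scanned")
            continue
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            findings.append(f"{name}: undecodable binary content where source was expected")
            continue
        lines = text.split("\n")
        blank = sum(1 for line in lines if not line.strip())
        run = longest_newline_run(text)
        if run > MAX_NEWLINE_RUN or (len(lines) > 50 and blank / len(lines) > MAX_BLANK_RATIO):
            findings.append(
                f"{name}: whitespace padding (longest newline run {run}, {blank}/{len(lines)} blank lines)"
            )
    return findings


# Constructed sample bundle shaped like the article's "text formatting skill":
# readable source, a hidden .pyc, and a helper padded with 100,000 newlines.
SAMPLE_BUNDLE: Dict[str, bytes] = {
    "SKILL.md": b"# Format text\nWraps paragraphs to 80 columns.\n",
    "format.py": b"def wrap(s, width=80):\n    return s\n",
    "__pycache__/helper.cpython-312.pyc": importlib.util.MAGIC_NUMBER + b"\x00" * 12,
    "util.py": b"import os\n" + b"\n" * 100_000 + b"# marker: code placed after the padding\n",
}

if __name__ == "__main__":
    for finding in triage_skill(SAMPLE_BUNDLE):
        print(finding)
```

Running it flags `__pycache__/helper.cpython-312.pyc` and `util.py` and leaves `SKILL.md` and `format.py` alone. The design point is ordering: normalization and container detection happen before any inspection window is enforced, so a scanner that does cap the bytes it reads is still looking at the collapsed text rather than at 100,000 empty lines.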
Source: Cyber Security News