The findings point to a widening supply-chain problem around “skills”, the modular instruction-and-file packages that allow AI agents to perform tasks such as editing documents, running scripts, managing workflows or connecting with external services. Unlike conventional software packages, these skills may combine code, natural-language instructions, metadata and bundled files, giving attackers more ways to hide harmful behaviour from automated checks.
The tests targeted ClawHub’s malicious-skill detector, Cisco’s open-source agent skill scanner and scanners integrated into skills. sh, a Vercel-backed registry-style platform. The bypasses did not require advanced exploitation. Several malicious samples were reportedly built within less than an hour using standard evasion techniques, with a fourth taking longer because of trial-and-error around prompt-injection wording.
ClawHub, developed for the OpenClaw ecosystem, has positioned itself as a public registry for text-based agent skills and related plugins. Its model allows users to publish, browse, version and install skills, including SKILL. md files and supporting material. That openness has helped expand access to reusable AI-agent functions, but it has also created a target for malicious actors seeking to reach developers and organisations through trusted-looking packages.
One ClawHub bypass relied on an unusually simple method: placing a large number of blank lines between harmless introductory content and malicious code. The effect was to push the harmful material beyond what the scanner inspected or interpreted properly. The test exposed a weakness familiar in automated security systems: if review pipelines truncate input or rely on limited context windows, attackers can place damaging content outside the inspected region while still keeping it inside the package delivered to users.
The ClawHub checks included a VirusTotal-linked process and a custom guard-model scanner. While the platform restricts certain file types and does not allow arbitrary binaries or archives in distributed skills, the experiment showed that packaging rules alone cannot prevent abuse when natural-language instructions and code-like content remain available attack surfaces.
Cisco’s skill scanner and the scanners used through skills. sh faced a different challenge because they operate on broader repository-style uploads. That opens the door to hidden or opaque material in file trees, compiled artefacts, document containers and assets that scanners may not fully examine. One proof-of-concept skill used a document file to carry hidden instructions and payload material. Another used Python bytecode poisoning, where the visible source code appeared harmless while the compiled file contained behaviour capable of harvesting environment variables.
The weakness is significant because environment variables often hold tokens, credentials and configuration secrets used by development systems. If an AI agent installs and runs a skill containing such hidden behaviour, attackers may gain access to sensitive systems without the user realising that the compromise began through an apparently useful agent extension.
Cisco’s scanner combines language-model analysis with pattern matching and static analysis. That layered design is stronger than a single keyword filter, but the tests showed gaps in file coverage, language support and the handling of content that is referenced indirectly or stored in formats the scanner treats as opaque. Improvements have been proposed, including stricter format validation and broader support for JavaScript and TypeScript scanning, but prompt-injection attacks remain harder to eliminate because they exploit meaning and context rather than only code signatures.
The skills. sh ecosystem has relied on integrations with external scanning providers including Gen, Socket and Snyk. Such tools are valuable for identifying known malicious patterns and risky dependencies, but the bypasses underline that agent skills sit between software security and AI safety. A package can be dangerous because of what it tells an agent to do, not only because it contains a suspicious executable.
Academic work on agent-skill security has reached a similar conclusion. Large-scale studies of ClawHub-style registries have found high disagreement between scanner families, with some tools flagging semantic agentic risk while others detect conventional malware traces. That split suggests that a single pass-fail scanner is unlikely to provide enough assurance for organisations using AI agents in software engineering, finance, legal, healthcare or internal operations.
The operational risk is amplified by how easily agent marketplaces can mimic the dynamics of package-manager ecosystems. Developers may install skills because they appear popular, well documented or functionally useful. Attackers can exploit that trust with typosquatting, benign-looking descriptions, bundled helper scripts and prompt instructions that only become harmful when executed by an agent with access to files, credentials or network services.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.
