Back to Intelligence

Defending Against SkillCloak: AI Agent Skill Evasion and Runtime Detection

SA
Security Arsenal Team
July 7, 2026
7 min read

Introduction

As we navigate the deepening integration of Generative AI into development workflows in 2026, a new attack surface has emerged: the "skills" or plugins that empower AI coding agents. A recent study from researchers at the Hong Kong University of Science and Technology (HKUST) has unveiled a concerning reality: the static scanners currently employed to vet these add-ons are dangerously fragile.

The research introduces SkillCloak, a technique that allows malicious AI agent skills to bypass static analysis through self-extracting packing. In their tests, this method successfully evaded every scanner tested more than 90% of the time. For security teams, this represents a critical blind spot. If your organization allows the use of autonomous coding agents or third-party AI skills, you are currently at risk of ingesting obfuscated malware that traditional signature-based defenses will miss. This post breaks down the SkillCloak technique and provides the detection logic and runtime strategies you need to defend your environment.

Technical Analysis

The Threat Mechanism

SkillCloak operates on the principle of obfuscation via self-extracting archives. Unlike standard malicious code that might be detected by string matching or static code analysis within a skill file, SkillCloak wraps the malicious payload inside a packed executable or a compressed archive layer.

  • Attack Vector: A malicious actor submits a "skill" (e.g., a Python package, a JSON configuration, or a script) to a repository or marketplace compatible with popular AI coding agents.
  • Evasion Technique: The skill contains a stub or loader that appears benign to static scanners. However, upon execution by the AI agent, the stub triggers a self-extraction process, decompressing and executing the malicious payload in memory or on disk.
  • Defensive Gap: Static scanners analyze the file at rest. They see the unpacker or the compressed data, not the malicious code, resulting in a clean bill of health for a threat that activates only at runtime.

Affected Platforms

While the research specifically highlights the failure of scanners designed for AI skills, the impact is broader. Any environment utilizing:

  • AI Coding Agents: Tools like Cursor, Windsurf, or custom enterprise agents that ingest unverified "skills" to automate coding tasks.
  • Extension Ecosystems: Platforms that rely heavily on static analysis for plugin vetting.

Exploitation Status

The HKUST team demonstrated that this is not merely theoretical. Their "strongest trick" achieved a >90% evasion rate against all tested scanners. Furthermore, the researchers proved that by switching to runtime analysis, detection rates significantly improved, confirming that the threat is active and relies on the lack of behavioral monitoring in current supply chain security controls.

Detection & Response

Because SkillCloak evades static analysis, we must shift our focus to runtime behavioral detection. We cannot trust the file scan result at rest. Instead, we must monitor the AI agent processes for suspicious child activity, specifically the unpacking of archives or the execution of self-extracting binaries.

SIGMA Rules

The following rules target the behavior of an AI agent spawning an unpacking process (e.g., 7z, tar, gzip) or a self-extracting executable, which is highly unusual for a coding agent plugin.

YAML
---
title: AI Agent Spawning Archive Unpacking Tool
id: 8d4c2e1a-1f3b-4509-a23d-9f1c5e6a7b8d
status: experimental
description: Detects AI coding agents spawning child processes associated with archive unpacking, a potential indicator of SkillCloak or similar packing evasion techniques.
references:
 - https://thehackernews.com/2026/07/new-skillcloak-technique-lets-malicious.html
author: Security Arsenal
date: 2026/07/15
tags:
 - attack.defense_evasion
 - attack.t1027
logsource:
 category: process_creation
 product: windows
detection:
 selection_ai:
   ParentImage|endswith:
     - '\cursor.exe'
     - '\windsurf.exe'
     - '\Code.exe'
     - '\python.exe' # Generic if python hosts the agent
 selection_unpack:
   Image|endswith:
     - '\7z.exe'
     - '\tar.exe'
     - '\gzip.exe'
     - '\winrar.exe'
     - '\expand.exe'
   OR CommandLine|contains:
     - '-x'
     - '-e'
     - 'extract'
 condition: all of selection_*
falsepositives:
 - Legitimate zipping of project artifacts by an agent
level: high
---
title: Suspicious Self-Extracting Execution by AI Agent
id: 3b5f8c9d-2e4a-4d8f-9a1b-7c6e5d4a3b2c
status: experimental
description: Detects AI agents executing binaries with high entropy or self-extracting characteristics, indicative of SkillCloak payload execution.
references:
 - https://thehackernews.com/2026/07/new-skillcloak-technique-lets-malicious.html
author: Security Arsenal
date: 2026/07/15
tags:
 - attack.execution
 - attack.t1204
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   ParentImage|endswith:
     - '\cursor.exe'
     - '\windsurf.exe'
     - '\aider.exe'
   Image|contains:
     - 'tmp'
     - 'temp'
     - 'AppData\Local\Temp'
   CommandLine|contains:
     - '-o'
     - '-sfx'
     - 'silent'
 condition: selection
falsepositives:
 - Rare, usually only legitimate installers
level: critical

KQL (Microsoft Sentinel / Defender)

This hunt query looks for process creation events where a known AI agent parent process spawns a child process that is a common unpacking tool or a script interpreter in a temporary directory.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
// Identify common AI Agent parent processes
| where ParentProcessName in~ ("cursor.exe", "windsurf.exe", "Code.exe", "aider.exe", "cline.exe")
// Identify child processes used for unpacking or suspicious execution
| where ProcessCommandLine contains_any ("-x", "-e", "extract", "unzip", "tar", "7z") 
   or (FolderPath contains @"\Temp\" and ProcessVersionInfoOriginalFileName in~ ("python.exe", "cmd.exe", "powershell.exe"))
| project Timestamp, DeviceName, AccountName, ParentProcessName, ProcessName, ProcessCommandLine, FolderPath
| order by Timestamp desc

Velociraptor VQL

This VQL artifact hunts for process chains where an AI agent parent spawns a child process associated with archiving or self-extraction.

VQL — Velociraptor
-- Hunt for AI agents spawning unpacking processes
SELECT Parent.Pid as ParentPid, Parent.Name as ParentName, Pid, Name, CommandLine, Exe
FROM pslist()
LEFT JOIN pslist() AS Parent ON Parent.Pid = Ppid
WHERE Parent.Name =~ "(cursor|windsurf|Code|aider|cline).exe"
  AND (
    Name =~ "(7z|tar|gzip|winrar|expand).exe" OR 
    CommandLine =~ "-[xe]" OR 
    CommandLine =~ "extract"
  )

Remediation Script (PowerShell)

Since patching a specific CVE is not applicable here (this is a technique, not a bug), remediation focuses on scanning the environment for indicators of compromise (IOCs) associated with recently installed skills and auditing execution policies.

PowerShell
# Audit AI Agent Skill Directories for Suspicious Archives
# This script checks common directories for AI skills and flags high-entropy or archived files.

$aiPaths = @(
    "$env:USERPROFILE\.cursor\skills",
    "$env:USERPROFILE\.windsurf\extensions",
    "$env:APPDATA\Code\User\globalStorage",
    "$env:USERPROFILE\.aider"
)

$suspiciousExtensions = @(".zip", ".rar", ".7z", ".tar", ".gz")

Write-Host "[+] Scanning for suspicious packed files in AI Agent directories..."

foreach ($path in $aiPaths) {
    if (Test-Path $path) {
        Write-Host "[INFO] Scanning: $path"
        Get-ChildItem -Path $path -Recurse -Force -ErrorAction SilentlyContinue | 
        Where-Object { $_.Extension -in $suspiciousExtensions -or $_.Name -match "sfx|self-extract" } | 
        Select-Object FullName, Length, LastWriteTime | 
        Format-Table -AutoSize
    } else {
        Write-Host "[INFO] Path not found: $path"
    }
}

Write-Host "[+] Audit Complete. Review the list above for unauthorized archives."
Write-Host "[!] Recommendation: Restrict AI agents from executing binaries from temp directories."

Remediation

Mitigating the SkillCloak technique requires a shift from "scan-at-rest" to "validate-at-runtime."

  1. Implement Runtime Application Self-Protection (RASP): Deploy RASP solutions specifically around AI agent processes to monitor for unpacking behaviors or unauthorized child process creation.
  2. Enable Behavioral Heuristics: Update your endpoint detection and response (EDR) policies to flag when development tools (IDEs, AI agents) spawn archiving utilities like 7-Zip or tar. While legitimate developers do this, an AI agent doing it autonomously is a high-fidelity anomaly.
  3. Sandbox Execution: Execute unverified AI skills in a hardened, ephemeral sandbox environment before allowing them to interact with the main codebase. The sandbox must monitor runtime behavior, not just static file attributes.
  4. Strict Allowlisting: Maintain a strict allowlist of authorized skills. In high-security environments, disable the ability for AI agents to download and install skills from open repositories automatically.
  5. Update Scanner Logic: If you maintain an internal scanner for these tools, integrate a runtime extraction step to force the payload to reveal itself before static analysis occurs.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionai-securityskillcloaksupply-chainevasionmalware

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.