New SkillCloak Technique Lets Malicious Alexa Skills Bypass Amazon Security and Steal User Data
Researchers at the Hong Kong University of Science and Technology have discovered a significant vulnerability in how security scanners evaluate AI coding assistant extensions, commonly called skills. These add-on tools for platforms like Claude Code and OpenAI Codex operate with the same system privileges as the AI agent itself, meaning a compromised skill can access passwords, steal source code, or install persistent backdoors. The research team developed a tool called SKILLCLOAK that demonstrates how easily malicious skills can evade detection by altering their code structure or hiding harmful components in ignored directories like .git folders that only execute after passing initial security checks. In testing against eight commercial scanners using over 1,600 malicious samples, these evasion techniques achieved bypass rates exceeding ninety percent and often reaching ninety-nine percent effectiveness.
To address this critical gap, the same researchers created SKILLDETONATE, a behavioral analysis tool that monitors skills in real time within a secure sandbox environment rather than relying solely on static file inspection. This dynamic approach tracks data flows and command execution as they happen, successfully detecting ninety-seven percent of attacks in controlled testing and eighty-seven percent of real-world malicious skills even when disguised. By contrast, the strongest conventional scanner tested, made by Cisco, dropped from ninety-nine percent detection on unaltered threats to just ten percent once evasion techniques were applied. The trade-off is execution time, with behavioral analysis requiring several minutes per skill compared to mere seconds for traditional scanning methods.
This threat is not theoretical. Security researchers have documented that a substantial number of publicly available skills already contain hidden malicious code, with some attackers deliberately padding file sizes to exceed scanner processing limits. Similar exploitation patterns have appeared across GitHub repositories and Microsoft development tools, where harmful payloads activate only after runtime begins and initial security validation has concluded. Although this research remains in preprint status awaiting peer review, it demonstrates that the security model for AI agent extensions requires fundamental rethinking beyond static analysis alone.
Organizations relying on AI coding assistants should implement layered defenses that combine traditional scanning with runtime behavioral monitoring. Additional protective measures include enforcing strict permission controls on AI agents, limiting skill sources to verified publishers, and isolating these systems from environments containing sensitive data. The research makes clear that as AI assistants become more capable and integrated into development workflows, their extension ecosystems present an expanding attack surface that conventional security tools were not designed to address effectively.
Stay secure — stay Wavasec. 🔐