Search papers, labs, and topics across Lattice.
This paper investigates the vulnerabilities of existing static skill scanners used to detect malicious agent skills in LLM coding agents by introducing SkillCloak, an evasion framework that preserves attack semantics while altering payload appearance. Through two strategies鈥擲tructural Obfuscation and Self-Extracting Skill Packing鈥擲killCloak successfully bypasses over 90% of scanners, revealing the inadequacy of appearance-based defenses. In response, the authors propose SkillDetonate, a behavior-centric runtime auditor that achieves a 97% detection rate of attacks with only a 2% false-positive rate, demonstrating a significant advancement in dynamic detection methods for agent skill malware.
Static scanners fail against adaptive evasions, but a new behavior-centric auditor can detect 97% of malicious skills with minimal false positives.
LLM coding agents increasingly rely on third-party agent skills from public marketplaces, which execute with the agent's privileges and create a software supply-chain attack surface: a malicious skill can steal credentials, exfiltrate source code, or install backdoors. Existing defenses use static skill scanners based on pattern matching or LLM-as-judge analysis, but it remains unclear whether they withstand adaptive evasions that preserve malicious behavior while changing payload appearance. This paper first presents an adversarial study of existing skill scanners through SkillCloak, a payload-preserving evasion framework that keeps the attack semantics intact while transforming their visible form. SkillCloak uses two complementary strategies: Structural Obfuscation, which rewrites visible payload indicators into semantically equivalent forms, and Self-Extracting Skill (SFS) Packing, which hides malicious components from the install-time view and restores them during agent execution. Across eight scanners and 1,613 in-the-wild malicious skills, SFS Packing bypasses every scanner at over 90%, while Structural Obfuscation bypasses over 80% on most static scanners and reaches 96% on a hybrid scanner, showing that appearance-based auditing is insufficient. Motivated by this finding, we propose SkillDetonate, a behavior-centric runtime auditor that executes skills in a sandbox and detects malicious effects through OS-boundary information-flow evidence rather than install-time appearance. SkillDetonate combines on-demand closure lift, which observes instructions materialized during execution, with marker-based taint analysis, which tracks sensitive-data flows across the agent context, files, processes, and network operations. The results show that SkillDetonate detects 97% of attacks at a 2% false-positive rate and sustains 87% detection on real-world malicious skills.