Recent research has uncovered vulnerabilities in AI skill scanners from industry leaders ClawHub, Cisco, and Vercel. The investigation reveals that these platforms can be easily bypassed, allowing the upload and distribution of malicious skills in public marketplaces. This situation highlights an escalating supply chain risk within agent ecosystems, where reusable components can execute harmful code and alter model behavior.
Techniques Used to Evade Detection
Trail of Bits researchers have demonstrated that attackers can circumvent detection using simple obfuscation and packaging techniques rather than complex exploits. One notable instance involved ClawHub, where over 100,000 newline characters were inserted to push malicious code beyond the scanner’s analysis range. This method effectively bypassed the inspection, allowing harmful logic to evade detection by integrated scanning engines like VirusTotal’s Code Insight.
Further examinations of Cisco’s open-source skill-scanner and Vercel’s skills.SH integrations identified additional vulnerabilities. These platforms utilize a combination of static analysis, pattern matching, and LLM-based inspection. However, when malicious content is hidden in less obvious formats, such as compiled Python bytecode or archive-based files, these defenses can be bypassed.
Real-World Exploits and Their Implications
One practical demonstration involved a text-formatting skill containing precompiled Python bytecode. While the visible source code seemed harmless, the bytecode extracted environment variables, enabling potential data theft. Because scanners focused on readable source files, the malicious payload went undetected.
Another method involved indirect execution paths, where a skill instructed an AI agent to retrieve operational logic from a document containing a hidden script. This approach bypassed both signature-based detection and LLM reasoning, as the malicious behavior was not exposed in the primary skill definition. Additionally, researchers used prompt injection to manipulate LLM-based scanners by disguising malicious configurations as standard enterprise setups.
Limitations and Recommendations
These findings underscore the limitations of current scanning methods. Static analysis struggles with complex or concealed file formats, while LLM-based systems can be deceived by cleverly framed instructions. Limitations such as narrow context windows and selective file inspection create exploitable blind spots.
The rapid expansion of public skill marketplaces compounds the issue, as these platforms often prioritize usability over stringent security controls, increasing exposure to malicious uploads. Trail of Bits researchers recommend adopting traditional supply chain security measures, such as curated repositories, strict access controls, and version pinning, to mitigate these risks.
In conclusion, automated scanning alone is insufficient to secure AI skill ecosystems. Until more robust safeguards are developed, organizations should view all public AI skills as potentially untrusted code and avoid deploying them in sensitive environments.
