AI Scanners Under Threat
Researchers at the Hong Kong University of Science and Technology have revealed that AI coding agents’ malicious add-on “skills” can easily bypass scanners designed to detect them. A recent study showed that simple alterations can help these skills evade detection while still functioning maliciously.
According to the study, over 90% of scanners failed to detect these altered skills. The team also developed a runtime checker capable of identifying most of the disguised skills that scanners miss.
How SkillCloak Bypasses Scanners
The tool developed by the researchers, known as SkillCloak, modifies malicious skills to appear benign while maintaining their harmful capabilities. SkillCloak employs two primary methods for this transformation.
The first method involves altering the skill’s code to evade pattern recognition by scanners. This is done by swapping characters for look-alikes or splitting commands across lines. The second method, self-extracting packing, hides the malicious payload in directories typically ignored by scanners, such as .git/. The payload is only revealed when the agent executes the skill.
Testing across eight scanners and over 1,600 real-world malicious skills showed that the packing method evaded detection more than 90% of the time, while the lighter rewriting method had an 80% success rate. Cloaked skills performed as effectively as their unaltered counterparts.
Behavioral Monitoring as a Solution
Given the ability of malicious skills to disguise their appearance, the researchers suggest a focus on behavioral monitoring. Their proposed tool, SkillDetonate, observes skills’ actions at the operating-system level, tracking data flows and running instructions only at runtime.
SkillDetonate proved effective in tests, catching 97% of attacks with a 2% false positive rate. In contrast, existing scanners had higher false-positive rates and decreased effectiveness against cloaked skills.
Although SkillDetonate is slower than traditional scanners, taking a few minutes per skill, it offers a more reliable defense by focusing on runtime behavior rather than static analysis.
Real-World Implications and Future Directions
Malicious skills are already prevalent in public marketplaces, with scanners failing to detect them. Bitdefender reported that 17% of skills on one marketplace contained hidden malware. Some of these employed tactics similar to those outlined in the study.
Cisco’s scanner, while effective against unaltered skills, failed to detect cloaked versions, catching only 10% post-alteration. These findings suggest that reliance on static scanning alone is insufficient for security.
To enhance security, the paper recommends combining static scanning with behavioral monitoring. By observing skills at runtime, organizations can better protect their systems from malicious activities.
In conclusion, while SkillCloak presents a significant threat to AI security, tools like SkillDetonate offer promising solutions. By focusing on behavior rather than appearance, organizations can fortify their defenses against increasingly sophisticated threats.
