AI Security AI安全 4d ago Updated 4d ago 更新于 4天前 51

SkillCloak Lets Malicious AI Agent Skills Evade Static Scanners with Self-Extracting Packing SkillCloak让恶意AI代理技能通过自解压打包规避静态扫描器

SKILLCLOAK systematically bypasses static security scanners for AI agent skills using character substitution and self-extracting packing techniques that hide payloads in ignored directories. The self-extracting packing method evaded all tested scanners over 90% of the time, demonstrating that current static analysis defenses are largely ineffective against obfuscated malicious code. Researchers introduced SKILLDETONATE, a runtime behavioral checker that monitors OS-level actions and data flow, c 港科技大学研究揭示AI编程代理的“技能”(Skills)包可通过静态扫描器检测漏洞,攻击者可利用自解压打包等技术绕过安全审查。 提出SKILLCLOAK工具,通过字符替换或隐藏载荷至.git目录等方式,使恶意技能在保持功能不变的情况下成功绕过主流扫描器,逃逸率超过90%。 针对静态检测失效问题,提出SKILLDETONATE运行时沙箱检测方案,通过监控操作系统级行为而非文件外观,以较低误报率有效捕获伪装后的攻击。 现实市场中已存在大量利用类似混淆技巧的恶意技能,且存在“审查通过即运行”的信任假设缺陷,凸显了从静态签名检测转向动态行为分析的紧迫性。

75
Hot 热度
70
Quality 质量
72
Impact 影响力

Analysis 深度分析

TL;DR

  • SKILLCLOAK systematically bypasses static security scanners for AI agent skills using character substitution and self-extracting packing techniques that hide payloads in ignored directories.
  • The self-extracting packing method evaded all tested scanners over 90% of the time, demonstrating that current static analysis defenses are largely ineffective against obfuscated malicious code.
  • Researchers introduced SKILLDETONATE, a runtime behavioral checker that monitors OS-level actions and data flow, catching 97% of attacks in controlled tests with a low false-positive rate.
  • Real-world evidence confirms that malicious actors are already exploiting similar evasion tactics in public AI skill marketplaces, such as ClawHub, to steal credentials and inject malware.
  • The study highlights a critical industry vulnerability: the disconnect between static approval processes and dynamic runtime execution allows attackers to deliver payloads that appear benign during review but execute maliciously.

Why It Matters

This research exposes a fundamental flaw in the security infrastructure supporting autonomous AI agents, specifically regarding third-party skill integration. As AI coding assistants become more prevalent, the ability to easily extend their capabilities via unvetted or poorly vetted plugins creates a significant attack surface for credential theft and system compromise. For practitioners and organizations adopting these tools, understanding that static scanning is insufficient necessitates a shift toward runtime monitoring and behavioral analysis to prevent supply chain attacks.

Technical Details

  • SKILLCLOAK Evasion Techniques: The tool employs two primary methods to bypass static scanners: "lighter" rewriting (swapping characters with look-alikes or splitting commands across newlines) and "heavier" self-extracting packing (moving payloads to skipped directories like .git/ and reconstructing them at runtime).
  • Benchmark Results: Tested against eight different scanners using 1,613 real malicious skills from ClawHub, the packing technique achieved a bypass rate of >90% across all scanners and >99% for most, while the rewriting technique cleared >80% on most and 96% on one.
  • SKILLDETONATE Runtime Checker: This proposed defense runs skills in a sandbox, tracking sensitive data flow at the OS level rather than relying on signature matching. It successfully detected 97% of attacks in controlled environments and 87% on real-world samples, maintaining effectiveness even against cloaked skills.
  • Performance Trade-offs: While SKILLDETONATE offers superior detection compared to static scanners (which dropped from 99% to ~10% efficacy after cloaking), it incurs a higher latency cost, taking minutes per skill versus seconds for static scans.
  • Real-World Validation: The study cites existing threats like the "ClawHavoc" campaign and specific evasive skills on ClawHub that use padding and hidden code delivery, confirming the practical applicability of the theoretical vulnerabilities.

Industry Insight

  • Shift to Behavioral Security: Organizations deploying AI agents must move beyond static code analysis for third-party integrations. Implementing runtime sandboxes and behavioral monitoring is essential to detect obfuscated payloads that evade traditional signature-based detection.
  • Supply Chain Vigilance: The ease with which malicious skills can be disguised suggests that public marketplaces for AI tools are high-risk vectors. Developers should prioritize vetting skills from trusted sources and assume that any unverified plugin may contain runtime-exploiting malware.
  • Architecture Review: The finding that scanners ignore certain directories (like .git/) reveals configuration blind spots. Security teams should audit their scanning configurations to ensure that ignored paths do not inadvertently allow malicious code execution, and consider enforcing stricter integrity checks on all loaded modules.

TL;DR

  • 港科技大学研究揭示AI编程代理的“技能”(Skills)包可通过静态扫描器检测漏洞,攻击者可利用自解压打包等技术绕过安全审查。
  • 提出SKILLCLOAK工具,通过字符替换或隐藏载荷至.git目录等方式,使恶意技能在保持功能不变的情况下成功绕过主流扫描器,逃逸率超过90%。
  • 针对静态检测失效问题,提出SKILLDETONATE运行时沙箱检测方案,通过监控操作系统级行为而非文件外观,以较低误报率有效捕获伪装后的攻击。
  • 现实市场中已存在大量利用类似混淆技巧的恶意技能,且存在“审查通过即运行”的信任假设缺陷,凸显了从静态签名检测转向动态行为分析的紧迫性。

为什么值得看

随着AI编程代理(如Claude Code, OpenAI Codex)广泛采用插件化“技能”扩展功能,其安全性成为关键隐患;本研究揭示了现有静态防御机制的系统性脆弱,为构建更鲁棒的AI代理生态系统提供了重要的攻防视角和安全架构参考。

技术解析

  • SKILLCLOAK混淆技术:包含两种策略。轻量级策略利用同形字符替换或命令换行分割,破坏扫描器的正则匹配模式但保留执行逻辑;重量级策略采用“自解压打包”,将恶意载荷隐藏在扫描器通常跳过的目录(如.git/)中,仅在运行时由解码器重建。
  • SKILLDETONATE运行时检测:摒弃基于文件内容的静态分析,转而采用沙箱环境监控技能运行时的OS级行为(读写操作、网络发送)。该技术通过追踪敏感数据流向而非识别特定代码特征,有效抵御Base64编码或加密等混淆手段。
  • 基准测试结果:在1,613个真实恶意技能上测试,自解压打包技巧对8款扫描器的逃逸率超90%,多数超99%;SKILLDETONATE在受控环境中捕获97%的攻击,误报率仅2%,但在真实世界恶意技能上的捕获率为87%。
  • 性能权衡:运行时检测虽比静态扫描慢(需数分钟 vs 数秒),但仅需在技能上线前执行一次,具备工程可行性。

行业启示

  • 防御范式转移:AI代理生态的安全防御必须从依赖静态特征匹配的“外观检查”转向基于运行时行为的“动态监控”,以应对日益复杂的代码混淆和动态加载攻击。
  • 供应链信任重构:公共市场中的技能包缺乏严格审核,且存在“审查后篡改”风险(如工具描述被污染),平台方需建立持续性的运行时验证机制,打破“一次审查,永久信任”的错误假设。
  • 开发者安全意识提升:在使用第三方AI代理技能时,应警惕那些包含异常大文件、隐藏目录或复杂初始化脚本的包,并优先选择支持沙箱隔离或行为审计的工具链。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Agent Agent Security 安全 Code Generation 代码生成 Research 科学研究