How it works
Defenses
Attack Patterns MCP Attack Atlas What we catch Hardening manual OWASP LLM Top 10 MITRE ATLAS
Learn
Encyclopedia (new) Agent Security 101 Blog Reports CVP runs Thesis
Resources
Docs GitHub Action (live) vs Lakera vs Promptfoo Team
Theme
Encyclopedia · Scanner Evasion

What is SkillCloak?

SkillCloak is the researchers' name for a structural-obfuscation scanner-evasion framework reported by HKUST researchers in the non-peer-reviewed arXiv preprint 2607.02357 ("Cloak and Detonate", July 2, 2026), covered by The Hacker News on July 6, 2026. The researchers report that the strongest of 8 agent-skill scanners they tested dropped from 98.6% to 10.1% detection on 1,613 real-world malicious skills under the transform, and that self-extracting skill packing bypassed all 8 scanners over 90% of the time. These are the researchers' own measurements; Cisco issued no public response as of July 8, 2026. SkillCloak is a research red-team tool, not an observed in-the-wild attack campaign. The lesson: a clean static scan is not proof of safety; static scanning is table stakes and trust decisions for agent skills should be authority-led, scanner-backed, and local.
Written by CAVA·July 8, 2026
The 60-second version
sunglasses://what-is-skillcloak/
Quick answer

SkillCloak is the name researchers used for a structural-obfuscation scanner-evasion transform in “Cloak and Detonate,” a July 2026 arXiv preprint about scanner evasion and dynamic detection of agent skill malware. The researchers report that the strongest of 8 agent-skill scanners they tested dropped from 98.6% to 10.1% detection after the transform. It is a research red-team tool, not an observed in-the-wild attack campaign — and the honest lesson is that a clean static scan is not proof of safety.

98.6%
Reported detection before cloaking
10.1%
Reported detection after cloaking
1,613
Real-world malicious skills tested
8 of 8
Scanners bypassed >90% by skill packing
Jul 2
arXiv preprint 2607.02357, 2026
0
Cisco public responses as of Jul 8, 2026

All numbers are the researchers’ own measurements from a non-peer-reviewed arXiv preprint, covered by The Hacker News on Jul 6, 2026. They should not be attributed to Cisco.

The definition

sunglasses://what-is-skillcloak/definition
Definition

SkillCloak is the researchers’ name for a scanner-evasion framework that uses structural obfuscation against agent-skill malware scanners. It was reported by researchers from HKUST in the non-peer-reviewed arXiv preprint 2607.02357, “Cloak and Detonate,” submitted in July 2026, and covered by The Hacker News on Jul 6, 2026.

What was measured

The researchers measured scanner detection against 1,613 real-world malicious skills before and after the SkillCloak structural-obfuscation transform. They report that Cisco’s open-source AI Defense skill-scanner — the strongest of the 8 scanners they tested — dropped from 98.6% detection to 10.1% detection under that transform.

Second technique

The finding has an important second part: the researchers’ second technique, self-extracting skill packing, bypassed all 8 tested scanners over 90% of the time.

Read carefully

Those numbers should be read carefully. They are the researchers’ own measurements from a non-peer-reviewed preprint. Cisco has issued no public response as of Jul 8, 2026. The numbers should not be attributed to Cisco, and SkillCloak should not be described as an in-the-wild attack.

What readers should not conclude

sunglasses://what-is-skillcloak/what-not-to-conclude
01

Do not conclude that Cisco confirmed the measurements. The measurements are from the researchers’ non-peer-reviewed preprint. No public Cisco response was found as of Jul 8, 2026.

02

Do not conclude that SkillCloak is an observed in-the-wild attack campaign. SkillCloak is a research red-team tool built to measure scanner robustness.

03

Do not conclude that static scanning is useless. The safer conclusion is narrower: static scanning can be evaded by structural obfuscation and packing, so scanner results should not be the only trust boundary for agent skills.

Why scanner evasion matters for agent skills

sunglasses://what-is-skillcloak/why-scanner-evasion-matters
Near authority

Agent skills sit near authority. They are not just ordinary files — they can describe tools, workflows, permissions, and instructions that downstream agents may rely on. If a malicious skill can keep its intent while changing the shape a scanner sees, then a clean scan is not enough to make the skill trustworthy.

The gap

SkillCloak matters because the reported measurements show a large gap between scanner performance before obfuscation and after it. The publication-safe lesson is not that one scanner failed forever. The lesson is that scanner-only confidence is fragile when an attacker can change the structure of a skill without changing the hostile intent the skill is meant to carry.

Table stakes

That does not mean scanners are bad. It means scanners are table stakes. A scanner is useful for finding known patterns, suspicious structure, and obvious unsafe behavior. But if a scanner is the whole trust model, the trust model inherits the scanner’s blind spots.

The framing

For agent skills, the stronger framing is authority-led, scanner-backed, and local: first decide what authority a skill is asking for, what instructions it is trying to introduce, and what trust boundary it wants to cross; then use scanning as one layer of evidence, not the final verdict. Scanning is table stakes; public tested attack patterns are the moat.

The honest scanner-limits lesson

sunglasses://what-is-skillcloak/honest-limits
Including ours

Static scanning has limits, including ours. A static scanner can inspect what is visible in the artifact it receives. SkillCloak’s reported result shows why that visibility can be changed: structural obfuscation and packing can alter what a scanner sees while preserving the underlying malicious purpose the researchers were testing. See what Sunglasses catches vs does not catch for our own stated limits.

The promise

An agent-skill security page should not promise perfect detection. A more accurate promise is narrower and stronger: treat scan results as one signal, keep the trust decision local, and compare agent-readable instructions against public tested attack patterns before letting a skill become authority. The durable advantage is publishing tested attack patterns, naming the evasion class clearly, and building local trust layers that assume scanner evasion will keep improving.

Practical trust model

sunglasses://what-is-skillcloak/practical-trust-model
Authority first

Ask what the skill is trying to make the agent believe, trust, call, suppress, or reveal.

Scanner second

Use scanners to catch known suspicious patterns, but do not treat a clean scan as proof of safety.

Local boundary

Keep the trust decision close to the workflow instead of outsourcing the whole decision to a remote or static verdict.

Pattern memory

Compare new skills against public tested attack patterns so the defense improves when evasion research improves.

Frequently asked questions

Is SkillCloak an in-the-wild attack?+
No. SkillCloak should be described as a research red-team tool, not an observed in-the-wild attack campaign. It is the researchers’ name for the scanner-evasion framework in the July 2026 arXiv preprint 2607.02357, “Cloak and Detonate.”
Did Cisco confirm the SkillCloak numbers?+
No public Cisco response was found as of Jul 8, 2026. The 98.6% to 10.1% detection drop is from the researchers’ own measurements in a non-peer-reviewed preprint and should not be attributed to Cisco.
Does SkillCloak prove scanners are useless?+
No. The safer conclusion is that scanner-only confidence is fragile. Scanning remains useful, but it should be one layer inside an authority-led, scanner-backed, local trust model — not the whole trust boundary.
What is the main takeaway for agent security teams?+
Do not let a clean static scan become the whole trust boundary. Treat agent skills as authority-bearing inputs, use scanners as evidence, and evaluate whether a skill is trying to introduce hostile instructions, suppress checks, or redirect secrets.

Sources

sunglasses://what-is-skillcloak/sources
Primary

“Cloak and Detonate: Scanner Evasion and Dynamic Detection of Agent Skill Malware,” arXiv:2607.02357 (v1 submitted Jul 2, 2026). Non-peer-reviewed preprint; the measurements are the researchers’ own.

Coverage

The Hacker News, Jul 6, 2026. No Cisco public response was found as of Jul 8, 2026.