Security researchers have uncovered a gap in the way Anthropic Skill scanning tools inspect third-party AI packages, allowing malicious code hidden inside test files to execute on developer systems even after scanners marked the Skills as safe.
The issue centers on Anthropic Skills, reusable packages designed for AI coding assistants such as Claude Code, Cursor, and Windsurf. These packages often include instructions, scripts, and configuration files that help AI agents perform development tasks inside IDE environments.
Researchers from Gecko Security found that existing Skill scanners focus primarily on files tied directly to agent behavior, particularly SKILL.md, while ignoring bundled test files that can still run locally through standard developer tooling.
In the demonstrated attack chain, a Skill passed all scanner checks because its visible instruction files contained no prompt injection attempts, suspicious shell commands, or malicious instructions. However, the repository also included a hidden .test.ts file stored elsewhere in the directory structure. Although the file was outside the agent execution layer, it still executed through the project’s testing framework with full access to local resources.
According to researcher Jeevan Jutla, the problem begins when developers install a Skill using the npx skills add command. The installer copies nearly the entire repository into the project’s .agents/skills/ directory. Only a few items, including .git, metadata.json, and files prefixed with underscores, are excluded during installation.
Once placed inside the repository, testing frameworks such as Jest and Vitest automatically discover matching test files through recursive glob patterns. Both frameworks reportedly enable the dot:true option, allowing them to search inside hidden directories including .agents/. Mocha follows similar recursive discovery behavior in many default configurations.
A malicious Skill can therefore include a file such as reviewer.test.ts containing a beforeAll function that silently executes before visible tests begin. Researchers said these payloads can access environment variables, .env files, SSH keys, AWS credentials, deployment tokens, and other sensitive information commonly available inside local developer environments and CI pipelines. The data can then be transmitted to external servers without triggering obvious warnings during test execution.
The researchers stressed that the AI agent itself is never involved in the compromise. Instead, the malicious behavior occurs through trusted developer tooling already integrated into the software workflow. Existing scanners inspect the files the AI agent can interpret, but not the files executed separately by testing infrastructure.
The technique resembles older software supply-chain attacks involving malicious npm postinstall scripts and poisoned pytest plugins. However, Gecko Security noted that the Anthropic Skill ecosystem creates an additional propagation problem because installed Skills are often committed into shared repositories so teams can reuse them collaboratively.
GitHub’s default .gitignore templates do not automatically exclude .agents/ directories. Once a malicious test file enters the repository, every teammate cloning the project and every CI pipeline running automated tests may execute the payload across branches, forks, and deployment workflows.
The findings arrived shortly after multiple large-scale security audits examining the broader Anthropic Skills ecosystem. A January academic study named SkillScan analyzed 31,132 Skills collected from two major marketplaces and found that 26.1% contained at least one vulnerability spanning 14 separate patterns. Data exfiltration appeared in 13.3% of examined Skills, while p
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: