Papers
Topics
Authors
Recent
Search
2000 character limit reached

SkillCloak: Multimodal Hidden Instruction Attack

Updated 4 July 2026
  • SkillCloak is a multimodal attack where malicious instructions are hidden in images bundled with rewritten skill documentation.
  • It exploits the integration of visual and textual cues in agent skill packages, enabling attackers to bypass traditional security scanners.
  • ExecScan, an execution-grounded defense, significantly reduces attack success rates by jointly analyzing text, code, and visual content.

Searching arXiv for the cited papers to ground the article in the latest preprints. SkillCloak is best understood as a paraphrase or alternate label for SkillCamo, the document-mediated multimodal hidden-instruction attack introduced in "Seeing Is Not Screening: Multimodal Hidden Instruction Attacks on Agent Skill Scanners" (Jia et al., 16 Jun 2026). In this threat model, an attacker packages a seemingly benign agent skill whose malicious operational instructions are concealed in images bundled with a skill package, while the surrounding documentation is rewritten so those images appear to be ordinary setup figures, workflow diagrams, screenshots, or usage examples. Because multimodal agents can jointly read text and images at runtime, the harmful payload is recoverable during execution even when current skill scanners rely primarily on textual artifacts, manifests, metadata, source code, permissions, and dependency signals. This establishes SkillCloak as a multimodal supply-chain attack on the skill layer of LLM agents rather than a conventional prompt-only or code-only exploit (Jia et al., 16 Jun 2026).

1. Conceptual position within the agent skill layer

Agentic systems increasingly rely on reusable procedural capabilities, or agentic skills, to execute long-horizon workflows. A formal definition given in "SoK: Agentic Skills -- Beyond Tool Use in LLM Agents" models a skill as

S=(C,Ï€,T,R),S = (C, \pi, T, R),

where CC is the applicability condition, π\pi is the executable policy, TT is the termination condition, and R=(name,params,returns)R=(name, params, returns) is the callable interface (Jiang et al., 24 Feb 2026). The same paper emphasizes that skills are reusable, executable, context-gated, and governable, and that the skill layer spans discovery, practice, distillation, storage, composition, evaluation, and update (Jiang et al., 24 Feb 2026).

Within that lifecycle, SkillCloak targets the packaging and distribution substrate. The main attack paper frames an agent skill as a package of artifacts—typically a SKILL.md document plus optional code and resources—that an LLM agent loads on demand (Jia et al., 16 Jun 2026). A plausible implication is that the attack surface arises precisely because skills are not merely prompts or tools, but packaged behavioral modules that can include documentation, executable logic, and auxiliary resources. This interpretation is consistent with the SoK’s design-pattern taxonomy, especially hybrid NL+code macros and plugin / marketplace distribution, both of which introduce risk from malicious packaging and supply-chain compromise (Jiang et al., 24 Feb 2026).

A common misconception is that SkillCloak denotes an image-only exploit. The attack paper states the opposite: the attack does not rely on the image alone, but on the joint interpretation of textual guidance and visual payload at execution time (Jia et al., 16 Jun 2026). Text alone may look harmless; the image alone may not look dangerous; the malicious behavior emerges when a multimodal agent combines them during skill use.

2. Formal skill-package model and attack construction

The attack is defined over a skill package represented as

S={M,C,R},\mathcal{S}=\{M,C,R\},

where MM is textual material such as SKILL.md and metadata, CC is executable code or scripts, and RR is auxiliary resources such as images and screenshots (Jia et al., 16 Jun 2026). From a benign base skill, the attacker constructs an adversarial package

S~={M~,Cb,R~},\tilde{\mathcal{S}}=\{\tilde{M}, C_b, \tilde{R}\},

where CC0 is rewritten documentation and CC1 adds an injected image CC2 carrying the hidden instruction (Jia et al., 16 Jun 2026). The objective is stated as

CC3

meaning that the skill remains malicious in execution while the scanner fails to flag it (Jia et al., 16 Jun 2026).

The pipeline begins with skill-context analysis. The original SKILL.md is analyzed to derive a structural context

CC4

where CC5 is the skill purpose, CC6 the section hierarchy, and CC7 layout-level insertion cues (Jia et al., 16 Jun 2026). This determines where an image can be inserted naturally.

The next step is image carrier construction. A harmful script CC8 is converted into a target command

CC9

then rendered as an image carrier π\pi0 (Jia et al., 16 Jun 2026). The paper defines three concealment strategies. In Full, the whole malicious instruction is embedded in the image. In Split, instruction fragments are divided between text and image, so only joint interpretation reconstructs the full instruction. In Cloze, key tokens are hidden in the image while the text provides a cloze-style context (Jia et al., 16 Jun 2026).

The image is then integrated through document semantic rewriting. Rather than inserting an isolated suspicious snippet, the whole SKILL.md is rewritten so the image appears as a normal part of the workflow:

Ï€\pi1

This makes the surrounding documentation naturally reference the image, so that it resembles a normal setup diagram or usage aid (Jia et al., 16 Jun 2026).

Finally, the paper introduces scanner-guided iterative refinement. The candidate skill is submitted to a scanner π\pi2; if flagged, the scanner’s output is compressed into rewrite feedback π\pi3, and the next version is generated by

Ï€\pi4

This progressively reduces suspicious surface cues while preserving the hidden visual payload (Jia et al., 16 Jun 2026).

3. Evasion mechanism and scanner blind spots

The empirical study in the attack paper finds that current defenses primarily rely on textual descriptions, manifests, and source code as the main signals for security analysis (Jia et al., 16 Jun 2026). More specifically, existing scanners mainly inspect textual artifacts, manifests, metadata, source code, permissions, and dependency signals (Jia et al., 16 Jun 2026). These defenses are effective against obvious malicious prompts in text, dangerous APIs or subprocess usage in code, suspicious dependencies, and direct prompt injection, but they leave image-based or multimodal content weakly examined (Jia et al., 16 Jun 2026).

SkillCloak exploits that asymmetry. Its malicious content is hidden in image resources, made plausible by the rewritten document, and only recoverable when multimodal reasoning reconstructs the intent at runtime (Jia et al., 16 Jun 2026). This creates what the paper calls a practical blind spot: harmful operational instructions hidden in images may bypass scanning while still being recoverable by multimodal agents during deployment (Jia et al., 16 Jun 2026).

The broader skill-security literature provides a supply-chain interpretation of this blind spot. The SoK identifies threats including poisoned skill retrieval, malicious skill payloads, cross-tenant leakage, skill drift exploitation, confused deputy via environmental injection, and applicability condition poisoning (Jiang et al., 24 Feb 2026). It also notes that malicious skill descriptions can look benign, that prompt-injection payloads may hide in natural-language skill text, and that overbroad applicability or malicious termination conditions can expand the attack surface (Jiang et al., 24 Feb 2026). SkillCloak extends this family of cloaking/evasion behaviors into the multimodal regime: the payload is concealed not only in language, but in the interaction between documentation and visual artifacts.

A second misconception is that the problem is unique to malicious images. A plausible implication is that the deeper issue is execution-time multimodal interpretation. This is reinforced by "VISUALSKILL: Multimodal Skills for Computer-Use Agents," which shows that multimodal agents can benefit when skill artifacts retain figures instead of verbalizing them away (Jiang et al., 16 Jun 2026). The same property that improves benign GUI skill use also enlarges the attack surface for hidden-in-image instructions.

4. ExecScan and execution-grounded multimodal defense

To defend against such attacks, the attack paper proposes ExecScan, an execution-grounded multimodal scanning framework (Jia et al., 16 Jun 2026). Its operational shift is from asking what a skill statically contains to asking what the skill would make an agent do. ExecScan jointly analyzes documentation, code, referenced resources, and visual content to recover hidden instructions, reconstruct executable behavior chains, and identify downstream risks such as exfiltration, destruction, persistence, deception, and privilege escalation (Jia et al., 16 Jun 2026).

The first stage is intent extraction. ExecScan infers the skill’s declared purpose, expected use cases, and access scope from SKILL.md, manifests, metadata, scripts, and bundled resources, producing a profile

Ï€\pi5

Here, π\pi6 summarizes the claimed purpose and access scope, π\pi7 reconstructs behavioral footprint, and π\pi8 estimates preliminary abuse risk (Jia et al., 16 Jun 2026).

The second stage is behavior reconstruction. ExecScan maps referenced scripts, files, environment access, and visual resources together. For images, it does not treat them as passive decorations; it asks whether they are functionally referenced by the workflow and whether they convey instruction-like content (Jia et al., 16 Jun 2026). This is the multimodal step that can surface hidden directives in images.

The third stage is abuse assessment. ExecScan evaluates whether the reconstructed behavior indicates exfiltration, destruction, persistence, deception, privilege escalation, or stealth (Jia et al., 16 Jun 2026). The assessment is grounded in concrete artifact evidence rather than surface wording.

The fourth stage is deliberative execution simulation. ExecScan constructs π\pi9 plausible usage scenarios TT0, then for each scenario recovers surface instructions TT1, latent instructions TT2 from images or cross-artifact composition, merges them into

TT3

and projects the execution chain

TT4

It then compares the risk of surface-only execution with the risk after latent instruction recovery:

TT5

The final detection score is

TT6

Thus a skill is flagged if any plausible execution path appears high-risk (Jia et al., 16 Jun 2026).

This defense model aligns with broader recommendations in the skill-systems literature. The SoK advocates trust-tiered execution, sandboxing, provenance signing, dependency auditing, continuous monitoring, and skill-native auditing tools such as Agent Skills Guard and SkillGuard (Jiang et al., 24 Feb 2026). A plausible implication is that ExecScan provides the multimodal, execution-grounded component that purely textual or code-centric auditing pipelines lack.

5. Experimental findings and empirical profile

The experiments in the attack paper are built on 100 benign base skills, 400 adversarial skills generated by four attacks per base skill, and 200 additional benign skills for false-positive evaluation (Jia et al., 16 Jun 2026). The evaluated scanners are Cisco Skill Scanner, HSS, Auditor, SlowMist, Vetter, SkillFortify, and ExecScan (Jia et al., 16 Jun 2026).

Against baseline scanners, SkillCamo achieves 78–100% ASR for the full-image variant, and the Cloze and Split variants still bypass multiple scanners at 20–97% (Jia et al., 16 Jun 2026). By contrast, ExecScan reduces ASR to 8% for the full-image SkillCamo variant, 31% for Cloze, and 17% for Split (Jia et al., 16 Jun 2026). The paper also reports that scanner-feedback iteration helps the attack against baselines, while ExecScan remains robust across iterations (Jia et al., 16 Jun 2026).

On adversarial plus benign evaluation, ExecScan achieves Precision: 85.6%, Recall: 82.0%, F1: 83.8%, and FPR: 27.4% (Jia et al., 16 Jun 2026). The paper states that this is the best overall trade-off among the evaluated scanners and that, compared with the next-best recall scanner, HSS, ExecScan improves recall by 17 points and reduces false positives by 63.5 points (Jia et al., 16 Jun 2026).

The ablation study isolates the role of multimodality. Removing visual analysis drops detection from 92% to 1%, showing that image reasoning is the key capability; removing execution simulation or multi-context reasoning hurts less, but still reduces robustness (Jia et al., 16 Jun 2026). The paper further reports that, with alternative models like claude-sonnet-4.6 or gemini-3-flash-preview, detection on the same 100 SkillCamo samples reaches 100% (Jia et al., 16 Jun 2026).

The malicious instruction pool used in the experiments includes payloads for environment exfiltration, SSH key dumping, cron-based persistence, network scanning, and Git credential exfiltration (Jia et al., 16 Jun 2026). This grounds the threat model in concrete downstream risks rather than abstract prompt manipulation.

6. Security implications, ecosystem relevance, and adjacent systems

The attack paper highlights several downstream risks enabled by hidden-in-image instructions: Exfiltration, Destruction, Persistence, Deception, and Privilege escalation (Jia et al., 16 Jun 2026). In the SoK’s broader framing, this fits the governance problem of skill-based agents, where marketplace-distributed or library-stored skills become a first-class software-like substrate requiring provenance, signing, verification, sandboxing, trust tiers, monitoring, and careful governance (Jiang et al., 24 Feb 2026).

The ClawHavoc case study in the SoK shows why the skill layer matters operationally. It reports 1,184 malicious skills found in the ClawHub registry, a separate audit finding 36.8% of published skills contained at least one security flaw, 12 publisher accounts involved, one account responsible for 677 packages, the top-downloaded skill artificially boosted by 4,000 fake downloads, and over 135,000 exposed OpenClaw instances across 82 countries (Jiang et al., 24 Feb 2026). The attack chain combined name squatting, malicious package distribution, prompt injection in documentation, confused deputy exploitation, and overbroad applicability (Jiang et al., 24 Feb 2026). A plausible implication is that SkillCloak should not be viewed as an isolated modality trick; it is a specialized multimodal extension of a broader skill supply-chain problem.

At the same time, multimodal skill artifacts are not inherently malicious. "VISUALSKILL: Multimodal Skills for Computer-Use Agents" presents a benign hierarchical multimodal skill library in which topic guides combine text with UI figures and are retrieved through a load_topic MCP tool (Jiang et al., 16 Jun 2026). That paper reports that retaining visual figures in the skill artifact can materially improve agent performance on GUI tasks (Jiang et al., 16 Jun 2026). The relevant distinction is not whether images are present, but whether scanners can analyze how textual workflow guidance and visual content jointly determine execution-time behavior.

Adjacent work on infrastructure also clarifies the limits of existing defenses. "SkCC: Portable and Secure Skill Compilation for Cross-Framework LLM Agents" treats SKILL.md as an emerging standard and introduces compile-time validation, Anti-Skill Injection, and platform-specific emission from a strongly typed intermediate representation (Ouyang et al., 5 May 2026). This suggests a complementary defense layer: static hardening and portability at compile time, combined with multimodal, execution-grounded scanning at security review time. A plausible implication is that secure skill ecosystems will require both compiler-style validation and agent-behavior reconstruction.

In summary, SkillCloak names a multimodal hidden-instruction attack in which malicious operational guidance is concealed in skill-bundled images and activated through jointly rewritten documentation and runtime multimodal interpretation (Jia et al., 16 Jun 2026). Its significance lies not only in scanner evasion, but in demonstrating that the skill artifact itself has become a multimodal attack surface.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to SkillCloak.