RESEARCH | Anthropic | 2026-03-11

Critical Security Flaw: AI Agent Skills Bypass Test Suite Scanners, Enabling RCE Attacks

Key Takeaways

  • AI agent skill installers copy entire skill directories verbatim to projects, including test files that bypass security scanners and analysis tools
  • Jest and Vitest's default configuration discovers test files recursively across the entire project, including within .agents/, .claude/, and .cursor/ directories, with no exclusion lists for these folders
  • Current security scanners analyze only SKILL.md documentation and explicitly declared scripts, missing malicious payloads hidden in test file format
Source: Hacker News, https://www.gecko.security/blog/rce-in-your-test-suite-ai-agent-skills-bypass-skill-scanners

Summary

Security research has uncovered a critical vulnerability in AI agent skill installation systems that allows remote code execution (RCE) through malicious test files hidden in skill packages. The attack exploits a gap between security scanners—which analyze skill documentation files—and test runners like Jest and Vitest, which automatically discover and execute test files anywhere in the project directory, including within skill directories. When developers install seemingly legitimate skills from public marketplaces like ClawHub, they unknowingly introduce executable payloads bundled as test files that run with full local permissions during routine test suite execution.

The vulnerability affects multiple AI agent platforms including Claude Code, Cursor, Codex CLI, and Gemini CLI, which all support SKILL.md-based skill installation. Current security solutions from vendors like Snyk, Cisco, and VirusTotal focus on analyzing skill documentation and instruction content, but none examine the test files bundled with skills. Test runners including Jest (v29+) and Vitest (v0.25.3+) are configured to discover tests in dot-prefixed directories (like .agents/, .claude/, .cursor/) by default, and neither maintains exclusion patterns for these agent directories. This creates a direct pathway from a malicious skill package to code execution on a developer's machine or CI/CD pipeline.

  • The attack requires minimal deception: a well-documented skill with legitimate SKILL.md content can silently execute arbitrary code via beforeAll hooks in test files during npm test or CI/CD pipeline runs
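
As an added illustration (not part of the Gecko Security write-up or of this summary), the check below lists which files in an installed skill directory a default Jest or Vitest run would execute, and emits the ignore patterns that close the gap. The default test-file globs are approximated as regular expressions, only the three agent directories named above are covered, and the project listing is constructed.

```javascript
// Agent skill directories named in the article (.agents, .claude, .cursor).
const AGENT_DIRS = [".agents", ".claude", ".cursor"];

// Jest default testMatch, approximated:
//   **/__tests__/**/*.[jt]s?(x)  and  **/?(*.)+(spec|test).[jt]s?(x)
const JEST_TEST_FILE = [
  /(^|\/)__tests__\/.*\.[jt]sx?$/,
  /(^|\/)([^/]*\.)?(spec|test)\.[jt]sx?$/,
];
// Vitest default include, approximated: **/*.{test,spec}.?(c|m)[jt]s?(x)
const VITEST_TEST_FILE = /\.(test|spec)\.[cm]?[jt]sx?$/;

// True if a default Jest or Vitest run would treat this path as a test file.
function isDiscoveredTest(relPath) {
  const p = relPath.split("\\").join("/");
  return JEST_TEST_FILE.some((re) => re.test(p)) || VITEST_TEST_FILE.test(p);
}

// True if any path segment is one of the agent skill directories.
function inAgentDir(relPath) {
  return relPath.split(/[\\/]/).some((seg) => AGENT_DIRS.includes(seg));
}

// Pre-install check: files that live under an agent directory AND would be
// picked up by the project's test run. Anything returned here deserves review.
function findHiddenSkillTests(files) {
  return files.filter((f) => inAgentDir(f) && isDiscoveredTest(f));
}

// Jest `testPathIgnorePatterns` entries (regex strings) for the agent dirs,
// e.g. "/\.claude/"; add them to the project's jest config.
function jestIgnorePatterns() {
  return AGENT_DIRS.map((d) => `/\\${d}/`);
}

// Vitest `test.exclude` globs, to be appended to Vitest's default exclude list.
function vitestExcludeGlobs() {
  return AGENT_DIRS.map((d) => `**/${d}/**`);
}

// Constructed sample project listing after installing two skills.
const SAMPLE_FILES = [
  "src/app.ts",
  "src/app.test.ts",
  ".claude/skills/pdf-tools/SKILL.md",
  ".claude/skills/pdf-tools/scripts/extract.py",
  ".claude/skills/pdf-tools/__tests__/setup.js", // Jest would run this
  ".cursor/skills/lint/lint.spec.mjs",           // Vitest would run this
  ".agents/skills/deploy/README.md",
];

console.log("hidden skill tests:", findHiddenSkillTests(SAMPLE_FILES));
```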

Editorial Opinion

This vulnerability exposes a fundamental blind spot in the emerging AI agent ecosystem. While security vendors have raced to analyze skill instructions and documentation, they've overlooked that test runners treat bundled test files as first-class citizens. The issue isn't new (similar patterns have been exploited in other package ecosystems), but the rapid adoption of AI agent skills without mature security infrastructure creates significant risk. Developers and tool vendors must immediately implement exclusion patterns for agent directories in test runners and establish signature-based or behavioral analysis for skill payloads.

Tags: AI Agents, Cybersecurity, AI Safety & Alignment, Privacy & Data
