Critical Security Flaw: AI Agent Skills Bypass Test Suite Scanners, Enabling RCE Attacks
Key Takeaways
- AI agent skill installers copy entire skill directories verbatim into projects, including test files that bypass security scanners and analysis tools
- Jest's and Vitest's default configurations discover test files recursively across the entire project, including within .agents/, .claude/, and .cursor/ directories, with no exclusion lists for these folders
- Current security scanners analyze only SKILL.md documentation and explicitly declared scripts, missing malicious payloads hidden in test-file format
Summary
Security research has uncovered a critical vulnerability in AI agent skill installation systems that allows remote code execution (RCE) through malicious test files hidden in skill packages. The attack exploits a gap between security scanners—which analyze skill documentation files—and test runners like Jest and Vitest, which automatically discover and execute test files anywhere in the project directory, including within skill directories. When developers install seemingly legitimate skills from public marketplaces like ClawHub, they unknowingly introduce executable payloads bundled as test files that run with full local permissions during routine test suite execution.
The vulnerability affects multiple AI agent platforms including Claude Code, Cursor, Codex CLI, and Gemini CLI, which all support SKILL.md-based skill installation. Current security solutions from vendors like Snyk, Cisco, and VirusTotal focus on analyzing skill documentation and instruction content, but none examine the test files bundled with skills. Test runners including Jest (v29+) and Vitest (v0.25.3+) are configured to discover tests in dot-prefixed directories (like .agents/, .claude/, .cursor/) by default, and neither maintains exclusion patterns for these agent directories. This creates a direct pathway from a malicious skill package to code execution on a developer's machine or CI/CD pipeline.
The attack requires minimal deception: a well-documented skill with legitimate SKILL.md content can silently execute arbitrary code via beforeAll hooks in test files during npm test or CI/CD pipeline runs.
Editorial Opinion
This vulnerability exposes a fundamental blind spot in the emerging AI agent ecosystem. While security vendors have raced to analyze skill instructions and documentation, they've overlooked that test runners treat bundled test files as first-class citizens. The issue isn't new (similar patterns have been exploited in other package ecosystems), but the rapid adoption of AI agent skills without mature security infrastructure creates significant risk. Developers and tool vendors must immediately implement exclusion patterns for agent directories in test runners and establish signature-based or behavioral analysis for skill payloads.
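The exclusion-pattern mitigation above, as an added example (not code from the article, nor from Jest or Vitest): it approximates Jest's default test discovery over a constructed project layout to show which files a routine `npm test` would execute under the default ignore list versus a hardened one, plus a small check a CI job could run to flag test files living under agent directories. The sample paths, the `.claude/.agents/.cursor` skill layout, and the helper names are assumptions.

```javascript
// Added example: simulates Jest test discovery to show the skill-directory gap
// and the hardened testPathIgnorePatterns that closes it. Paths are constructed.

// Approximation of Jest's default testMatch: files under __tests__/ or
// named *.test.* / *.spec.* with a .js/.jsx/.ts/.tsx extension.
function isTestFile(p) {
  const base = p.slice(p.lastIndexOf("/") + 1);
  const inTestsDir = /\/__tests__\//.test(p) && /\.[jt]sx?$/.test(base);
  const namedTest = /(^|\.)(test|spec)\.[jt]sx?$/.test(base);
  return inTestsDir || namedTest;
}

// Jest's documented default: only node_modules is ignored.
const JEST_DEFAULT_IGNORE = ["/node_modules/"];

// Hardened list: also skip the agent directories named in the article.
// Entries are regex strings matched against the full path, as Jest does.
const JEST_HARDENED_IGNORE = ["/node_modules/", "/\\.(agents|claude|cursor)/"];

// Vitest uses globs instead; the equivalent entry in vitest.config.ts would be
//   test: { exclude: [...configDefaults.exclude, "**/.{agents,claude,cursor}/**"] }

// Test files a Jest run would execute from `paths` under a given ignore list.
function testsJestWouldRun(paths, ignorePatterns) {
  const ignore = ignorePatterns.map((re) => new RegExp(re));
  return paths.filter((p) => isTestFile(p) && !ignore.some((re) => re.test(p)));
}

// CI check: test files that would run from inside an agent/skill directory.
function testFilesInAgentDirs(paths) {
  return testsJestWouldRun(paths, JEST_DEFAULT_IGNORE)
    .filter((p) => /\/\.(agents|claude|cursor)\//.test(p));
}

// Constructed sample project (absolute paths, as Jest sees them).
const SAMPLE_PATHS = [
  "/proj/src/app.test.js",
  "/proj/src/__tests__/util.ts",
  "/proj/node_modules/dep/index.test.js",
  "/proj/.claude/skills/deploy-helper/SKILL.md",
  "/proj/.claude/skills/deploy-helper/helper.test.js",
  "/proj/.agents/skills/lint/__tests__/lint.spec.ts",
  "/proj/.cursor/rules/notes.md",
];

console.log("default config runs:", testsJestWouldRun(SAMPLE_PATHS, JEST_DEFAULT_IGNORE));
console.log("hardened config runs:", testsJestWouldRun(SAMPLE_PATHS, JEST_HARDENED_IGNORE));
console.log("flag in CI:", testFilesInAgentDirs(SAMPLE_PATHS));
```

Under the default list the two skill-bundled test files run alongside the project's own; under the hardened list only the project's tests remain.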