Technical description
Researchers at Zhejiang University disclosed Semantic Compliance Hijacking (SCH), a payload-less supply chain attack targeting autonomous coding agents. The attack translates malicious goals into unstructured natural language instructions formatted as compliance rules, causing agents to generate and execute unauthorized code at runtime. Because SCH omits recognizable code payloads and Abstract Syntax Tree signatures, manipulated skill files maintained a 0.00% detection rate against current scanning tools.
Attack vector
Attackers embed natural-language instructions disguised as necessary compliance rules within agent skill description files distributed through marketplaces like ClawHub. When an agent loads the skill, it treats the embedded instructions as authoritative operational directives and synthesizes malicious code dynamically. The attack achieved peak success rates of 77.67% for confidentiality breaches and 67.33% for remote code execution across three mainstream agent frameworks (OpenClaw, Claude Code, Codex) and three foundation models.
Affected systems
AI agent frameworks that load third-party skills from open marketplaces, including OpenClaw, Claude Code, Codex, and similar agentic systems with skill-loading architectures. The attack bypasses current Static Application Security Testing (SAST) tools and skill scanners like SkillScan.
Mitigation
Transition from signature-based skill scanning to semantic intent validation. Audit skill sources and restrict skill installation to vetted repositories. Implement runtime monitoring of agent-generated code before execution. Apply least-privilege execution contexts for agent workloads. Review agent system-level privileges—file system access, shell command execution, network connectivity—and enforce sandboxing where feasible.