It's not about cloning an existing skeleton key though: it's about converting a regular room key into a skeleton key.
If the locks use some form of public key cryptography where the key card stores the access granted along with a digital signature covering that access made with a private key, it isn't immediately obvious how you'd change the access permissions on a card without knowing the private key.
So you're probably looking at a non-trivial vulnerability. Maybe they discovered a way to get the lock to accept an unsigned access grant. Maybe they discovered a way to produce hash collisions to reuse the signature from the normal key. Maybe they discovered a buffer overflow vulnerability in the lock's software that turns bad signatures into good ones.
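The signed-grant design described in the comment above, sketched as an added example that is not part of the original comment and not any vendor's code: the lock holds only a public key and fails closed on unsigned or edited grants. The key (a toy textbook-RSA key far too small for real use), the card layout and every function name are assumptions made for illustration.

```python
import hashlib

# Toy RSA key built from two Mersenne primes (constructed for this example;
# far too small for real use). The issuer keeps D; locks only hold (N, E).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def encode_grant(rooms, expires):
    """Canonical byte encoding of the access grant stored on the card.
    Assumes room names contain no ',' ';' or '=' characters."""
    return ("rooms=" + ",".join(sorted(rooms)) + ";expires=" + expires).encode()

def digest(grant):
    # Truncate SHA-256 to 128 bits so the value is always smaller than N
    # (a shortcut for the toy key, not something a real scheme would do).
    return int.from_bytes(hashlib.sha256(grant).digest()[:16], "big")

def issue_card(rooms, expires):
    """Front-desk encoder: the only place the private exponent D is used."""
    grant = encode_grant(rooms, expires)
    return {"grant": grant, "sig": pow(digest(grant), D, N)}

def lock_accepts(card, room, today):
    """Lock-side check using only the public key. Fails closed."""
    grant, sig = card.get("grant"), card.get("sig")
    if not isinstance(grant, bytes) or not isinstance(sig, int):
        return False  # unsigned or malformed card
    if not 0 < sig < N or pow(sig, E, N) != digest(grant):
        return False  # signature does not cover this exact grant
    # Only parse the grant after the signature has been verified.
    fields = dict(f.split("=", 1) for f in grant.decode().split(";"))
    return room in fields["rooms"].split(",") and today <= fields["expires"]

if __name__ == "__main__":
    card = issue_card(["412"], "2030-01-05")  # constructed sample card
    edited = dict(card, grant=encode_grant(["412", "413"], "2030-01-05"))
    print(lock_accepts(card, "412", "2030-01-03"))    # signed grant, right room
    print(lock_accepts(edited, "413", "2030-01-03"))  # grant edited, old signature
```

Under this design, widening the grant requires a new signature, so a lock that accepts the edited card has a flaw in the verification path itself, which is the class of bug the comment speculates about.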