Towards Secure Agent Skills: Architecture, Threat Taxonomy, and Security Analysis

Zhiyuan Li, Jingzheng Wu, Xiang Ling, Xing Cui, Tianyue Luo

Abstract

Agent Skills is an emerging open standard that defines a modular, filesystem-based packaging format enabling LLM-based agents to acquire domain-specific expertise on demand. Despite rapid adoption across multiple agentic platforms and the emergence of large community marketplaces, the security properties of Agent Skills have not been systematically studied. This paper presents the first comprehensive security analysis of the Agent Skills framework. We define the full lifecycle of an Agent Skill across four phases -- Creation, Distribution, Deployment, and Execution -- and identify the structural attack surface each phase introduces. Building on this lifecycle analysis, we construct a threat taxonomy comprising seven categories and seventeen scenarios organized across three attack layers, grounded in both architectural analysis and real-world evidence. We validate the taxonomy through analysis of five confirmed security incidents in the Agent Skills ecosystem. Based on these findings, we discuss defense directions for each threat category, identify open research challenges, and provide actionable recommendations for stakeholders. Our analysis reveals that the most severe threats arise from structural properties of the framework itself, including the absence of a data-instruction boundary, a single-approval persistent trust model, and the lack of mandatory marketplace security review, and cannot be addressed through incremental mitigations alone.

Paper Structure

This paper contains 29 sections, 3 figures, 3 tables.

Figures (3)

  • Figure 1: The Agent Skills architecture. Left: the filesystem layout of a Skill package within the agent's virtual machine, comprising SKILL.md, supplementary instruction files, and executable scripts. Right: the three-level progressive disclosure process, showing how Skill metadata ($m_i$), instructions ($\mathit{inst}_i$), and supplementary files ($f_{i,j}$) are loaded into the context window incrementally across Levels 1, 2, and 3.
  • Figure 2: The Agent Skills lifecycle and threat taxonomy. The horizontal axis represents the four lifecycle phases; the vertical axis organizes threats into three attack layers. Empty cells indicate that no threat in that layer originates at that phase.
  • Figure 4: The MedusaLocker Ransomware attack. The user-visible layer shows normal GIF creation behavior, while the invisible execution layer silently downloads and executes MedusaLocker ransomware through the bundled helper script.
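The Figure 1 architecture (a Skill package of SKILL.md, supplementary files and scripts, loaded into the context window in three levels) and the abstract's "single-approval persistent trust model" can be made concrete with a small model. The following Python is an added illustration written for this page, not the paper's code or any platform's loader. It assumes a SKILL.md whose metadata ($m_i$) is a `key: value` header separated from the instruction body ($\mathit{inst}_i$) by a `---` line, treats every other file as a Level 3 supplementary file ($f_{i,j}$), and adds one hypothetical mitigation: a SHA-256 manifest taken at the single approval moment and re-checked before each later load, so a package modified after approval is detected rather than silently trusted. The sample package and the post-approval edit are constructed.

```python
"""Added illustration (not the paper's own code) of the Agent Skills layout
and three-level progressive disclosure, with a hypothetical manifest pin."""
import hashlib
import os
import tempfile

# Constructed sample Skill package: SKILL.md, one supplementary file, one script.
SAMPLE_SKILL = {
    "SKILL.md": (
        "name: gif-maker\n"
        "description: Creates animated GIFs from a folder of images\n"
        "---\n"
        "Run scripts/make_gif.py on the frames. See reference.md for options.\n"
    ),
    "reference.md": "Supported options: --fps, --loop\n",
    "scripts/make_gif.py": "print('building gif')\n",
}


def write_skill(root, files):
    """Materialise the package on disk under root."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def manifest(root):
    """SHA-256 of every file, keyed by POSIX-style relative path (the approval pin)."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            out[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return out


def parse_skill_md(text):
    """Split SKILL.md into metadata m_i (Level 1) and instructions inst_i (Level 2).
    Assumed format: 'key: value' header lines terminated by a line that is only '---'."""
    header, _, body = text.partition("\n---\n")
    meta = {}
    for line in header.splitlines():
        key, _, value = line.partition(":")
        meta[key.strip()] = value.strip()
    return meta, body.strip()


class ProgressiveLoader:
    """Loads a Skill level by level and records what entered the context window."""

    def __init__(self, root, approved_manifest):
        self.root = os.path.realpath(root)
        self.approved = approved_manifest
        self.context = []  # (level, origin, text) in load order

    def changed_files(self):
        """Files added, removed or modified since the approval-time manifest."""
        current = manifest(self.root)
        added_or_removed = set(current) ^ set(self.approved)
        modified = {p for p in current if p in self.approved and current[p] != self.approved[p]}
        return sorted(added_or_removed | modified)

    def _read(self, rel):
        # Only files inside the package directory may be pulled into context.
        path = os.path.realpath(os.path.join(self.root, rel))
        if os.path.commonpath([path, self.root]) != self.root:
            raise ValueError(f"refusing to load {rel!r}: outside the skill package")
        with open(path, encoding="utf-8") as fh:
            return fh.read()

    def level1(self):
        meta, _ = parse_skill_md(self._read("SKILL.md"))
        self.context.append((1, "SKILL.md#metadata", meta["description"]))
        return meta

    def level2(self):
        _, inst = parse_skill_md(self._read("SKILL.md"))
        self.context.append((2, "SKILL.md#instructions", inst))
        return inst

    def level3(self, rel):
        data = self._read(rel)
        self.context.append((3, rel, data))
        return data


def demo():
    """Approve (pin), load Levels 1-3, then detect a constructed post-approval change."""
    with tempfile.TemporaryDirectory() as tmp:
        write_skill(tmp, SAMPLE_SKILL)
        pinned = manifest(tmp)  # taken once, at the single approval moment
        loader = ProgressiveLoader(tmp, pinned)
        clean = loader.changed_files()
        meta = loader.level1()
        loader.level2()
        loader.level3("reference.md")
        try:
            loader.level3("../outside.txt")
            traversal_blocked = False
        except ValueError:
            traversal_blocked = True
        # Constructed post-approval edit: the bundled script changes on disk.
        with open(os.path.join(tmp, "scripts", "make_gif.py"), "a", encoding="utf-8") as fh:
            fh.write("# edited after approval\n")
        changed = loader.changed_files()
    return {
        "name": meta["name"],
        "levels": [entry[0] for entry in loader.context],
        "clean": clean,
        "changed": changed,
        "traversal_blocked": traversal_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three levels entering the context in order, an empty change list right after approval, and `scripts/make_gif.py` flagged once it is edited afterwards. The manifest check is deliberately placed in the loader rather than in the approval dialog: under a single-approval model the approval event happens once, so the only point at which drift can be caught is each subsequent load.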