Malicious Agent Skills in the Wild: A Large-Scale Security Empirical Study

Abstract

Third-party agent skills extend LLM-based agents with instruction files and executable code that run on users' machines. Skills execute with user privileges and are distributed through community registries with minimal vetting, but no ground-truth dataset exists to characterize the resulting threats. We construct the first labeled dataset of malicious agent skills by behaviorally verifying 98,380 skills from two community registries, confirming 157 malicious skills with 632 vulnerabilities. These attacks are not incidental. Malicious skills average 4.03 vulnerabilities across a median of three kill chain phases, and the ecosystem has split into two archetypes: Data Thieves that exfiltrate credentials through supply chain techniques, and Agent Hijackers that subvert agent decision-making through instruction manipulation. A single actor accounts for 54.1\% of confirmed cases through templated brand impersonation. Shadow features, capabilities absent from public documentation, appear in 0\% of basic attacks but 100\% of advanced ones; several skills go further by exploiting the AI platform's own hook system and permission flags. Responsible disclosure led to 93.6\% removal within 30 days. We release the dataset and analysis pipeline to support future work on agent skill security.

Repository Summary

This work focuses specifically on deliberately malicious skills, building a large-scale auditing pipeline and dataset to identify concrete attack behaviors such as credential theft, agent hijacking, and other ecosystem-level abuse patterns.

Bibliographic Data

Title

Malicious Agent Skills in the Wild: A Large-Scale Security Empirical Study

Authors

Yi Liu, Zhihao Chen, Yanjun Zhang, Gelei Deng, Yuekang Li, Jianting Ning, Ying Zhang, Leo Yu Zhang

Publication date

2026/02/06

Identifier

arXiv:2602.06547

DOI

10.48550/arXiv.2602.06547

PDF size

517 KB