- The paper introduces adaptive leakage and a closed-loop red team framework (Proteus) that iteratively mutates skills to bypass standard security audits.
- The paper demonstrates that Proteus achieves 40–90% attack success rates with steep learning curves, outperforming baseline mutation strategies.
- The paper highlights that structured, feedback-driven mutation significantly amplifies adversarial adaptation, raising systemic security concerns in agent skill ecosystems.
Proteus: Measuring Adaptive Leakage via Self-Evolving Red Teams for Agent Skill Auditing
Introduction and Context
The proliferation of LLM-driven agent skills—modular, third-party code and documentation packages that augment agent behavior—poses substantial security challenges for marketplaces, repositories, and deployment ecosystems. Traditional skill audits, dominated by static scans and prompt-level red teaming, are predominantly single-round, static analyses that do not model adaptive adversaries who learn from feedback and iteratively mutate their submissions. This omission potentially underestimates a key security risk: adaptive leakage, where an attacker, guided by audit and runtime diagnostics, iteratively revises a skill to bypass vetting while inducing verified runtime harm.
The paper "Proteus: A Self-Evolving Red Team for Agent Skill Ecosystems" (2605.11891) formulates adaptive leakage as a concrete deployment risk, presenting Proteus, a defender-agnostic, closed-loop, feedback-driven red-team framework for adversarial evaluation of agent skill vetting pipelines.
Proteus Framework: System Architecture and Attack Surface
Proteus operationalizes the adaptive attack scenario through four coupled design elements:
- Defender-Agnostic Round Contract: Each candidate skill is evaluated over an audit–sandbox–oracle pipeline, yielding a decision quadruple: ⟨b,ℓ,F,R⟩, where b marks audit bypass, ℓ signals oracle-verified runtime lethality, F is the structured audit finding list, and R is synthesized runtime advice.
- Five-Axis Attack Surface: Proteus formalizes skill mutability over five axes: attack objective o, skill-chain topology Ď„, code c, side-effect channel Îş, and documentation d. This enables joint mutation of both code and documentation layers, encompassing substantially more adversarial flexibility than prompt-only attacks.
- Self-Evolving Red Team Agent: Implemented as a multi-tool LLM agent loop, the mutator consumes structured audit findings and runtime trace as in-context side information to generate cross-round mutations. Its toolset enables retrieval of benign skill exemplars, attack-log mining, repository context extraction, and code-offload primitives.
- Three-Layer Evolution Process: Proteus supports three nested search modes—free discovery (diversifying mutation vectors for a fixed objective and topology), path expansion (alternative implementations for a fixed objective), and surface expansion (pattern transfer across attack categories).
The attacker's capability crucially depends on the availability of greybox feedback: open-source auditors expose findings and rule rationale, enabling feedback-guided learning.
Figure 1: Proteus system overview, showing graph-guided chain composition feeding the feedback-driven mutation agent operating within an audit–sandbox–oracle contract.
Methodology: Adaptive Feedback Loop and Graph-Guided Composition
Proteus utilizes a graph-guided chain composition mechanism, constructed from a large skill graph (e.g., ClawHub), to create coherent attack chains by composing skills along operationally plausible sourceb0sink risk pathways. The agent accesses this graph to synthesize multi-hop skill attack chains that mimic benign workflows but embed adversarial intent, thereby evading heuristics based on narrative coherence or chain structure.
Each adaptive attack round proceeds as follows:
- The mutator agent ingests prior round findings and runtime feedback.
- It samples from its compositional and retrieval tools to propose a mutated skill variant, potentially incorporating benign skill exemplars, alternate attack primitives, or documentation rewrites.
- The variant is evaluated through the pipeline, and detailed findings are aggregated into the per-run attack log.
Self-evolution is characterized by: (1) increasing attack success rates over rounds (ASR@t), (2) positive learning curve slope (LCS) reflecting per-round improvement, and (3) strategy diversity growth (SDG), measured by the cumulative count of unique mutation operator sets applied.
Experimental Evaluation: Attack Efficacy and Baseline Comparison
Evaluation Protocol
The evaluation spans multiple configurations using two public skill auditors—SkillVetter (SV) and Tencent AI-Infra-Guard (AIG)—against two target agent backbones (GLM-5 and GPT-5.4-mini) and two mutator LLMs (DeepSeek-V4-Pro and Kimi-2.6), covering a stratified catalog of attack types (e.g., data exfiltration, persistence, privilege escalation).
Across eight (mutator, target, defender) cells with b1 seeds per cell and five attack rounds (b2), Proteus demonstrates high attack success—achieving 40–90% ASR@5 depending on auditor and configuration.
Figure 2: ASR@b3 trajectories highlight rapid iterative bypass of both SkillVetter (top) and AIG (bottom), with consistently positive learning curve slopes, especially under stricter static-analysis auditors.
Proteus outperforms baseline attackers (random mutation, zero-shot LLM, scalar-feedback blackbox), which plateau at under 50% ASR@5 with negligible cross-round learning, whereas Proteus achieves both higher final ASR and an order-of-magnitude steeper learning slope (b4 vs. b5).
Expansion and Generalization
Path expansion (diverse instantiations of a single attack vector) and surface expansion (cross-category pattern transfer) result in 438 jointly bypassing, oracle-lethal skill variants. Notably, SkillVetter is bypassed at b6 across all surface expansion cells, and the more robust AIG auditor admits up to 41.3% joint-success on the toughest configuration.
Figure 3: Surface expansion metrics, showing the distribution of successful variants by attack objective and the split between path and surface expansion across configurations.
In a cross-auditor transfer test, 87.7% of AIG-evolved b7 (bypass+lethal) skills also bypass SkillVetter without additional mutation. This confirms that adaptive leakage is not auditor-specific; red-teamers trained on one defender's feedback channel extract strategies that generalize across vetting implementations.
Analysis of Key Mechanisms
Feedback-Driven Mutation vs. Scalar Reward
Proteus demonstrates that detailed, structured feedback (reason codes, severity, evidence) used as in-context conditioning is substantially more effective than traditional scalar-reward RL paradigms. Ablation experiments show that providing only scalar accept/reject feedback slashes both success rate and learning efficiency, underscoring the risk of structured signal leakage through open-source or overly verbose audit feedback channels.
Chain-Topology and Attack Diversity
Graph-guided compositional reasoning, rather than unconstrained LLM generation, is critical for synthesizing attack chains that evade narrative and structural coherence checks employed by SOTA auditors. Forcing single-skill topology eliminates successful bypasses under stricter static auditors, validating the necessity of explicit chain-topology factorization in skill security evaluations.
Figure 4: Histogram depicting the round index of first b8 (bypass+lethal) per cell, highlighting that for AIG, feedback-driven adaptation is essential to break through the static-analysis audit floor.
Implications and Forward Outlook
Proteus empirically demonstrates that current agent-skill vetting practices significantly underestimate deployment risk under adaptive, feedback-driven attackers. The residual leakage—quantified by Proteus—persists even under the strongest public auditors evaluated, and successful attack motifs are transferable across audit implementations. This exposes two systemic concerns:
- Structured Feedback Amplifies Adversarial Adaptation: The publication of structured audit findings (as promoted by open-source transparency norms) creates latent information channels that attackers can exploit for arbitrary cross-round improvement.
- Auditor-Specific Fixation is Inadequate: Defensive interventions must avoid overfitting to current skill vetting paradigms, as transferable evasion emerges under sufficiently flexible adaptive attackers.
The practical implication is that agent-skill marketplaces and ecosystem maintainers must account for adversarial adaptation in their risk models, possibly by limiting the feedback granularity provided to submitters, integrating dynamic or ML-based anomaly detectors, and treating audit approval as only one link in a multilayered security chain.
Theoretically, Proteus frames adaptive leakage as a formal, measurable quantity, establishing new ground for future comparative evaluations of skill vetting systems and opening avenues for research on auditor hardening, dynamic defense, and adversarial coevolution.
Conclusion
Proteus defines an explicit benchmark for measuring adaptive attacker risk in agent skill ecosystems, showing attack success rates and learning curves far surpassing those observed in static or feedback-impoverished red-teaming settings. The evidence for high adaptive leakage, cross-auditor transferability, and the pivotal role of structured audit feedback points toward a pressing need for robustification of agent skill security pipelines. Future directions include symmetric auditor generalization, refined cost modeling, adversarial arms-race simulation, and integration of more diverse mutator models.
Reference:
"Proteus: A Self-Evolving Red Team for Agent Skill Ecosystems" (2605.11891)