Papers
Topics
Authors
Recent
Search
2000 character limit reached

Proteus: A Self-Evolving Red Team for Agent Skill Ecosystems

Published 12 May 2026 in cs.CR and cs.AI | (2605.11891v1)

Abstract: Agent skills extend LLM agents with reusable instructions, tool interfaces, and executable code, and users increasingly install third-party skills from marketplaces, repositories, and community channels. Because a skill exposes both executable behavior and context-setting documentation, its deployment risk cannot be measured by single-shot audits or prompt-level red teams alone: a realistic attacker can use audit and runtime feedback to repeatedly rewrite the skill. We frame this risk as \emph{adaptive leakage} -- whether a budgeted attacker can iteratively revise a skill until it passes audit and produces verified runtime harm -- and present \ours{}, a grey-box self-evolving red-team framework for measuring it. Proteus searches a formalized five-axis skill-attack space. Each candidate is evaluated through a unified audit-sandbox-oracle pipeline that returns structured audit findings and runtime evidence to guide cross-round mutation. Beyond initial evasion, Proteus performs path expansion, which finds alternative implementations of successful attacks, and surface expansion, which transfers learned implementation patterns to new attack objectives beyond the original seed catalogue. Across eight phase-1 cells, Proteus reaches 40--90\% Attack Success Rate at $5$ rounds (ASR@5) with positive learning-curve slopes on both evaluated auditors. Phase-2 path/surface expansion produces 438 jointly bypassing and lethal variants, with SkillVetter bypassed at $\geq 93\%$ in every cell and AI-Infra-Guard, the strongest public auditor we evaluate, still admitting up to 41.3\% joint-success. These results show that current skill vetting substantially underestimates residual risk when evaluated against adaptive, feedback-driven attackers.

Authors (1)

Summary

  • The paper introduces adaptive leakage and a closed-loop red team framework (Proteus) that iteratively mutates skills to bypass standard security audits.
  • The paper demonstrates that Proteus achieves 40–90% attack success rates with steep learning curves, outperforming baseline mutation strategies.
  • The paper highlights that structured, feedback-driven mutation significantly amplifies adversarial adaptation, raising systemic security concerns in agent skill ecosystems.

Proteus: Measuring Adaptive Leakage via Self-Evolving Red Teams for Agent Skill Auditing

Introduction and Context

The proliferation of LLM-driven agent skills—modular, third-party code and documentation packages that augment agent behavior—poses substantial security challenges for marketplaces, repositories, and deployment ecosystems. Traditional skill audits, dominated by static scans and prompt-level red teaming, are predominantly single-round, static analyses that do not model adaptive adversaries who learn from feedback and iteratively mutate their submissions. This omission potentially underestimates a key security risk: adaptive leakage, where an attacker, guided by audit and runtime diagnostics, iteratively revises a skill to bypass vetting while inducing verified runtime harm.

The paper "Proteus: A Self-Evolving Red Team for Agent Skill Ecosystems" (2605.11891) formulates adaptive leakage as a concrete deployment risk, presenting Proteus, a defender-agnostic, closed-loop, feedback-driven red-team framework for adversarial evaluation of agent skill vetting pipelines.

Proteus Framework: System Architecture and Attack Surface

Proteus operationalizes the adaptive attack scenario through four coupled design elements:

  1. Defender-Agnostic Round Contract: Each candidate skill is evaluated over an audit–sandbox–oracle pipeline, yielding a decision quadruple: ⟨b,ℓ,F,R⟩\langle b, \ell, F, R\rangle, where bb marks audit bypass, ℓ\ell signals oracle-verified runtime lethality, FF is the structured audit finding list, and RR is synthesized runtime advice.
  2. Five-Axis Attack Surface: Proteus formalizes skill mutability over five axes: attack objective oo, skill-chain topology Ď„\tau, code cc, side-effect channel Îş\kappa, and documentation dd. This enables joint mutation of both code and documentation layers, encompassing substantially more adversarial flexibility than prompt-only attacks.
  3. Self-Evolving Red Team Agent: Implemented as a multi-tool LLM agent loop, the mutator consumes structured audit findings and runtime trace as in-context side information to generate cross-round mutations. Its toolset enables retrieval of benign skill exemplars, attack-log mining, repository context extraction, and code-offload primitives.
  4. Three-Layer Evolution Process: Proteus supports three nested search modes—free discovery (diversifying mutation vectors for a fixed objective and topology), path expansion (alternative implementations for a fixed objective), and surface expansion (pattern transfer across attack categories).

The attacker's capability crucially depends on the availability of greybox feedback: open-source auditors expose findings and rule rationale, enabling feedback-guided learning. Figure 1

Figure 1: Proteus system overview, showing graph-guided chain composition feeding the feedback-driven mutation agent operating within an audit–sandbox–oracle contract.

Methodology: Adaptive Feedback Loop and Graph-Guided Composition

Proteus utilizes a graph-guided chain composition mechanism, constructed from a large skill graph (e.g., ClawHub), to create coherent attack chains by composing skills along operationally plausible sourcebb0sink risk pathways. The agent accesses this graph to synthesize multi-hop skill attack chains that mimic benign workflows but embed adversarial intent, thereby evading heuristics based on narrative coherence or chain structure.

Each adaptive attack round proceeds as follows:

  • The mutator agent ingests prior round findings and runtime feedback.
  • It samples from its compositional and retrieval tools to propose a mutated skill variant, potentially incorporating benign skill exemplars, alternate attack primitives, or documentation rewrites.
  • The variant is evaluated through the pipeline, and detailed findings are aggregated into the per-run attack log.

Self-evolution is characterized by: (1) increasing attack success rates over rounds (ASR@t), (2) positive learning curve slope (LCS) reflecting per-round improvement, and (3) strategy diversity growth (SDG), measured by the cumulative count of unique mutation operator sets applied.

Experimental Evaluation: Attack Efficacy and Baseline Comparison

Evaluation Protocol

The evaluation spans multiple configurations using two public skill auditors—SkillVetter (SV) and Tencent AI-Infra-Guard (AIG)—against two target agent backbones (GLM-5 and GPT-5.4-mini) and two mutator LLMs (DeepSeek-V4-Pro and Kimi-2.6), covering a stratified catalog of attack types (e.g., data exfiltration, persistence, privilege escalation).

Across eight (mutator, target, defender) cells with bb1 seeds per cell and five attack rounds (bb2), Proteus demonstrates high attack success—achieving 40–90% ASR@5 depending on auditor and configuration. Figure 2

Figure 2: ASR@bb3 trajectories highlight rapid iterative bypass of both SkillVetter (top) and AIG (bottom), with consistently positive learning curve slopes, especially under stricter static-analysis auditors.

Proteus outperforms baseline attackers (random mutation, zero-shot LLM, scalar-feedback blackbox), which plateau at under 50% ASR@5 with negligible cross-round learning, whereas Proteus achieves both higher final ASR and an order-of-magnitude steeper learning slope (bb4 vs. bb5).

Expansion and Generalization

Path expansion (diverse instantiations of a single attack vector) and surface expansion (cross-category pattern transfer) result in 438 jointly bypassing, oracle-lethal skill variants. Notably, SkillVetter is bypassed at bb6 across all surface expansion cells, and the more robust AIG auditor admits up to 41.3% joint-success on the toughest configuration. Figure 3

Figure 3: Surface expansion metrics, showing the distribution of successful variants by attack objective and the split between path and surface expansion across configurations.

In a cross-auditor transfer test, 87.7% of AIG-evolved bb7 (bypass+lethal) skills also bypass SkillVetter without additional mutation. This confirms that adaptive leakage is not auditor-specific; red-teamers trained on one defender's feedback channel extract strategies that generalize across vetting implementations.

Analysis of Key Mechanisms

Feedback-Driven Mutation vs. Scalar Reward

Proteus demonstrates that detailed, structured feedback (reason codes, severity, evidence) used as in-context conditioning is substantially more effective than traditional scalar-reward RL paradigms. Ablation experiments show that providing only scalar accept/reject feedback slashes both success rate and learning efficiency, underscoring the risk of structured signal leakage through open-source or overly verbose audit feedback channels.

Chain-Topology and Attack Diversity

Graph-guided compositional reasoning, rather than unconstrained LLM generation, is critical for synthesizing attack chains that evade narrative and structural coherence checks employed by SOTA auditors. Forcing single-skill topology eliminates successful bypasses under stricter static auditors, validating the necessity of explicit chain-topology factorization in skill security evaluations. Figure 4

Figure 4: Histogram depicting the round index of first bb8 (bypass+lethal) per cell, highlighting that for AIG, feedback-driven adaptation is essential to break through the static-analysis audit floor.

Implications and Forward Outlook

Proteus empirically demonstrates that current agent-skill vetting practices significantly underestimate deployment risk under adaptive, feedback-driven attackers. The residual leakage—quantified by Proteus—persists even under the strongest public auditors evaluated, and successful attack motifs are transferable across audit implementations. This exposes two systemic concerns:

  • Structured Feedback Amplifies Adversarial Adaptation: The publication of structured audit findings (as promoted by open-source transparency norms) creates latent information channels that attackers can exploit for arbitrary cross-round improvement.
  • Auditor-Specific Fixation is Inadequate: Defensive interventions must avoid overfitting to current skill vetting paradigms, as transferable evasion emerges under sufficiently flexible adaptive attackers.

The practical implication is that agent-skill marketplaces and ecosystem maintainers must account for adversarial adaptation in their risk models, possibly by limiting the feedback granularity provided to submitters, integrating dynamic or ML-based anomaly detectors, and treating audit approval as only one link in a multilayered security chain.

Theoretically, Proteus frames adaptive leakage as a formal, measurable quantity, establishing new ground for future comparative evaluations of skill vetting systems and opening avenues for research on auditor hardening, dynamic defense, and adversarial coevolution.

Conclusion

Proteus defines an explicit benchmark for measuring adaptive attacker risk in agent skill ecosystems, showing attack success rates and learning curves far surpassing those observed in static or feedback-impoverished red-teaming settings. The evidence for high adaptive leakage, cross-auditor transferability, and the pivotal role of structured audit feedback points toward a pressing need for robustification of agent skill security pipelines. Future directions include symmetric auditor generalization, refined cost modeling, adversarial arms-race simulation, and integration of more diverse mutator models.


Reference:

"Proteus: A Self-Evolving Red Team for Agent Skill Ecosystems" (2605.11891)

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.