Papers
Topics
Authors
Recent
Search
2000 character limit reached

Benign in Isolation, Harmful in Composition: Security Risks in Agent Skill Ecosystems

Published 13 Jun 2026 in cs.CR and cs.AI | (2606.15242v1)

Abstract: Skills are becoming the capability layer through which LLM agents turn plans into actions, but their use introduces security risks such as data leakage, unauthorized operations, and tool misuse. Existing vetting usually evaluates each skill in isolation, while real agent tasks often invoke multiple skills in a shared execution context. This creates Skill Composition Risk (SCR): a skill that appears benign alone can become harmful when its outputs, trust signals, authorization cues, or side effects influence later invocations along an activated path. We introduce SCR-Bench to evaluate this risk in controlled, sandboxed skill environments. Rather than relying only on textual intent or surface behavior, SCR-Bench records downstream state changes and path-level outcomes across composed skill executions. It contains three sub-benchmarks: SCR-CapFlow for capability-flow composition, SCR-TrustLift for trust-transfer composition, and SCR-AuthBlur for authorization-confusion composition. Across SCR-Bench, composed paths expose risks that are largely absent under isolated evaluation. In SCR-CapFlow, attack success rate reaches 33.6 percent under composition, compared with near-zero isolated baselines. In SCR-TrustLift, attack success rate exceeds 96.5 percent on four of five backends. In SCR-AuthBlur, the risky-approval rate increases by 71.8 percent relative to the L0 isolated baseline under the L1 context setting. These results show that agent skill security should be assessed at the level of activated paths rather than isolated artifacts. SCR and SCR-Bench provide a foundation for path-aware risk evaluation and defense in LLM agent skill ecosystems. Benchmark: https://github.com/saint-viperx/SCR_Bench.

Summary

  • The paper introduces Skill Composition Risk (SCR), demonstrating that individually safe skills can be combined to form unauthorized data access and privilege escalation paths.
  • It presents SCR-Bench, evaluating three risk mechanisms—capability flow, trust transfer, and authorization confusion—under controlled sandbox environments.
  • Experimental results reveal drastic increases in attack success rates when skills are composed, challenging traditional artifact-level security vetting and calling for path-level analysis.

Path-Level Security Risks in Skill-Based LLM Agent Ecosystems

Introduction

The paper "Benign in Isolation, Harmful in Composition: Security Risks in Agent Skill Ecosystems" (2606.15242) provides a comprehensive formulation and empirical evaluation of a critical security gap in agentic AI ecosystems: skills that are individually benign may, when composed under shared execution context, create pathways that enable unauthorized data access, privilege escalation, and tool misuse. This gap, termed Skill Composition Risk (SCR), challenges the prevailing paradigm of artifact-level vetting and necessitates a shift to path-level security assessment. The authors introduce SCR-Bench, the first experimental suite designed to measure this compositional security risk across three representative mechanisms—capability flow, trust transfer, and authorization confusion—in controlled sandboxed environments. Figure 1

Figure 1: Path-level risk in SCR: three skills, safe under isolated review, can together expose sensitive resources via capability flow, trust transfer, or authorization confusion.

SCR Formulation: Context-Dependent Composition Risks

The paper formalizes SCR using a directed, context-dependent composition graph, Gh=(V,Eh)G_h=(V,E_h), where the vertices VV represent agent skills and the edges EhE_h encode feasible composition relationships under a given task context hh. The authors demonstrate that the real attack surface is not at the node (individual skill) level, but in activated paths π\pi within GhG_h, where intermediate artifacts (outputs, trust signals, authorization cues) are passed between skills. The effective path risk is defined as rπ(h)=aπ(h)qπ(h)r_\pi(h)=a_\pi(h)q_\pi(h), separating the activation probability from the conditional probability of reaching a harmful downstream state.

Three primary risk mechanisms are instantiated:

  • Capability Flow: Upstream discovery skills identify operational targets for downstream execution skills, enabling privilege amplification even though neither endpoint skill is harmful in isolation.
  • Trust Transfer: Security-oriented skills emit endorsements that, when reused as legitimacy signals, reduce scrutiny for downstream high-risk actions (e.g., installation of vulnerable or malicious modules).
  • Authorization Confusion: Advisory or audit-like skill outputs are misinterpreted by downstream logic as approval cues, shifting agent decision boundaries toward unsafe states. Figure 2

    Figure 2: Path-level composition in SCR-Bench: mechanisms—capability flow, trust transfer, authorization confusion—operationalize compositional harm from otherwise safe skills.

SCR-Bench: Operationalizing Path-Level Evaluation

SCR-Bench is constructed as a set of sub-benchmarks, each aligning with one of the risk mechanisms and explicitly separating skill-local capability from compositional context. The evaluation metric is binary: success is counted only upon observable downstream state change in a sandboxed environment, not mere textual description or invocation.

  • SCR-CapFlow pairs discovery and execution skills, testing whether the agent transfers operational targets in composition. The experiment strictly requires side-effects to apply to the actual upstream-discovered target.
  • SCR-TrustLift evaluates whether upstream trust signals alter downstream high-risk installation decisions—measuring the lift in attack success rate (ASR) between the control and endorsed conditions.
  • SCR-AuthBlur assesses how upstream advisory context (of varying semantic strength) modulates the agent's risky approval rate.

Experimental Results and Key Findings

The empirical evaluation across diverse LLM backends demonstrates substantial compositional security failures:

  • SCR-CapFlow: In isolated review, ASR is near zero (0–1.4%). Under composition, ASR rises sharply, averaging 33.6% (neutral) and 35.9% (explicit), reaching >90% for DeepSeek-V4. This highlights that privilege amplification is not sufficiently captured by local skill inspection; composition enables boundary crossing.
  • SCR-TrustLift: Four out of five backends reach near-saturation ASR (96.51–100%) when trust signals are present, compared with zero or trivial ASR in control. The average lift is 82.8 percentage points. The implication is direct: benign security skills can unintentionally legitimize malicious downstream actions via trust-transfer effects.
  • SCR-AuthBlur: Risky approval rates increase from 15.7% (control) to 27% (related context) and 34% (authorization-like context), with backend-dependent amplification (up to +41.1 percentage points). Even ordinary advisory context elevates approval risk by agent misinterpretation, confirming context pollution as a practical attack vector.

These results invalidate the sufficiency of artifact-level vetting for agentic skill ecosystems. Path-level context, semantic signal propagation, and compositional boundary confusion must be incorporated into threat models and security evaluation.

Practical and Theoretical Implications

This work redefines the security boundary for LLM agentic skill ecosystems:

  • Artifact-level vetting is necessary but structurally insufficient. SCR demonstrates that emergent harm appears when individually-safe skills are composed in agent workflows.
  • Path-aware, context-dependent analysis is required. Security review must shift from node-level inspection to activated path evaluation, accounting for all intermediate artifacts arising from skill interactions.
  • Defense strategies must address composition, not just containment. Runtime interposition, path auditing, and compositional capability confinement are required. Static analysis, semantic triage, and formal abstraction (e.g., as in SkillScan, SkillSieve, SkillFortify) must extend to path-enabled threat surfaces.
  • Benchmarking and evaluation must include compositional attack surfaces. Standard benchmarks and attack models should adopt context-activated path metrics as primary risk indicators.

Theoretically, SCR opens avenues for compositional formal verification, graph-theoretic threat modeling, and dynamic runtime auditing. As agent skill registries and open marketplaces proliferate, multilayer path inspection will become a foundational security primitive.

Future Directions

Key open questions include:

  • Scaling SCR-Bench to open, heterogeneous skill ecosystems. Real-world agentic platforms will require robust, interpretable path evaluation frameworks.
  • Automated path discovery and risk amplification analysis. As the number of candidate skill paths grows (scaling as O(nk)O(n^k) for length-kk paths), compositional attack surfaces may dominate agentic workflow risk landscapes.
  • Semantic intent fragmentation and formal compositional policy enforcement. Distinct from plan-level intent decomposition, the next evolution is incorporating semantic and operational dependency analysis for skill artifacts.
  • Integration with runtime defense primitives. Path-aware pre-execution firewalls, compositional capability restriction (e.g., AEGIS, ClawGuard), and multi-hop privilege amplification blocking remain urgent translational targets.

Conclusion

The identification and operationalization of Skill Composition Risk (SCR) via SCR-Bench demonstrates that benign skills in isolation are insufficient for agentic security. Composed execution paths enable rapid amplification of privilege, trust, and approval risk, invalidating the node-level security boundary paradigm. Path-aware review, activated context analysis, and composition-driven defense mechanisms are essential for reliable skill-enabled LLM agents. This work establishes path-level scrutiny as a necessary security primitive in evolving agent skill ecosystems.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.