- The paper introduces Skill Composition Risk (SCR), demonstrating that individually safe skills can be combined to form unauthorized data access and privilege escalation paths.
- It presents SCR-Bench, evaluating three risk mechanisms—capability flow, trust transfer, and authorization confusion—under controlled sandbox environments.
- Experimental results reveal drastic increases in attack success rates when skills are composed, challenging traditional artifact-level security vetting and calling for path-level analysis.
Path-Level Security Risks in Skill-Based LLM Agent Ecosystems
Introduction
The paper "Benign in Isolation, Harmful in Composition: Security Risks in Agent Skill Ecosystems" (2606.15242) provides a comprehensive formulation and empirical evaluation of a critical security gap in agentic AI ecosystems: skills that are individually benign may, when composed under shared execution context, create pathways that enable unauthorized data access, privilege escalation, and tool misuse. This gap, termed Skill Composition Risk (SCR), challenges the prevailing paradigm of artifact-level vetting and necessitates a shift to path-level security assessment. The authors introduce SCR-Bench, the first experimental suite designed to measure this compositional security risk across three representative mechanisms—capability flow, trust transfer, and authorization confusion—in controlled sandboxed environments.
Figure 1: Path-level risk in SCR: three skills, safe under isolated review, can together expose sensitive resources via capability flow, trust transfer, or authorization confusion.
SCR Formulation: Context-Dependent Composition Risks
The paper formalizes SCR using a directed, context-dependent composition graph, Gh=(V,Eh), where the vertices V represent agent skills and the edges Eh encode feasible composition relationships under a given task context h. The authors demonstrate that the real attack surface is not at the node (individual skill) level, but in activated paths π within Gh, where intermediate artifacts (outputs, trust signals, authorization cues) are passed between skills. The effective path risk is defined as rπ(h)=aπ(h)qπ(h), separating the activation probability from the conditional probability of reaching a harmful downstream state.
Three primary risk mechanisms are instantiated:
SCR-Bench: Operationalizing Path-Level Evaluation
SCR-Bench is constructed as a set of sub-benchmarks, each aligning with one of the risk mechanisms and explicitly separating skill-local capability from compositional context. The evaluation metric is binary: success is counted only upon observable downstream state change in a sandboxed environment, not mere textual description or invocation.
- SCR-CapFlow pairs discovery and execution skills, testing whether the agent transfers operational targets in composition. The experiment strictly requires side-effects to apply to the actual upstream-discovered target.
- SCR-TrustLift evaluates whether upstream trust signals alter downstream high-risk installation decisions—measuring the lift in attack success rate (ASR) between the control and endorsed conditions.
- SCR-AuthBlur assesses how upstream advisory context (of varying semantic strength) modulates the agent's risky approval rate.
Experimental Results and Key Findings
The empirical evaluation across diverse LLM backends demonstrates substantial compositional security failures:
- SCR-CapFlow: In isolated review, ASR is near zero (0–1.4%). Under composition, ASR rises sharply, averaging 33.6% (neutral) and 35.9% (explicit), reaching >90% for DeepSeek-V4. This highlights that privilege amplification is not sufficiently captured by local skill inspection; composition enables boundary crossing.
- SCR-TrustLift: Four out of five backends reach near-saturation ASR (96.51–100%) when trust signals are present, compared with zero or trivial ASR in control. The average lift is 82.8 percentage points. The implication is direct: benign security skills can unintentionally legitimize malicious downstream actions via trust-transfer effects.
- SCR-AuthBlur: Risky approval rates increase from 15.7% (control) to 27% (related context) and 34% (authorization-like context), with backend-dependent amplification (up to +41.1 percentage points). Even ordinary advisory context elevates approval risk by agent misinterpretation, confirming context pollution as a practical attack vector.
These results invalidate the sufficiency of artifact-level vetting for agentic skill ecosystems. Path-level context, semantic signal propagation, and compositional boundary confusion must be incorporated into threat models and security evaluation.
Practical and Theoretical Implications
This work redefines the security boundary for LLM agentic skill ecosystems:
- Artifact-level vetting is necessary but structurally insufficient. SCR demonstrates that emergent harm appears when individually-safe skills are composed in agent workflows.
- Path-aware, context-dependent analysis is required. Security review must shift from node-level inspection to activated path evaluation, accounting for all intermediate artifacts arising from skill interactions.
- Defense strategies must address composition, not just containment. Runtime interposition, path auditing, and compositional capability confinement are required. Static analysis, semantic triage, and formal abstraction (e.g., as in SkillScan, SkillSieve, SkillFortify) must extend to path-enabled threat surfaces.
- Benchmarking and evaluation must include compositional attack surfaces. Standard benchmarks and attack models should adopt context-activated path metrics as primary risk indicators.
Theoretically, SCR opens avenues for compositional formal verification, graph-theoretic threat modeling, and dynamic runtime auditing. As agent skill registries and open marketplaces proliferate, multilayer path inspection will become a foundational security primitive.
Future Directions
Key open questions include:
- Scaling SCR-Bench to open, heterogeneous skill ecosystems. Real-world agentic platforms will require robust, interpretable path evaluation frameworks.
- Automated path discovery and risk amplification analysis. As the number of candidate skill paths grows (scaling as O(nk) for length-k paths), compositional attack surfaces may dominate agentic workflow risk landscapes.
- Semantic intent fragmentation and formal compositional policy enforcement. Distinct from plan-level intent decomposition, the next evolution is incorporating semantic and operational dependency analysis for skill artifacts.
- Integration with runtime defense primitives. Path-aware pre-execution firewalls, compositional capability restriction (e.g., AEGIS, ClawGuard), and multi-hop privilege amplification blocking remain urgent translational targets.
Conclusion
The identification and operationalization of Skill Composition Risk (SCR) via SCR-Bench demonstrates that benign skills in isolation are insufficient for agentic security. Composed execution paths enable rapid amplification of privilege, trust, and approval risk, invalidating the node-level security boundary paradigm. Path-aware review, activated context analysis, and composition-driven defense mechanisms are essential for reliable skill-enabled LLM agents. This work establishes path-level scrutiny as a necessary security primitive in evolving agent skill ecosystems.