Papers
Topics
Authors
Recent
Search
2000 character limit reached

DY-Skill Attacker Model Overview

Updated 5 July 2026
  • The DY-Skill Attacker Model underlines dynamic exploitation of the skill layer through iterative, feedback-driven path search using natural-language instructions and associated metadata.
  • It employs a three-stage framework—vulnerability analysis, parallel attack generation, and exploit refinement—to discover and trigger unsafe behaviors in agent skills.
  • Empirical evaluations show that even prompt-only, adaptive attacks can significantly compromise operational security, underscoring the need for dynamic and multi-layered defenses.

Searching arXiv for the cited skill-attack papers to ground the article in current literature. Searching arXiv for “SkillAttack Automated Red Teaming of Agent Skills through Attack Path Refinement” and related skill-attack papers. The DY-Skill Attacker Model is a threat model for LLM-based agent systems in which the adversary targets the skill layer—the natural-language instructions, executable implementations, metadata, and lifecycle behavior of reusable agent skills—rather than the base model weights. Across recent work, the term does not denote one standardized formal object, but a convergent family of attacker formulations for dynamic, skill-based agent ecosystems. In this family, the attacker’s leverage comes from the fact that skills are privileged workflow components: agents may load them dynamically, interpret their documentation as operational guidance, execute their helper scripts, compose them with other skills, and persist them across sessions. The most explicit prompt-only version appears in "SkillAttack: Automated Red Teaming of Agent Skills through Attack Path Refinement" (Duan et al., 5 Apr 2026), which studies a weaker attacker that controls only user prompts but adaptively searches for prompts that activate latent vulnerabilities already present in an unmodified skill. Related papers broaden the model to skill-supply-chain poisoning, cross-modal language-and-code attacks, dynamic self-modification, lifecycle persistence, and adaptive audit evasion (Schmotz et al., 23 Feb 2026, Feng et al., 8 Apr 2026, Ning et al., 1 Jun 2026, Kim et al., 12 Jun 2026, Chen et al., 15 Jun 2026, Zhou, 12 May 2026). Taken together, these works define a technical landscape in which a DY-Skill attacker is best understood as an adversary whose power is mediated by closed-loop interaction with, or control over, reusable skills, rather than by direct compromise of the foundation model.

1. Prompt-only dynamic exploitation in unmodified skills

The clearest formalization of a DY-Skill attacker appears in SkillAttack (Duan et al., 5 Apr 2026). There, the target is an LLM-based agent using a skill represented as

s=(sinst,simpl),\mathbf{s} = (s_\text{inst}, s_\text{impl}),

where sinsts_\text{inst} is the natural-language instruction interface, such as a SKILL.md file, and simpls_\text{impl} is the executable implementation plus auxiliary resources. The attacker controls only prompts

xX,x \in \mathcal{X},

and explicitly cannot modify the skill, cannot change the system prompt, and cannot intervene in the runtime environment (Duan et al., 5 Apr 2026).

This formulation is significant because it weakens the attacker relative to prior skill-tampering work while making the threat more realistic. The attacker's objective is existential exploit discovery: given a skill s\mathbf{s}, determine whether there exists an adversarial prompt xx^* such that the agent exhibits at least one predefined unsafe behavior, evidenced by the execution trajectory

τ=(a1,o1,,aT,oT),\tau = (a_1, o_1, \dots, a_T, o_T),

execution artifacts A\mathcal{A}, or final response yy (Duan et al., 5 Apr 2026). The harmful behaviors are drawn from the Skill-Inject taxonomy: data exfiltration, data destruction, backdoor insertion, malware or ransomware execution, DoS, phishing, manipulation, and poisoning (Duan et al., 5 Apr 2026, Schmotz et al., 23 Feb 2026).

The attacker is external and black-box with respect to policy internals, but not blind. SkillAttack assumes the attacker can observe: the skill content during auditing, the resulting execution trace τ\tau, execution artifacts sinsts_\text{inst}0, and the agent’s final response sinsts_\text{inst}1. Control is limited to the prompt sinsts_\text{inst}2, but it can be exercised iteratively across multiple rounds (Duan et al., 5 Apr 2026). This yields an attacker model that is weaker than supply-chain poisoning but stronger than a one-shot prompt injector, because it is stateful, feedback-driven, and trajectory-aware.

A central conceptual move in SkillAttack is to cast exploitation as path search. Each candidate exploit is represented as an attack path intended to connect the user prompt, the skill interface, a vulnerable operation, and an unsafe behavior. The paper’s printed path expression

sinsts_\text{inst}3

contains a typesetting error, but the surrounding text makes the intended semantics clear: the attacker searches over hypothesized routes from prompt to vulnerable operation to harmful effect (Duan et al., 5 Apr 2026). This suggests that the DY-Skill attacker is not merely optimizing strings; it is reasoning over where the skill is vulnerable, how to steer the agent there, and why prior attempts failed.

2. Closed-loop path search and exploit refinement

SkillAttack decomposes the prompt-only DY-Skill attacker into three stages: Skill Vulnerability Analysis, Surface-Parallel Attack Generation, and Feedback-Driven Exploit Refinement (Duan et al., 5 Apr 2026).

In the first stage, the attacker performs reconnaissance by analyzing both instruction and implementation surfaces. Each vulnerability is represented as

sinsts_\text{inst}4

where sinsts_\text{inst}5 is the vulnerability type, sinsts_\text{inst}6 the set of attacker-controllable inputs, sinsts_\text{inst}7 the set of sensitive operations, and sinsts_\text{inst}8 the set of triggering conditions. The full set is sinsts_\text{inst}9 (Duan et al., 5 Apr 2026). This formalizes a key property of the model: threat surfaces are not arbitrary prompt targets, but are grounded in the skill’s code and interface.

In the second stage, Surface-Parallel Attack Generation, the system initializes an attack lane for each simpls_\text{impl}0. Each lane contains a vulnerability, an initial path hypothesis, and an initial prompt: simpls_\text{impl}1 This breadth-first structure matters. Instead of committing to one malicious prompt, the attacker explores multiple attack surfaces simultaneously, each aligned with a distinct sensitive operation and behavior category (Duan et al., 5 Apr 2026).

In the third stage, Feedback-Driven Exploit Refinement, the attacker executes the current prompt, obtains

simpls_\text{impl}2

and submits them to a judge model conditioned on the target vulnerability simpls_\text{impl}3. If the judge determines that the unsafe behavior occurred, the prompt is returned as a successful exploit. Otherwise, the attacker extracts two structured feedback elements: path deviation and failure cause, such as refusal, sanitization, hallucinated execution, or branch drift (Duan et al., 5 Apr 2026). The update cycle is captured as

simpls_\text{impl}4

The full procedure is summarized by the paper’s Algorithm 1. It takes as input the skill simpls_\text{impl}5, attacker model simpls_\text{impl}6, judge simpls_\text{impl}7, and iteration budget simpls_\text{impl}8; computes simpls_\text{impl}9; initializes the attack pool xX,x \in \mathcal{X},0; repeatedly executes each lane; applies Judge; and, if needed, updates the attack via RefinePath and RefinePrompt; otherwise it returns failure after exhausting budget xX,x \in \mathcal{X},1 (Duan et al., 5 Apr 2026). In experiments, xX,x \in \mathcal{X},2 is 5 rounds (Duan et al., 5 Apr 2026).

This is the most explicit sense in which the model is dynamic: it is not only iterative, but stateful across rounds and hypothesis-updating. A plausible implication is that the relevant attack surface in agent skills is often latent rather than immediately actuated, so exploitability cannot be established by static string search alone.

3. Operational success criteria and empirical characteristics

SkillAttack adopts a strict success criterion. Attack success is not defined as producing harmful text or eliciting a dangerous answer string. The paper defines Attack Success Rate as “the fraction of skills for which at least one attack lane triggers a successful exploit within the iteration budget” (Duan et al., 5 Apr 2026). The unit is the skill, the criterion is existential over lanes, the search is bounded by xX,x \in \mathcal{X},3, and the evidence must come from trajectory, file, tool, or network behavior. Responses consisting solely of refusals or safety disclaimers are classified as ignored (Duan et al., 5 Apr 2026).

This evidentiary standard distinguishes the DY-Skill attacker from conventional jailbreak evaluation. The attacker is not credited for convincing the model to say something unsafe if the agent does not operationalize that behavior. The relevant security event is verified harmful action or attempted action.

SkillAttack evaluates this attacker model on 71 adversarial skills from Skill-Inject—30 Obvious Injections and 41 Contextual Injections—and 100 real-world “Hot100” skills from ClawHub, using OpenClaw with the Skill-Inject sandbox and ten target LLMs: GPT-5.4, GPT-5.4-nano, Claude Sonnet 4.5, Gemini 3.0 Pro Preview, Kimi K2.5, Qwen 3.5 Plus, MiniMax M2.5, GLM-5, Doubao Seed 1.8, and Hunyuan 2.0 Instruct (Duan et al., 5 Apr 2026). Gemini 3.0 Pro Preview is the auditing model, GPT-5.4 the attacker model, and up to 5 attack surfaces are identified per skill (Duan et al., 5 Apr 2026).

The quantitative results are central to the attacker model.

Setting SkillAttack Comparator summary
Obvious adversarial skills ASR xX,x \in \mathcal{X},4–xX,x \in \mathcal{X},5 Direct up to xX,x \in \mathcal{X},6; Skill-Inject up to xX,x \in \mathcal{X},7
Contextual adversarial skills xX,x \in \mathcal{X},8–xX,x \in \mathcal{X},9 Skill-Inject below s\mathbf{s}0; Direct near zero
Real-world Hot100 skills up to s\mathbf{s}1 Direct never exceeds s\mathbf{s}2

These results indicate that adaptive prompt-only exploit search can succeed even when the attacker cannot alter the skill artifact (Duan et al., 5 Apr 2026). This suggests that supply-chain tampering is not the only relevant attacker in skill ecosystems; a weaker but adaptive external user may suffice when the skill already embeds exploitable structure.

The round-of-first-success analysis reinforces this point. Only about 24% of successful attacks occur in rounds 1–2, while roughly 65% first succeed in rounds 3–4. The full first-success distribution is 12.8% in round 1, 11.6% in round 2, 36.0% in round 3, 28.8% in round 4, and 10.8% in round 5; for Hot100, rounds 3 and 4 account for 39.5% and 30.2% (Duan et al., 5 Apr 2026). This is strong evidence that one-shot attack models materially understate exploitability.

The danger-category distributions are also informative. Hot100 real-world skills are concentrated on operational threats, with Data Exfiltration and Malware/Ransomware exceeding 70% of successful cases, whereas contextual injected skills are dominated by manipulation (Duan et al., 5 Apr 2026). This suggests that a DY-Skill attacker should be understood as skill-aware: different classes of skills expose different operational surfaces.

4. Relation to supply-chain poisoning and skill-file injection

SkillAttack’s prompt-only model is best understood against a background of stronger skill-layer attackers. Skill-Inject formalizes skill-file attacks in which the attacker controls the skill artifact itself, especially SKILL.md, scripts, and YAML description metadata (Schmotz et al., 23 Feb 2026). Skills are described there as directories that can contain instructions, scripts, and resources, with a designated SKILL.md containing potentially long-form instructions. Since skills are lazy-loaded and trusted as extension material, malicious instructions in them create “instruction-instruction” conflicts rather than ordinary instruction-data conflicts (Schmotz et al., 23 Feb 2026).

Skill-Inject distinguishes three threat variants: Body Injection, Body + Script, and Body + YAML Description (Schmotz et al., 23 Feb 2026). The paper finds that description injection provides “additional attack leverage,” increasing success rates by 10.6 to 14.1 percentage points on average, and that script-based attacks outperform direct text injections, with contextual ASR 71.8% versus 53.8% and obvious ASR 62.8% versus 53.7% (Schmotz et al., 23 Feb 2026). The benchmark contains 202 injection-task pairs across 23 unique skills, 8 attack categories, 30 obvious injections, and 41 contextual injections (Schmotz et al., 23 Feb 2026).

The harm taxonomy used by Skill-Inject overlaps with SkillAttack: Data Exfiltration, Data Destruction, DoS, Malware/Ransomware, Phishing, Backdoors, Bias/Manipulation, and Poisoning (Schmotz et al., 23 Feb 2026). Its broader conclusion is that current agents are highly vulnerable, with up to 80% attack success rate on some configurations, and that model scaling or simple input filtering is insufficient; the paper instead calls for context-aware authorization frameworks (Schmotz et al., 23 Feb 2026).

SkillTrojan extends the supply-chain side of the DY-Skill landscape by modeling a backdoor attacker who controls persistent third-party skills that an agent can dynamically load from public repositories or marketplaces (Feng et al., 8 Apr 2026). A skill is formalized as

s\mathbf{s}3

where s\mathbf{s}4 is a natural-language specification document such as SKILL.md, and s\mathbf{s}5 is the set of executable scripts or resources (Feng et al., 8 Apr 2026). The attacker publishes or transforms skills into backdoored packages

s\mathbf{s}6

with two objectives: preserve benign behavior on clean inputs and reliably execute a payload s\mathbf{s}7 when a trigger predicate s\mathbf{s}8 holds (Feng et al., 8 Apr 2026).

The attack encrypts a payload,

s\mathbf{s}9

splits it into indexed fragments

xx^*0

biases planner behavior under trigger by modifying xx^*1, accumulates fragments across benign-looking actions,

xx^*2

and reconstructs and executes the payload when

xx^*3

(Feng et al., 8 Apr 2026). This attack is dynamic because payload activation depends on ordinary multi-step skill composition within a run rather than a single malicious tool invocation.

SkillTrojan attains up to 97.2% ASR while maintaining 89.3% clean ACC on EHR SQL with GPT-5.2-1211-Global, and achieves 92.8 ASR on SWE-Bench Verified for the same model (Feng et al., 8 Apr 2026). This is not the same DY-Skill attacker as SkillAttack, but it occupies the same conceptual space: the base model is unmodified, the skill layer is the attack substrate, and the attack unfolds through normal planner and tool-chain behavior.

A useful distinction therefore emerges. The DY-Skill attacker may be:

The former studies exploitability of existing vulnerabilities; the latter studies insertion of new malicious behavior.

5. Dynamic modification, lifecycle persistence, and adaptive vetting

Several papers expand the DY-Skill idea beyond prompt-only or fixed-package poisoning toward lifecycle-aware and self-evolving attacker models.

SkillHarm introduces a benchmark across the skill-use lifecycle and distinguishes Fixed-Payload Poisoning (FPP) from Self-Mutating Poisoning (SMP) (Ning et al., 1 Jun 2026). The attacker is a skill publisher who controls all files shipped in a skill package, including SKILL.md, reference documents, scripts, and auxiliary resources, but has no post-installation live access and cannot adapt online (Ning et al., 1 Jun 2026). FPP places the malicious payload in the package from the start. SMP instead plants a mutation hook so that an initially benign execution rewrites persistent skill content for later compromise (Ning et al., 1 Jun 2026).

SMP is realized via an exit-triggered callback—concretely, an atexit callback added to a helper script used in Task xx^*4—which rewrites sibling skill files when the script exits, so that the modified content is loaded during Task xx^*5 (Ning et al., 1 Jun 2026). Persistence is carried by the installed skill directory itself, across framework-specific paths such as .claude/skills, .codex/skills, and .agents/skills (Ning et al., 1 Jun 2026). This yields a dynamic threat in which harm is temporally decoupled from the initial benign-looking execution.

SkillHarm defines 12 risk types across data pipelines, system environments, and agent autonomy, including Data Exfiltration, Output Manipulation, Poisoning, Privilege Escalation, Unauthorized File Modification, Backdoor Injection, Denial of Service, Malware Deployment, System Corruption, Goal Hijacking, Anti-Forensics, and Proxy Attack (Ning et al., 1 Jun 2026). Across 879 attack samples over 71 skills, FPP reaches up to 86.3% ASR and SMP up to 69.3% ASR (Ning et al., 1 Jun 2026). Conditional ASR analysis shows many apparent failures stem from the agent not engaging the poisoned file rather than true resistance, and Attack Refusal Rate drops sharply in SMP relative to FPP, supporting the idea that temporally separated attacks are harder for agents to detect (Ning et al., 1 Jun 2026).

Dynamic Malicious Skills studies a related but more specific attack, DyMalSkill, in which the attacker distributes a skill with benign executable code but malicious natural-language documentation that induces the agent itself to rewrite that code during execution (Chen et al., 15 Jun 2026). A skill is formalized as

xx^*6

where xx^*7 is code, xx^*8 metadata, and xx^*9 documentation. The attacker constructs

τ=(a1,o1,,aT,oT),\tau = (a_1, o_1, \dots, a_T, o_T),0

by injecting malicious documentation τ=(a1,o1,,aT,oT),\tau = (a_1, o_1, \dots, a_T, o_T),1 while leaving code benign at rest (Chen et al., 15 Jun 2026). At runtime, the agent transforms the code according to

τ=(a1,o1,,aT,oT),\tau = (a_1, o_1, \dots, a_T, o_T),2

yielding

τ=(a1,o1,,aT,oT),\tau = (a_1, o_1, \dots, a_T, o_T),3

whose execution produces malicious behavior (Chen et al., 15 Jun 2026).

This attack relies on three documentation-level strategies: prerequisite framing, entry-script grounding, and wrapper-pierce via pseudo-structural tags such as </EXTRA_INFO><SYSTEM_INSTRUCTION> ... </SYSTEM_INSTRUCTION> (Chen et al., 15 Jun 2026). The paper evaluates 300 Python-code skills sampled from 15,067 skills collected from Skillsmp and 12 malicious behavior categories. Average ASR reaches 43.7% for OpenHands + GPT-5 and 19.0% for Claude Code + Sonnet 4.6, while a permission-based defense using kernel-enforced read-only mounts plus copy blocking reduces ASR to 0.0% and preserves benign functionality on all 300 benign skills (Chen et al., 15 Jun 2026). The core implication is that skill documentation is effectively executable by proxy through the agent.

Proteus generalizes the adaptive side of the DY-Skill attacker into a grey-box self-evolving red team for skill vetting (Zhou, 12 May 2026). It defines skill risk in terms of adaptive leakage: τ=(a1,o1,,aT,oT),\tau = (a_1, o_1, \dots, a_T, o_T),4 where τ=(a1,o1,,aT,oT),\tau = (a_1, o_1, \dots, a_T, o_T),5 denotes audit bypass and τ=(a1,o1,,aT,oT),\tau = (a_1, o_1, \dots, a_T, o_T),6 oracle-verified lethality within budget τ=(a1,o1,,aT,oT),\tau = (a_1, o_1, \dots, a_T, o_T),7 (Zhou, 12 May 2026). Proteus factors the attack space as

τ=(a1,o1,,aT,oT),\tau = (a_1, o_1, \dots, a_T, o_T),8

with objective τ=(a1,o1,,aT,oT),\tau = (a_1, o_1, \dots, a_T, o_T),9, topology A\mathcal{A}0, code artifact A\mathcal{A}1, side-effect channel A\mathcal{A}2, and documentation A\mathcal{A}3, and iteratively mutates skills using structured audit findings and runtime traces (Zhou, 12 May 2026).

Across eight phase-1 cells, Proteus reaches 40–90% ASR@5; phase-2 path and surface expansion produce 438 jointly bypassing and lethal variants, with SkillVetter bypassed at A\mathcal{A}4 in every cell and AI-Infra-Guard still admitting up to 41.3% joint success (Zhou, 12 May 2026). This attacker is stronger than the prompt-only DY-Skill attacker of SkillAttack, but it makes the same conceptual point: single-shot auditing underestimates residual risk once the attacker can learn from feedback.

6. Cross-modal install-time attacks and broader attacker boundaries

SkillMutator focuses on install-time detection of language-and-code cross-modal attacks on skills (Kim et al., 12 Jun 2026). The trusted system boundary is explicit: the base LLM, agent host, operating system, and scanner are assumed uncompromised, while all third-party skill contents are untrusted (Kim et al., 12 Jun 2026). A skill package is modeled as

A\mathcal{A}5

where A\mathcal{A}6 is SKILL.md, A\mathcal{A}7 the executable files, and A\mathcal{A}8 the auxiliary files. The install-time scanner computes

A\mathcal{A}9

without executing any file (Kim et al., 12 Jun 2026).

SkillMutator begins from benign skills and uses a four-stage adversarial mutation process: Skill Analysis, Stealth-Aware Attack Selection, Scenario Generation, and Skill Mutation, followed by iterative refinement against three scanners (Kim et al., 12 Jun 2026). Categories are kept when their stealth score exceeds 80, or else the top three are retained (Kim et al., 12 Jun 2026). The mutator may alter SKILL.md, helper scripts, or auxiliary files, and is instructed to evade public rule patterns such as curl, wget, /.ssh/, /.env, sudo, eval(, and exec( by renaming, splitting, indirecting through configuration, and disguising behavior as routine maintenance (Kim et al., 12 Jun 2026).

The benchmark contains 187 final mutated skill scenarios over 13 attack categories, generated across 17 official Anthropic skills and 68 community-authored skills (Kim et al., 12 Jun 2026). Open-source and commercial skill scanners detect only 2%–8% and 9%–17% of these attacks, respectively, while the distilled local scanner based on Qwen2.5-Coder-7B-Instruct reaches 88.2% detection on the strongest subset yy0, surpassing GPT-4o-mini at 23.7% and GPT-5.4-mini at 79.0%, and approaching GPT-5.4 at 86.8% (Kim et al., 12 Jun 2026). This suggests that cross-modal DY-Skill attackers are particularly poorly captured by shallow lexical or static-code signals.

A related but conceptually distinct attacker appears in "When Should Agent Trust Be Conditional? Characterizing and Attacking Skill-Conditional Reputation in Agent Swarms" (Xia et al., 12 Jun 2026). This paper does not study skill packages themselves, but cross-skill laundering in skill-conditional routing over heterogeneous agents. Trust is modeled as

yy1

estimated by a coupling-weighted pooling rule

yy2

An attacker with cheap evidence on one farm skill yy3 and none on a target skill yy4 can exploit off-diagonal coupling yy5 to inflate target-skill trust (Xia et al., 12 Jun 2026). The paper’s budget degeneracy result shows that when yy6 and yy7,

yy8

so even one accepted farm episode can contaminate target-skill routing (Xia et al., 12 Jun 2026). This is not a skill-package attacker, but it broadens the DY-Skill notion from skill artifacts to skill-conditioned system state: the same cross-skill structure that improves routing also creates a laundering channel.

A plausible synthesis is that the DY-Skill attacker should not be reduced to one mechanism. The literature supports at least four variants:

7. Conceptual synthesis and defensive implications

Across these papers, the DY-Skill Attacker Model is best defined by what it is not. It is not conventional jailbreak prompting, because success depends on verified operational effects rather than unsafe text alone (Duan et al., 5 Apr 2026). It is not ordinary software malware, because the attack surface includes natural-language skill documentation and planner-facing semantics, not only code (Schmotz et al., 23 Feb 2026, Kim et al., 12 Jun 2026, Chen et al., 15 Jun 2026). It is not merely a static supply-chain attacker, because several of the strongest results depend on iterative refinement, path search, lifecycle mutation, or skill composition across time (Duan et al., 5 Apr 2026, Feng et al., 8 Apr 2026, Ning et al., 1 Jun 2026, Zhou, 12 May 2026).

A compact characterization is therefore:

a DY-Skill attacker is an adversary whose leverage is concentrated at the reusable skill layer of agentic systems, and whose capabilities derive from dynamic interaction with that layer—through prompt steering, artifact poisoning, documentation-induced code transformation, multi-step skill composition, persistent mutation, or feedback-driven revision.

The defensive implications in the cited literature are correspondingly multi-layered. Static auditing alone is repeatedly described as insufficient. SkillAttack argues that code/interface analysis must be combined with closed-loop adversarial interaction because static analysis cannot confirm exploitability under realistic agent execution (Duan et al., 5 Apr 2026). Skill-Inject argues for treating skill files as untrusted by default, binding them to least-privilege capability sets, and using context-aware authorization for side effects (Schmotz et al., 23 Feb 2026). Dynamic Malicious Skills shows that removing runtime write access to skill directories via kernel-enforced read-only mounts can completely block one class of dynamic skill rewriting while preserving benign utility (Chen et al., 15 Jun 2026). SkillMutator shows that install-time defense must reason jointly over SKILL.md, code, and auxiliary artifacts rather than apply rule-based scanning to either modality alone (Kim et al., 12 Jun 2026). Proteus argues that defenders must measure adaptive leakage, not one-shot snapshot safety, because audit feedback itself can become an attacker resource (Zhou, 12 May 2026).

Several misconceptions are clarified by the literature. One is that a weaker attacker who controls only prompts is necessarily unimportant; SkillAttack shows otherwise (Duan et al., 5 Apr 2026). Another is that benign-looking code implies benign skills; both Dynamic Malicious Skills and SkillMutator show that documentation can operationalize harm without static malware signatures in code at rest (Chen et al., 15 Jun 2026, Kim et al., 12 Jun 2026). A third is that skill safety is purely an install-time property; SkillHarm and SkillTrojan show that harm may emerge only after composition, reuse, or delayed mutation (Feng et al., 8 Apr 2026, Ning et al., 1 Jun 2026).

The broader significance of the DY-Skill attacker model is therefore methodological as much as substantive. It reframes skill security from a question about isolated prompts or isolated artifacts into a question about agent-skill interaction over time. The skill is simultaneously a documentation surface, a code surface, a planning surface, and often a persistence surface. The attacker, correspondingly, is dynamic not merely because it acts in multiple steps, but because its success depends on reasoning about and exploiting this layered, evolving interface between language, execution, and workflow.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to DY-Skill Attacker Model.