SCR-Bench: Skill Composition Risk Benchmark
- SCR-Bench is a benchmark that defines Skill Composition Risk (SCR) as the potential harm from benign skills when composed within a shared execution context.
- It systematically evaluates three composition mechanisms—capability flow, trust transfer, and authorization confusion—in controlled, path-aware sandbox environments.
- The benchmark measures empirical attack success rates through observable downstream state changes, highlighting vulnerabilities that isolated evaluations might miss.
Searching arXiv for the SCR-Bench paper and closely related benchmark context. SCR-Bench is a benchmark for evaluating Skill Composition Risk (SCR) in LLM-agent skill ecosystems, defined as the risk that skills judged safe in isolation become harmful when composed through a shared execution context. It is introduced as a path-aware benchmark in which the unit of analysis is an activated execution path rather than an isolated skill artifact. The benchmark is built around controlled, sandboxed skill environments and records observable downstream state changes and path-level outcomes, rather than relying only on textual intent or surface behavior. Its three sub-benchmarks—SCR-CapFlow, SCR-TrustLift, and SCR-AuthBlur—instantiate three composition mechanisms: capability-flow composition, trust-transfer composition, and authorization-confusion composition (Xie et al., 13 Jun 2026).
1. Definition and formalization
The benchmark is grounded in a context-dependent skill graph
where is the set of available skills and is the set of feasible skill-to-skill composition edges under context (Xie et al., 13 Jun 2026). A composition edge is defined as
with the output or state change produced by skill and the downstream object consumed by skill or by the planner. A skill-composition path is written
This formalization treats the relevant security object as a context-dependent path. A path 0 has activation probability 1, conditional harmful-state probability 2, and path risk
3
This makes explicit that composition risk depends both on whether the agent follows a path and on what occurs once the path is activated (Xie et al., 13 Jun 2026).
The benchmark-level outcome is a bad-event indicator 4 for mechanism 5, case 6, and trial 7, where success requires a downstream state change in the sandbox. The principal metric is empirical attack success rate: 8 This design emphasizes that SCR-Bench scores realized environmental outcomes rather than merely risky language or stated intent (Xie et al., 13 Jun 2026).
2. Benchmark architecture and design principles
SCR-Bench is designed as a benchmark for controlled skill environments with path-level ground truth. It assumes reusable procedural modules available to an LLM agent, a multi-step task setting, and a shared execution context that can carry forward task semantics, session memory, findings, endorsements, authorization cues, and environment state changes. In this setting, composition does not require explicit function nesting; it can arise whenever one skill’s output influences another skill’s invocation, input, or interpretation (Xie et al., 13 Jun 2026).
Its main design claims are threefold. First, the unit of analysis is the activated path rather than the isolated skill. Second, the measured outcome is an observable downstream event in a sandbox. Third, the benchmark explicitly instantiates three composition mechanisms rather than treating composition risk as an undifferentiated phenomenon (Xie et al., 13 Jun 2026).
The benchmark uses sandboxed environments with mock files, services, logs, schedules, stateful environments, simulated installation environments, and simulated approval or policy contexts. This controlled design enables direct verification of whether a harmful event occurred. A plausible implication is that the benchmark favors falsifiable path-level evaluation over open-ended red-teaming.
3. The three sub-benchmarks
SCR-Bench is partitioned into three sub-benchmarks, each tied to a distinct semantic channel through which composition becomes harmful (Xie et al., 13 Jun 2026).
| Sub-benchmark | Mechanism | Main bad event |
|---|---|---|
| SCR-CapFlow | Capability-flow composition | Linked downstream side effect on discovered target |
| SCR-TrustLift | Trust-transfer composition | Harmful installation |
| SCR-AuthBlur | Authorization-confusion composition | Risky approval |
SCR-CapFlow
SCR-CapFlow models capability-flow composition. An upstream skill exposes a concrete target or operational context, and a downstream execution skill acts on that same target. Individually, the skills are locally bounded; harmful behavior emerges only when the discovered object becomes the downstream action parameter. The main-text success criterion is
9
This makes the benchmark stricter than a mere co-invocation test: the execution must be linked to the specific discovered target (Xie et al., 13 Jun 2026).
The benchmark contains 150 paired-skill cases, with domains including permission or access control, mock reporting, device control, network configuration, and persistence scheduling. It evaluates five conditions: Control, A-Only, B-Only, A+B Neutral, and A+B Explicit. The Neutral condition tests autonomous harmful composition under legitimate task-oriented language, while the Explicit condition functions as a positive control for path executability (Xie et al., 13 Jun 2026).
SCR-TrustLift
SCR-TrustLift models trust-transfer composition. An upstream review- or security-oriented skill emits an endorsement, audit result, or trust signal that is then reused to legitimize a later harmful installation. The central quantity is lift: 0 with empirical estimator
1
The mechanism captures a semantic transition from review output to downstream legitimacy (Xie et al., 13 Jun 2026).
The benchmark evaluates 401 installation trials per backend under Control and Endorsed conditions. The upstream skill does not directly install anything; it only supplies an endorsement-like signal that may shift the downstream decision boundary (Xie et al., 13 Jun 2026).
SCR-AuthBlur
SCR-AuthBlur models authorization-confusion composition. Upstream advisory or finding-like context is reused as though it were approval evidence, thereby increasing the risky-approval rate. The contamination effect at context level 2 is
3
with empirical estimator
4
The benchmark defines four context levels. 5 is unrelated control context with no relevant task or composition cue. 6 is related task-level context only, with no specified 7 path and no advisor output, approval, or authorization language. 8 is a specified path with weak advisory or finding-like outputs, excluding approval and directive language. 9 is a specified path with stronger advisory or evaluative upstream semantics, still excluding formal authorization (Xie et al., 13 Jun 2026).
The main evaluation uses 118 retained decision cases and reports 0, 1, and 2, while a separate audited subset of 52 cases is used for 3 analysis (Xie et al., 13 Jun 2026).
4. Evaluation protocol and reported results
SCR-Bench evaluates multiple model backends and reports attack success rates under isolated and composed conditions. Across benchmarks, the paper reports experiments with GPT-5.5, GPT-5.4, Claude Opus 4.6, Claude Opus 4.5, Gemini 3.1 Pro Preview, MiniMax-M2.7, DeepSeek-V4, Kimi-K2, GLM-5.1, and GLM-5, with the exact subset varying by sub-benchmark (Xie et al., 13 Jun 2026).
SCR-CapFlow results
In SCR-CapFlow, isolated settings are near-zero, but composed settings are not. The reported averages are:
- Control: 0% ASR
- A-Only: 0% ASR
- B-Only: 1.4% ASR
- A+B Neutral: 33.6% ASR
- A+B Explicit: 35.9% ASR
Backend-level variation is large. DeepSeek-V4 exceeds 90% in both composed conditions, MiniMax-M2.7 exceeds 74.9%, and GPT-5.5, Gemini 3.1 Pro Preview, GLM-5.1, and GLM-5 show substantial composition-induced risk, whereas Opus 4.5 and 4.6 remain comparatively conservative (Xie et al., 13 Jun 2026). The figure for SCR-CapFlow includes 95% bootstrap confidence intervals.
SCR-TrustLift results
In SCR-TrustLift, the contrast between control and endorsed conditions is much larger. The reported averages are:
- Control average ASR: 1.10%
- Endorsed average ASR: 83.89%
- Average lift: 82.79 percentage points
On four of five backends, the endorsed ASR exceeds 96.5%. Specifically, Opus-4.5 and MiniMax-M2.7 reach 100%, GPT-5.4 reaches 96.51%, and Gemini-3.1-Pro-Preview reaches 97.76%. Only Opus-4.6 is substantially lower at 25.19% (Xie et al., 13 Jun 2026). This pattern is the basis for the paper’s claim that trust-transfer composition exposes risk that is largely absent under isolated evaluation.
SCR-AuthBlur results
In SCR-AuthBlur, the average risky-approval rates are:
- 4: 15.7%
- 5: 27.0%
- 6: 34.0%
Thus 7 percentage points and 8 percentage points. The paper states that the risky-approval rate increases by 71.8% relative to the 9 isolated baseline under the 0 context setting, corresponding to the change from 15.7% to 27.0% (Xie et al., 13 Jun 2026).
On the stricter 52-case audited subset that includes 1, the averages are:
- 2: 14.6%
- 3: 35.1%
- 4: 18.4%
- 5: 39.6%
This suggests that weak findings alone have a milder effect than related context or stronger advisory semantics (Xie et al., 13 Jun 2026). This suggests that authorization confusion is sensitive not only to the presence of upstream information, but also to the semantic strength of that information.
5. Interpretation and benchmark significance
SCR-Bench is significant because it shifts agent-skill security evaluation from artifact-level vetting to path-aware evaluation. The benchmark shows that harmful behavior can emerge from three semantic boundary crossings: data becoming an execution target in capability flow, a review signal becoming downstream legitimacy in trust transfer, and advisory context being treated as approval evidence in authorization confusion (Xie et al., 13 Jun 2026).
A common misconception is that composition risk requires a single overtly malicious skill. SCR-Bench rejects that framing. Its motivating claim is that a skill can appear benign alone yet become harmful when its outputs, trust signals, authorization cues, or side effects influence later invocations along an activated path (Xie et al., 13 Jun 2026). Another misconception is that explanation or rationale quality is sufficient for security evaluation. SCR-Bench instead requires a bad event with an observable downstream effect.
The benchmark also implies that isolated vetting is necessary but insufficient. A plausible implication is that runtime defense, auditing, and policy enforcement in agent ecosystems must reason about likely composition edges and not merely about local skill descriptions.
6. Relation to broader benchmark design and limitations
SCR-Bench is presented as a benchmark specifically for path-level risks in skill ecosystems, not as an exhaustive taxonomy of all agent vulnerabilities. Its benchmark logic resembles other scenario-based evaluation frameworks in treating the scenario or case as the unit of evaluation, but its distinguishing feature is that success is determined by sandboxed downstream state change rather than text-only scoring (Xie et al., 13 Jun 2026).
The paper also states several limitations. SCR-AuthBlur is reported conservatively because 6 is excluded from the main table and evaluated only on a stricter audited subset. More broadly, all experiments use controlled, sandboxed, mock side-effect environments. This provides ground truth, but abstracts away open-registry heterogeneity, runtime policy complexity, and production noise (Xie et al., 13 Jun 2026). This suggests that the benchmark is best interpreted as a controlled diagnostic instrument rather than a complete model of deployed agent ecosystems.
The paper identifies future directions including validation in larger open skill registries and production-like runtimes (Xie et al., 13 Jun 2026). It also leaves open questions about estimating path activation in real deployments and about building runtime guards that reason over path semantics rather than isolated artifacts.
In its current form, SCR-Bench establishes a benchmark vocabulary centered on activated composition paths, mechanism-specific bad events, and empirical attack success rates. Its main empirical conclusion is that composed paths expose risks that are largely absent under isolated evaluation, with average ASR rising to 33.6% in SCR-CapFlow, 83.89% in endorsed TrustLift settings, and a 71.8% relative increase in risky approvals in AuthBlur under 7 (Xie et al., 13 Jun 2026).