Papers
Topics
Authors
Recent
Search
2000 character limit reached

SkillFortify: Fortifying Agent Skills

Updated 5 July 2026
  • SkillFortify is a framework for bundling agent skills into secure, reusable packages (including SKILL.md files, scripts, and metadata) that enhance system robustness.
  • It employs formal analysis, package auditing, and path-aware composition to detect and mitigate vulnerabilities across the skill lifecycle.
  • Compilation and fine-tuning techniques within SkillFortify improve performance and trustworthiness by managing capabilities, enforcing constraints, and iteratively refining skills.

Searching arXiv for the cited SkillFortify-related papers to ground the article in current preprints. SkillFortify is a research designation used across several 2026 preprints for methods that fortify, audit, compile, and optimize agent skills as reusable capability units rather than as isolated prompts. Across these works, a “skill” may be a package containing SKILL.md, scripts, references, and repository context; a portable SKILL.md artifact with YAML frontmatter and Markdown body; a runtime meta-tool accessed through a virtual file system; or a high-level instruction file that governs an agent’s decomposition, tool-use, and repair behavior. The common premise is that security, robustness, and utility depend on structure, context, and lifecycle management rather than on prompt text alone (Bhardwaj, 27 Feb 2026, Lv et al., 28 Apr 2026, Ouyang et al., 5 May 2026, Xie et al., 13 Jun 2026, Hu et al., 13 May 2026, Liu et al., 9 Apr 2026, Zhu et al., 20 May 2026).

1. Research scope and skill abstractions

A recurring theme in the SkillFortify literature is that skills are the capability layer through which LLM agents turn plans into actions. In package-oriented formulations, Agent Skills package SKILL.md, scripts, references, and repository context into loadable capability units; flattening them into a single prompt drops the package structure that links risk evidence across roles (Lv et al., 28 Apr 2026). In compiler-oriented work, SKILL.md is treated as the de facto, portable skill format consisting of YAML frontmatter and a Markdown body, with progressive disclosure in which agents load lightweight metadata at initialization and fetch full skill content on demand (Ouyang et al., 5 May 2026). In cloud technical support, a skill is a portable, file-based package loaded at runtime as a meta-tool and accessed via a Virtual File System (VFS), containing SKILL.md, curated references, and references/tools.json, with no arbitrary scripts and only pre-verified tools (Liu et al., 9 Apr 2026). In Text-to-SQL, a skill is a high-level instruction file governing decomposition style, schema exploration, SQL drafting and repair patterns, schema linking rules, validation, and tool-use policies (Zhu et al., 20 May 2026).

This diversity suggests that SkillFortify is best understood as an umbrella for fortifying the skill layer at multiple points: supply-chain ingestion, pre-load auditing, compile-time hardening, runtime composition control, downstream fine-tuning, and iterative skill refinement. A plausible implication is that the term names a research program or architectural family rather than a single canonical implementation.

Strand Core concern Paper
Formal supply-chain security Static analysis, sandboxing, dependency resolution, trust algebra (Bhardwaj, 27 Feb 2026)
Robust pre-load auditing Three-way classification of untrusted skill packages (Lv et al., 28 Apr 2026)
Portable secure compilation SkIR, multi-backend emission, Anti-Skill Injection (Ouyang et al., 5 May 2026)
Composition-aware security Path-level risk in multi-skill execution (Xie et al., 13 Jun 2026)
Alignment-preserving finetuning Filtering harmful and implicitly harmful finetuning data (Hu et al., 13 May 2026)
Self-evolving domain skills Creation-evaluation-refinement loop from operational evidence (Liu et al., 9 Apr 2026)
Residual ensemble skills Complementary skills for Text-to-SQL Pass@K (Zhu et al., 20 May 2026)

A common misconception is that a skill can be vetted as a static prompt artifact. The SkillFortify literature rejects that simplification in three different ways: package-level work emphasizes cross-file evidence, composition work emphasizes activated paths rather than isolated artifacts, and compiler/runtime work emphasizes typed constraints, capabilities, and deployment context.

2. Formal supply-chain security foundations

The most explicitly formal SkillFortify formulation is presented as “the first formal analysis framework for agent skill supply chains” (Bhardwaj, 27 Feb 2026). It is motivated by the rapid proliferation of agentic skill ecosystems, including OpenClaw with 228,000 GitHub stars and Anthropic Agent Skills with 75,600 stars, together with security incidents such as CVE-2026-25253, the ClawHavoc campaign infiltrating over 1,200 malicious skills into the OpenClaw marketplace, and MalTool’s catalog of 6,487 malicious tools. The paper argues that post-incident reactive tools are heuristic and do not provide formal guarantees (Bhardwaj, 27 Feb 2026).

The framework models the skill lifecycle as the ordered five-phase chain

π=Install,Load,Configure,Execute,Persist,\pi = \langle Install, Load, Configure, Execute, Persist \rangle,

with six attack classes mapped to lifecycle phases. Its DY-Skill attacker model is a Dolev-Yao adaptation to this lifecycle. The attacker maintains knowledge KK closed under intercept, inject, modify, drop, forge skills, and compromise registries, with monotonicity, interception closure, and forge closure as invariants. Under the Perfect Sandbox Assumption, a correctly implemented sandbox prevents access to resources rCapD(s)r \notin Cap_D(s) without an explicit capability whose resource matches rr (Bhardwaj, 27 Feb 2026).

Static analysis is grounded in abstract interpretation over a capability lattice

Lcap=({NONE,READ,WRITE,ADMIN},),\mathbb{L}_{\mathit{cap}} = (\{\mathsf{NONE}, \mathsf{READ}, \mathsf{WRITE}, \mathsf{ADMIN}\}, \sqsubseteq),

with resource universe

C={filesystem,  network,  environment,  shell,  skill_invoke,  clipboard,  browser,  database}.\mathcal{C} = \{filesystem,\; network,\; environment,\; shell,\; skill\_invoke,\; clipboard,\; browser,\; database\}.

The framework defines concrete and abstract semantics, a Galois connection, capability inference, dangerous pattern detection, and a capability violation check based on whether the inferred capability set is pointwise bounded by the declared capability set. The stated soundness theorem implies that if Viol(s)=\mathit{Viol}(s)=\emptyset, concrete accesses cannot exceed declared capabilities for the analyzed properties (Bhardwaj, 27 Feb 2026).

SkillFortify also introduces capability-based sandboxing with confinement theorems, an Agent Dependency Graph (ADG) with SAT-based resolution and lockfile semantics, and a trust score algebra. The effective trust of a skill is defined as

Teff(s)=T(s)×mindtrans(s)T(d),T_{\mathrm{eff}}(s) = T(s) \times \min_{d \in \mathit{trans}(s)} T(d),

and the trust level mapping ranges from L0 (unsigned) to L3 (formally_verified). The paper proves monotonicity of trust under positive evidence and soundness of SAT-based resolution with deterministic lockfile generation (Bhardwaj, 27 Feb 2026).

Empirically, this formal line reports 96.95% F1 with 95% CI [95.1%, 98.4%], 100.00% precision, and 0% false positive rate on SkillFortifyBench, a 540-skill benchmark containing 270 malicious and 270 benign skills across Claude, MCP, and OpenClaw formats. SAT-based resolution handles 1,000-node graphs in 92.4 ms, and end-to-end scan processes 540 skills in 1.378 s, or 2.55 ms per skill (Bhardwaj, 27 Feb 2026). The principal limitation is that static-only analysis does not cover all registry-relational threats or dynamic behaviors, with false negatives concentrated in typosquatting, dependency confusion, and compact MCP configurations.

3. Structured auditing of untrusted skill packages

A second SkillFortify line treats pre-load auditing of untrusted Agent Skills as a robust three-way classification problem over packages rather than over prompts (Lv et al., 28 Apr 2026). A package is formalized as

P={(xi,ri)}i=1n,P = \{(x_i, r_i)\}_{i=1}^n,

where xix_i is file content and KK0. The classifier outputs KK1, with “malicious” requiring at least one decisive cross-file attack chain and “suspicious” reserved for boundary risks such as bootstrap or externalization that require block plus manual review (Lv et al., 28 Apr 2026).

The stated motivation is that single-prompt filtering is insufficient because decisive evidence is distributed across files and semantics-preserving rewrites cause label drift. The threat model highlights hidden override, disguised transfer, and remote bootstrap. Risks include unauthorized data transfer, downstream tool misuse, remote code execution via bootstrap chains, policy override, and privilege escalation. The main failure mode of naive guardrails is described as collapse from malicious to suspicious under rewrites and cross-file chain conflicts (Lv et al., 28 Apr 2026).

The proposed architecture, SkillGuard-Robust as adapted for SkillFortify, is factorized into four modules: role-aware evidence extraction, selective semantic verification, consistency-preserving adjudication, and anchor–rewrite consistency consolidation. Role-aware evidence extraction computes per-signal support across files while preserving role context, using noisy-or aggregation

KK2

so that a single strong file can dominate while dispersed weak signals can accumulate (Lv et al., 28 Apr 2026). Semantic verification is triggered only under structural ambiguity. Arbitration integrates structural scores with verifier outputs through

KK3

and uses chain dominance logic to avoid over-promoting bootstrap-heavy boundary cases to malicious. If anchor and rewrite clusters are available, the final module promotes a lingering suspicious anchor to malicious only when rewrites stabilize malicious with sufficient confidence and no benign label exists in the cluster (Lv et al., 28 Apr 2026).

The evaluation uses SkillGuardBench plus two public-ecosystem extensions, yielding 581 packages overall: 253 clean, 95 risk seeds, and 233 rewrites. Five evaluation views are reported: Main (401), All-HO (404), Int.-stress (344), Boundary (284), and Ext.-eco (254). On the 404-package held-out aggregate, SkillGuard-Robust reaches 97.30% overall exact match, 98.33% malicious-risk recall, and 98.89% attack exact consistency. On the 254-package external-ecosystem view, it reaches 99.66%, 100.00%, and 100.00%, respectively (Lv et al., 28 Apr 2026).

The baseline comparison is central to the argument. A strong remote single-shot baseline, Qwen2.5-14B plus full-package, achieves 78.17% overall exact, 55.67% malicious-risk recall, and 90.00% consistency on All-HO, with the directional failure characterized as collapse from malicious to suspicious even when risks are flagged. BundleJudge improves over this but retains collapse gaps on Int.-stress, Boundary, and Ext.-eco. Ablations attribute the largest gains to semantic verification, medium-scope repair to chain arbitration, and narrow residual removal to anchor consolidation (Lv et al., 28 Apr 2026).

Operationally, this line recommends treating skills as packages with roles, parsing SKILL.md for permissions and entry points, scanning scripts for network I/O and subprocesses, scanning references for concealed policies or handoff language, and scanning repository context for external endpoints or privileged CI/CD hooks. Suspicious cases are to block auto-load and route an evidence pack to human reviewers; malicious cases are to be rejected and reported. The paper’s own conclusion is bounded: factorized package auditing materially improves frozen and public-ecosystem robustness, while harsher external-source transfer remains an open challenge (Lv et al., 28 Apr 2026).

4. Composition risk and path-aware security

A third line broadens SkillFortify from isolated artifacts to composed execution paths. “Benign in Isolation, Harmful in Composition” formalizes Skill Composition Risk (SCR) as risk emerging when outputs, trust signals, authorization cues, or side effects from one skill influence later invocations through shared context (Xie et al., 13 Jun 2026). The ecosystem is modeled as a context-dependent composition graph

KK4

with composition edges

KK5

where KK6 is the output or state change of skill KK7 and KK8 is the downstream object consumed by KK9 or the planner. An activated path is

rCapD(s)r \notin Cap_D(s)0

and path risk decomposes as

rCapD(s)r \notin Cap_D(s)1

separating activation probability from conditional harmful-state probability (Xie et al., 13 Jun 2026).

This formulation is operationalized in SCR-Bench, which scores real downstream state changes in sandboxed environments rather than textual intent. SCR-CapFlow studies capability-flow composition, SCR-TrustLift studies trust-transfer composition, and SCR-AuthBlur studies authorization-confusion composition. For capability flow, success requires that an upstream discovery skill identify a concrete target, a downstream execution skill produce a side effect on that same target, and the sandbox verify target matching:

rCapD(s)r \notin Cap_D(s)2

For trust transfer, endorsement lift is defined as rCapD(s)r \notin Cap_D(s)3, and for authorization confusion the contamination effect is rCapD(s)r \notin Cap_D(s)4 (Xie et al., 13 Jun 2026).

The empirical results show why isolated vetting is inadequate. In SCR-CapFlow, Control and A-Only yield 0% ASR across all backends, and B-Only averages 1.4%, yet A+B Neutral reaches 33.6% average ASR and A+B Explicit reaches 35.9%; DeepSeek-V4 exceeds 90% ASR in both composed conditions (Xie et al., 13 Jun 2026). In SCR-TrustLift, Control ASR is near zero on four of five backends, but endorsed ASR averages 83.89%, with 100.00% on Opus-4.5 and MiniMax-M2.7, 96.51% on GPT-5.4, and 97.76% on Gemini 3.1 Pro Preview (Xie et al., 13 Jun 2026). In SCR-AuthBlur, average risky-approval rates rise from 15.7% at L0 to 27.0% at L1 and 34.0% at L3, with the L1 increase corresponding to a 71.8% relative rise over the L0 isolated baseline (Xie et al., 13 Jun 2026).

The path-aware SkillFortify architecture derived from these results includes a skill registry with security metadata, a composition risk analyzer building rCapD(s)r \notin Cap_D(s)5, a path simulator and sandbox, a trust and authorization policy engine, a capability-flow checker, telemetry with provenance logging, and risk aggregation using multi-hop ecosystem-level risk

rCapD(s)r \notin Cap_D(s)6

The stated design principles are path-aware vetting, least privilege and capability scoping, context isolation, trust-signal management, authorization boundary hardening, runtime interposition, and path-level monitoring (Xie et al., 13 Jun 2026).

The conceptual significance is that a skill may be benign in isolation yet unsafe in composition. This directly challenges artifact-centric security pipelines and suggests that review, auditing, and runtime enforcement must all operate at the level of activated paths rather than solely at the level of files or repositories.

5. Portable secure compilation and compile-time hardening

Another SkillFortify line focuses less on auditing and more on compilation. The SkCC work argues that nearly all skills exist as a single, format-agnostic Markdown version even though different frameworks exhibit starkly different sensitivities to formatting, with up to 40% performance variation from format changes alone (Ouyang et al., 5 May 2026). It also cites prior audits reporting that 37% of 3,984 community skills contain security vulnerabilities, including 76 confirmed malicious payloads, and that nearly one-third degrade agent performance because of formatting errors or missing guardrails (Ouyang et al., 5 May 2026).

SkCC introduces SkIR, a strongly-typed intermediate representation that decouples skill semantics from platform-specific formatting, and a four-phase pipeline: Frontend, IR Construction, Analyzer, and Backend. The Frontend parses YAML frontmatter and Markdown into a raw AST and normalized metadata; IR Construction lowers that representation into SkIR and computes properties such as nested data depth; the Analyzer performs schema validation, dependency validation, permission auditing, Anti-Skill Injection, and security level classification; and the Backend emits platform-native artifacts for Claude, Codex, Gemini, and Kimi together with a progressive routing manifest (Ouyang et al., 5 May 2026).

Security hardening occurs in the Analyzer through compile-time constraint insertion. The paper lists four rule families: HTTP safety, HTML parsing safety, DB safety, and loop safety. The stated invariants include a 10-second timeout and at most 3 retries on HTTP 403, a loop maximum iteration bound of 1000, and user confirmation plus affected-row display for destructive DB operations such as DROP, DELETE, and TRUNCATE. Constraint preservation and backend preservation are explicit design properties: Analyzer augments constraints without removing existing ones, and emitters must serialize all constraints rather than dropping them (Ouyang et al., 5 May 2026).

From a software-engineering perspective, the IR is intended to reduce adaptation complexity from

rCapD(s)r \notin Cap_D(s)7

to

rCapD(s)r \notin Cap_D(s)8

where rCapD(s)r \notin Cap_D(s)9 is the number of skills and rr0 is the number of target platforms. The claim is that Frontend and Analyzer run once per skill, while backends are reused across platforms (Ouyang et al., 5 May 2026).

Empirically, on SkillsBench, compiled skills improve pass rates from 21.1% to 33.3% on Claude Code and from 35.1% to 48.7% on Kimi CLI. Compilation latency averages 8.93 ms, Anti-Skill Injection triggers in 221 of 233 skills, or 94.8%, and runtime token savings range from 10% to 46% across platforms. Additional results report Claude token usage decreasing from 0.84M to 0.65M while reward rises from 0.245 to 0.378, Codex execution time dropping from 871 s to 500 s, and Gemini input tokens dropping from 530,586 to 418,762 (Ouyang et al., 5 May 2026).

The ablation result is important: the same Kimi-compiled format does not transfer uniformly to different models, with strong gains on kimi-k2.5 but negligible or inconsistent effects on glm-5.1 and deepseek-v4-flash. This supports the paper’s conclusion that multi-backend compilation is essential and that format sensitivity is model-dependent rather than universal (Ouyang et al., 5 May 2026).

6. Capability strengthening, alignment preservation, and self-evolving skills

Beyond artifact security, the SkillFortify literature also addresses how skills and skill-conditioned systems are improved over time. One strand integrates GradShield to preserve safety alignment during capability fine-tuning (Hu et al., 13 May 2026). The method computes a Finetuning Implicit Harmfulness Score (FIHS) for each example,

rr1

where the safety proxy is the start-token logit gap

rr2

High-FIHS points are filtered by an adaptive thresholding algorithm based on a Gaussian or two-component GMM, followed by binary search if safety or utility targets are not met. The paper reports that GradShield consistently maintains ASR below rr3 while preserving utility, including results such as ASR 0.01 with unchanged utility on LATharm + Samsum and ASR 0.01 ± 0.008 on Identity Shift + Samsum, where no defense yields ASR 0.75 ± 0.116. Typical overhead is about 25% for a 4-epoch job, and near-zero on benign datasets when the initial safety check passes (Hu et al., 13 May 2026).

A second strand, SkillForge, addresses domain-specific skill creation and self-evolution in cloud technical support (Liu et al., 9 Apr 2026). It defines an end-to-end creation-evaluation-refinement loop centered on a Domain-Contextualized Skill Creator plus a three-stage self-evolution pipeline of Failure Analyzer, Skill Diagnostician, and Skill Optimizer. Skills are grounded in historical ticket dialogues, tool registries, internal knowledge bases, and ticket-cited references. Bad cases are diagnosed along four dimensions—knowledge, tool, clarification, and style—and then mapped to concrete edits in SKILL.md, references/, and tools.json. Evaluation spans five scenarios—Account, Domain, DNS, OSS, and ECS—over 1,883 tickets and 3,737 tasks. The domain-contextualized creator improves average Strict Consistency Rate by +4.3 percentage points over a generic creator, and the self-evolution loop yields approximately +9–12 percentage point Strict gains within three iterations depending on the starting point. SkillForge v3 is reported to exceed a mature legacy decision-tree plus expert-prompts system by +13.76 percentage points Strict CR (Liu et al., 9 Apr 2026). Knowledge failures decline early and then plateau, which the authors attribute to knowledge-base coverage limits.

A third strand, DivSkill-SQL, specializes SkillFortify to Text-to-SQL ensembles (Zhu et al., 20 May 2026). Here the objective is complementary skill construction without model fine-tuning. For a skill set rr4,

rr5

Residual skill optimization trains each new skill on the examples all current skills fail on, aligning empirical optimization with the marginal gain

rr6

The paper proves a monotone submodular greedy guarantee,

rr7

for the surrogate objective. In practice, with rr8, temperature 0.2, up to 12 reasoning turns and 20 SQL executions, the method improves selected accuracy by up to +11.1 points on Snowflake and +8.3 on BigQuery over the strongest ensemble baseline, transfers across Snowflake, BigQuery, and SQLite without retraining, and reduces hallucinated schema references and missing-function calls by up to rr9 (Zhu et al., 20 May 2026).

Taken together, these lines show that SkillFortify extends beyond static security scanning. It also covers safe capability strengthening, domain-grounded skill synthesis, iterative repair from deployment feedback, and residual optimization of complementary behaviors. This suggests that fortification is treated not merely as blocking malicious content, but as maintaining trustworthy performance under adaptation, transfer, and continued deployment.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to SkillFortify.