Malicious Agent Skills in the Wild: A Large-Scale Security Empirical Study
Yi Liu, Zhihao Chen, Yanjun Zhang, Gelei Deng, Yuekang Li, Jianting Ning, Ying Zhang, Leo Yu Zhang

TL;DR
This study constructs and analyzes a large dataset of malicious skills in AI agents, revealing prevalent attack types, vulnerabilities, and actor behaviors to inform security improvements.
Contribution
It is the first to behaviorally verify and characterize malicious agent skills at scale, providing a labeled dataset and insights into attack archetypes and vulnerabilities.
Findings
157 malicious skills confirmed out of 98,380 analyzed
Malicious skills average 4 vulnerabilities and span multiple attack phases
Two main attack archetypes identified: Data Thieves and Agent Hijackers
Abstract
Third-party agent skills extend LLM-based agents with instruction files and executable code that run on users' machines. Skills execute with user privileges and are distributed through community registries with minimal vetting, but no ground-truth dataset exists to characterize the resulting threats. We construct the first labeled dataset of malicious agent skills by behaviorally verifying 98,380 skills from two community registries, confirming 157 malicious skills with 632 vulnerabilities. These attacks are not incidental. Malicious skills average 4.03 vulnerabilities across a median of three kill chain phases, and the ecosystem has split into two archetypes: Data Thieves that exfiltrate credentials through supply chain techniques, and Agent Hijackers that subvert agent decision-making through instruction manipulation. A single actor accounts for 54.1% of confirmed cases through…
Taxonomy
Topics: Advanced Malware Detection Techniques · Spam and Phishing Detection · Web Application Security Vulnerabilities
