Towards Secure Agent Skills: Architecture, Threat Taxonomy, and Security Analysis
Zhiyuan Li, Jingzheng Wu, Xiang Ling, Xing Cui, Tianyue Luo

TL;DR
This paper provides the first comprehensive security analysis of the Agent Skills framework, identifying attack surfaces, constructing a threat taxonomy, and offering security recommendations for LLM-based agent skill ecosystems.
Contribution
It introduces a lifecycle-based threat taxonomy for Agent Skills, analyzes real-world incidents, and discusses security challenges and defenses for this emerging standard.
Findings
Seven threat categories and seventeen scenarios identified.
Most severe threats stem from structural properties of the framework.
Security issues cannot be fully mitigated through incremental measures.
Abstract
Agent Skills is an emerging open standard that defines a modular, filesystem-based packaging format enabling LLM-based agents to acquire domain-specific expertise on demand. Despite rapid adoption across multiple agentic platforms and the emergence of large community marketplaces, the security properties of Agent Skills have not been systematically studied. This paper presents the first comprehensive security analysis of the Agent Skills framework. We define the full lifecycle of an Agent Skill across four phases -- Creation, Distribution, Deployment, and Execution -- and identify the structural attack surface each phase introduces. Building on this lifecycle analysis, we construct a threat taxonomy comprising seven categories and seventeen scenarios organized across three attack layers, grounded in both architectural analysis and real-world evidence. We validate the taxonomy through…
