SkillScope: Toward Fine-Grained Least-Privilege Enforcement for Agent Skills

TL;DR

SkillScope is a framework that enforces fine-grained least-privilege constraints on agent skills by analyzing instruction and code-level actions, significantly reducing over-privilege violations.

Contribution

It introduces a graph-based analysis approach for detecting and constraining over-privileged actions in agent skills, addressing task-conditioned privilege issues.

Findings

Achieves 94.53% F1 in skill over-privilege detection.

Validates over-privileged behaviors in 7,039 skills from real-world data.

Reduces over-privileged action instances by 88.56% while maintaining task success.

Abstract

Agent Skills have become a practical way to extend LLM agents by packaging metadata, natural-language instructions, and executable resources into reusable capability bundles. However, this growing Skill ecosystem introduces a new compliance risk: a Skill may perform high-impact actions that exceed the minimum necessary scope of the user's current task, thereby violating least-privilege. Existing skill detection approaches are insufficient for this problem because it is inherently task-conditioned: the same action may be necessary under one user prompt but over-privileged under another. In this paper, we present SkillScope, a framework for fine-grained least-privilege enforcement in Agent Skills. SkillScope adopts a graph-based analysis approach that models instruction-level procedures and code-level operations as fine-grained action nodes. It extracts potential over-privilege candidates, validates them under graph-instantiated user tasks through replay-based analysis, and constrains validated over-privileged actions via control-flow privilege constraining. We evaluate SkillScope through effectiveness experiments and large-scale real-world measurement. SkillScope achieves 94.53% F1 for skill over-privilege detection. In the wild, SkillScope validates 7,039 Skills with over-privileged behaviors, showing that least-privilege violations are prevalent in current Skill ecosystems. In the privilege-constraining evaluation, SkillScope reduces triggered over-privileged action-in-task instances by 88.56% while preserving legitimate task completion.