Under the Hood of SKILL.md: Semantic Supply-chain Attacks on AI Agent Skill Registry
Shoumik Saha, Kazem Faghih, Soheil Feizi

TL;DR
This paper reveals vulnerabilities in AI agent skill registries, showing how semantic manipulations of SKILL.md files can influence skill discovery, selection, and governance, posing security risks.
Contribution
It systematically studies semantic supply-chain attacks on SKILL.md-based AI agent skill registries across multiple lifecycle stages, highlighting operational risks.
Findings
Adversarial triggers can manipulate skill visibility with up to 86% success.
Description framing biases agent skill selection in 77.6% of trials.
Semantic evasion can bypass blocking in 36.5%-100% of cases.
Abstract
Autonomous AI agents increasingly extend their capabilities through Agent Skills: modular filesystem packages whose SKILL.md files describe when and how agents should use them. While this design enables scalable, on-demand capability expansion, it also introduces a semantic supply-chain risk in which natural-language metadata and instructions can affect which skills are admitted, surfaced, selected, and loaded. We study SKILL.md-only attacks across three registry-facing stages of the Agent Skill lifecycle, using real ClawHub skills and realistic registry mechanisms. In Discovery, short textual triggers can manipulate embedding-based retrieval and improve adversarial skill visibility, achieving up to 86% pairwise win rate and 80% Top-10 placement. In Selection, description-only framing biases agents toward functionally equivalent adversarial variants, which are selected in 77.6% of…
