Taxonomy of vulnerability categories in agent skills

Characterize and classify the categories of security vulnerabilities that occur in agent skills, which combine SKILL.md instruction files and optionally bundled executable scripts, to establish a systematic taxonomy of the distinct patterns present in this ecosystem.

Background

Agent skills introduce a threat model that differs from the one considered in prior LLM-focused studies: they bundle instructions with executable code and operate with high trust, which enables data exfiltration, privilege escalation, and supply chain risks.

The paper emphasizes the lack of a systematic understanding of the types of vulnerabilities in this ecosystem, which motivates the development of a grounded taxonomy derived from large-scale analysis.

References

Basic questions remain open. What categories of vulnerabilities exist?

Agent Skills in the Wild: An Empirical Study of Security Vulnerabilities at Scale (2601.10338 - Liu et al., 15 Jan 2026) in Section 1 (Introduction)