Towards Secure Agent Skills: Architecture, Threat Taxonomy, and Security Analysis

Date: 2026-04-03
Citations: 0 (influential: 0)
AI Summary
This work addresses the absence of systematic security research in current agent skills frameworks, which introduces structural risks. It proposes the first comprehensive security analysis framework spanning the entire lifecycle—creation, distribution, deployment, and execution—and establishes a threat taxonomy encompassing three attack surfaces and seventeen threat scenarios across seven categories. Through architectural analysis and threat modeling, the study identifies inherent design flaws—such as the lack of clear boundaries between data and instructions and the persistent trust model stemming from one-time authorization—as the primary sources of high-severity risks. These findings are empirically validated against real-world security incidents, leading to concrete, targeted defense strategies and practical mitigation recommendations.
Abstract
Agent Skills is an emerging open standard that defines a modular, filesystem-based packaging format enabling LLM-based agents to acquire domain-specific expertise on demand. Despite rapid adoption across multiple agentic platforms and the emergence of large community marketplaces, the security properties of Agent Skills have not been systematically studied. This paper presents the first comprehensive security analysis of the Agent Skills framework. We define the full lifecycle of an Agent Skill across four phases -- Creation, Distribution, Deployment, and Execution -- and identify the structural attack surface each phase introduces. Building on this lifecycle analysis, we construct a threat taxonomy comprising seven categories and seventeen scenarios organized across three attack layers, grounded in both architectural analysis and real-world evidence. We validate the taxonomy through analysis of five confirmed security incidents in the Agent Skills ecosystem. Based on these findings, we discuss defense directions for each threat category, identify open research challenges, and provide actionable recommendations for stakeholders. Our analysis reveals that the most severe threats arise from structural properties of the framework itself, including the absence of a data-instruction boundary, a single-approval persistent trust model, and the lack of mandatory marketplace security review, and cannot be addressed through incremental mitigations alone.
Problem

Research questions and friction points this paper is trying to address.

Keywords: Agent Skills, security analysis, threat taxonomy, LLM-based agents, attack surface
Innovation

Methods, ideas, or system contributions that make the work stand out.

Keywords: Agent Skills, threat taxonomy, security analysis, LLM-based agents, attack surface
Authors

Zhiyuan Li
Institute of Software, Chinese Academy of Sciences, Beijing, China; University of Chinese Academy of Sciences, Beijing, China

Jingzheng Wu
Institute of Software, Chinese Academy of Sciences, Beijing, China; Key Laboratory of System Software (Chinese Academy of Sciences), Beijing, China

Xiang Ling
Institute of Software, Chinese Academy of Sciences
Research areas: Computer Science; System Security; Software Security; AI Security

Xing Cui
Institute of Software, Chinese Academy of Sciences, Beijing, China; University of Chinese Academy of Sciences, Beijing, China

Tianyue Luo
Institute of Software, Chinese Academy of Sciences, Beijing, China