π€ AI Summary
This study addresses the emergent security risks arising from the compositional use of multiple skills by large language model (LLM) agentsβrisks that remain undetectable under conventional isolated evaluations. To this end, the work introduces the novel concept of Skill Composition Risk (SCR) and presents SCR-Bench, a benchmark that enables dynamic assessment of collaborative vulnerabilities through path-level state tracking and downstream impact analysis within sandboxed environments. The paper establishes an innovative path-level security evaluation paradigm and designs a comprehensive testing framework encompassing three representative threat scenarios: capability flow, trust transfer, and authorization confusion. Experimental results demonstrate substantially elevated attack success rates in compositional settings: 33.6% for SCR-CapFlow, over 96.5% for SCR-TrustLift, and a 71.8% increase in risky approval rates for SCR-AuthBlur compared to baseline conditions.
π Abstract
Skills are becoming the capability layer through which LLM agents turn plans into actions, but their use introduces security risks such as data leakage, unauthorized operations, and tool misuse. Existing vetting usually evaluates each skill in isolation, while real agent tasks often invoke multiple skills in a shared execution context. This creates Skill Composition Risk (SCR): a skill that appears benign alone can become harmful when its outputs, trust signals, authorization cues, or side effects influence later invocations along an activated path. We introduce SCR-Bench to evaluate this risk in controlled, sandboxed skill environments. Rather than relying only on textual intent or surface behavior, SCR-Bench records downstream state changes and path-level outcomes across composed skill executions. It contains three sub-benchmarks: SCR-CapFlow for capability-flow composition, SCR-TrustLift for trust-transfer composition, and SCR-AuthBlur for authorization-confusion composition. Across SCR-Bench, composed paths expose risks that are largely absent under isolated evaluation. In SCR-CapFlow, attack success rate reaches 33.6 percent under composition, compared with near-zero isolated baselines. In SCR-TrustLift, attack success rate exceeds 96.5 percent on four of five backends. In SCR-AuthBlur, the risky-approval rate increases by 71.8 percent relative to the L0 isolated baseline under the L1 context setting. These results show that agent skill security should be assessed at the level of activated paths rather than isolated artifacts. SCR and SCR-Bench provide a foundation for path-aware risk evaluation and defense in LLM agent skill ecosystems. Benchmark: https://github.com/saint-viperx/SCR_Bench.