🤖 AI Summary
This work uncovers a novel security threat in agentic AI systems stemming from dynamic skill-loading mechanisms: attackers can inject malicious instructions into skill documentation files (e.g., SKILL.md) to covertly manipulate benign skills at runtime, enabling stealthy exploitation. To counter this, the authors propose a kernel-level defense that enforces read-only mounting of skill directories, effectively blocking such attacks without requiring any modifications to application code. Empirical evaluation across popular agent frameworks—including OpenHands and Claude Code—demonstrates the high success rate of the proposed attack vector, while confirming that the defense completely prevents malicious injection without impairing legitimate skill functionality. This study is the first to systematically characterize and mitigate this emerging attack surface in agentic AI systems.
📝 Abstract
Skills are a key enabling component of agentic AI. While they enhance agents' capabilities, they also introduce new attack surfaces. In this work, we investigate one such attack surface by demonstrating dynamic malicious skills. By embedding malicious instructions in natural-language documentation (e.g., SKILL.md), an attacker can induce an agent to dynamically inject malicious logic into an otherwise benign skill during execution. We evaluate this attack across agentic frameworks such as OpenHands and Claude Code, showing that dynamic malicious skills can successfully introduce a range of malicious behaviors at runtime with non-trivial success rates. To mitigate this vulnerability, we propose a system-level defense that prevents dynamic modification of skills using operating system kernel-enforced read-only mounts. Our evaluation demonstrates that this defense effectively blocks dynamic malicious skills while preserving the functionality of benign skills.