This study addresses the emerging supply-chain threat of backdoor attacks introduced through third-party skill-embedded models in agent ecosystems, a risk inadequately mitigated by existing defenses. The work formally characterizes the “skill-embedded model” attack surface and introduces BadSkill, a novel attack framework that leverages semantic-composition triggers and a joint optimization objective—integrating classification loss, boundary separation, and poison focusing—to implant highly stealthy backdoors at low poisoning rates. Evaluated across five model families and eight architectures (ranging from 494M to 7.1B parameters), BadSkill achieves an average attack success rate of 99.5%, with 91.7% success at only 3% poisoning rate, demonstrating strong robustness against textual perturbations and model scaling.

Agent ecosystems increasingly rely on installable skills to extend functionality, and some skills bundle learned model artifacts as part of their execution logic. This creates a supply-chain risk that is not captured by prompt injection or ordinary plugin misuse: a third-party skill may appear benign while concealing malicious behavior inside its bundled model. We present BadSkill, a backdoor attack formulation that targets this model-in-skill threat surface. In BadSkill, an adversary publishes a seemingly benign skill whose embedded model is backdoor-fine-tuned to activate a hidden payload only when routine skill parameters satisfy attacker-chosen semantic trigger combinations. To realize this attack, we train the embedded classifier with a composite objective that combines classification loss, margin-based separation, and poison-focused optimization, and evaluate it in an OpenClaw-inspired simulation environment that preserves third-party skill installation and execution while enabling controlled multi-model study. Our benchmark spans 13 skills, including 8 triggered tasks and 5 non-trigger control skills, with a combined main evaluation set of 571 negative-class queries and 396 trigger-aligned queries. Across eight architectures (494M--7.1B parameters) from five model families, BadSkill achieves up to 99.5\% average attack success rate (ASR) across the eight triggered skills while maintaining strong benign-side accuracy on negative-class queries. In poison-rate sweeps on the standard test split, a 3\% poison rate already yields 91.7\% ASR. The attack remains effective across the evaluated model scales and under five text perturbation types. These findings identify model-bearing skills as a distinct model supply-chain risk in agent ecosystems and motivate stronger provenance verification and behavioral vetting for third-party skill artifacts.