PhantomSkill: Malicious Code Injection in Agent Skill Ecosystems

📅 2026-06-17
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses a novel supply chain attack vector in large language model agent ecosystems, where third-party skill packages are vulnerable to malicious code that evades existing intent- or text-based detection mechanisms. The authors propose PhantomSkill, an attack framework that embeds malicious payloads into auxiliary skill resources and conceals them as benign exploitable vulnerabilities using a code-rewriting technique called VulMask. These payloads remain dormant until activated under attacker-controlled conditions, preserving the skill’s legitimate functionality while significantly reducing detection likelihood by current auditing tools. Experimental evaluation demonstrates PhantomSkill’s effectiveness across diverse agent frameworks, language models, and detection systems, exposing a critical gap in the ecosystem’s security posture: the absence of resource-level integrity verification in skill vetting processes.
📝 Abstract
Agent skills allow LLM-based coding agents to acquire domain-specific capabilities from third-party packages, but they also introduce a new supply-chain attack surface. We present PhantomSkill, an attack framework that hides malicious behavior in a skill's auxiliary resources rather than in its textual description. Its core technique, VulMask, rewrites overt malicious scripts into vulnerability-shaped implementations whose malicious behavior is activated only under attacker-controlled trigger conditions. This design shifts the visible signal from explicit malicious intent to ordinary-looking insecure code. Across representative host skills, attack goals, coding agents, generation models, and automated reviewers, VulMask preserves benign utility while reducing warning and malware-level detection compared with overt malicious scripts. Our results show that skill ecosystems require resource-level vetting, execution-time containment, and security policies that treat exploitable vulnerabilities in agent skills as potential malicious payloads.
Problem

Research questions and friction points this paper is trying to address.

supply-chain attack
malicious code injection
agent skills
vulnerability-shaped implementation
LLM-based coding agents
Innovation

Methods, ideas, or system contributions that make the work stand out.

PhantomSkill
VulMask
malicious code injection
agent skill ecosystems
supply-chain attack
🔎 Similar Papers
No similar papers found.