Search papers, labs, and topics across Lattice.
This paper investigates the vulnerabilities associated with dynamic malicious skills in agentic AI, where attackers can embed harmful instructions within natural-language documentation to alter the behavior of otherwise benign skills during execution. The authors evaluate this attack across various agentic frameworks, revealing that such malicious skills can successfully introduce harmful behaviors at runtime with significant success rates. To counter this threat, they propose a system-level defense that employs kernel-enforced read-only mounts, effectively blocking these dynamic modifications while maintaining the functionality of benign skills.
Attackers can exploit dynamic malicious skills to inject harmful logic into agentic AI, posing a serious threat to operational integrity.
Skills are a key enabling component of agentic AI. While they enhance agents' capabilities, they also introduce new attack surfaces. In this work, we investigate one such attack surface by demonstrating dynamic malicious skills. By embedding malicious instructions in natural-language documentation (e.g., SKILL.md), an attacker can induce an agent to dynamically inject malicious logic into an otherwise benign skill during execution. We evaluate this attack across agentic frameworks such as OpenHands and Claude Code, showing that dynamic malicious skills can successfully introduce a range of malicious behaviors at runtime with non-trivial success rates. To mitigate this vulnerability, we propose a system-level defense that prevents dynamic modification of skills using operating system kernel-enforced read-only mounts. Our evaluation demonstrates that this defense effectively blocks dynamic malicious skills while preserving the functionality of benign skills.