Search papers, labs, and topics across Lattice.
This paper introduces PhantomSkill, an attack framework that exploits the vulnerabilities in agent skill ecosystems by embedding malicious behavior within auxiliary resources rather than the skill's textual description. The core technique, VulMask, cleverly transforms overtly malicious scripts into seemingly benign code that activates harmful behavior only under specific trigger conditions, significantly reducing detection rates by automated reviewers. The findings highlight the urgent need for enhanced security measures in skill ecosystems, advocating for resource-level vetting and execution-time containment to mitigate these newly identified risks.
Malicious code can now masquerade as ordinary vulnerabilities, evading detection while still compromising agent skills.
Agent skills allow LLM-based coding agents to acquire domain-specific capabilities from third-party packages, but they also introduce a new supply-chain attack surface. We present PhantomSkill, an attack framework that hides malicious behavior in a skill's auxiliary resources rather than in its textual description. Its core technique, VulMask, rewrites overt malicious scripts into vulnerability-shaped implementations whose malicious behavior is activated only under attacker-controlled trigger conditions. This design shifts the visible signal from explicit malicious intent to ordinary-looking insecure code. Across representative host skills, attack goals, coding agents, generation models, and automated reviewers, VulMask preserves benign utility while reducing warning and malware-level detection compared with overt malicious scripts. Our results show that skill ecosystems require resource-level vetting, execution-time containment, and security policies that treat exploitable vulnerabilities in agent skills as potential malicious payloads.