A July 16 arXiv preprint evaluated 327 real-world AI agent skills and found security vulnerabilities at multiple stages of their lifecycle, beyond the execution phase where most research stops [S1]. Two days earlier, NVIDIA published SkillSpector, an open-source scanner for detecting malicious patterns in agent skills [P3]. The timing raises a question every team building AI agents should be asking: if the modular capabilities your agent downloads and runs can be compromised before they ever execute, who is checking?
The blind spot in agent security
Reusable skills are increasingly serving as core components for LLM agents, enabling the packaging, sharing, and reuse of capabilities across different applications [S1]. Think of a skill as a plugin for an AI agent: one might handle web searches, another might parse invoices, a third might draft emails. An agent loads the ones it needs, when it needs them.
Until now, security research on AI agents has focused on two threats: prompt injection, where malicious input tricks the model, and runtime execution, where code actually runs [S1]. That coverage makes sense. Those are the most visible attack vectors. But it leaves the rest of a skill's life unexamined.
The unpeer-reviewed paper [S1] outlines five lifecycle phases where attacks might happen. The stages include repository admission, where a skill is accepted into a library; semantic retrieval, where the agent locates the appropriate skill; planner selection, where the agent chooses to employ it; execution, where the skill runs; and skill evolution, where the skill undergoes changes over time [S1].
The finding: vulnerabilities arise at multiple stages beyond execution [S1]. For instance, a harmful skill could bypass admission controls and act differently based on the retrieving agent. Alternatively, a modified skill could begin safely and become malicious following an update. These are supply-chain risks, closer to what software engineers worry about with npm packages than what AI researchers usually study.
NVIDIA's scanner lands first
Released on July 14 via GitHub, NVIDIA's SkillSpector functions as a Python-based security tool for scanning AI agent skills [P3]. The tool identifies security flaws, harmful behaviors, and risks within skill packages. The repository has already drawn 13,156 stars and 1,066 forks in its first days [P3], suggesting the developer community recognises the problem even before academic frameworks catch up.
A separate preprint titled "Towards Secure Agent Skills" outlines Agent Skills as a developing open standard using a modular, filesystem-based packaging format, allowing LLM agents to gain specific expertise as needed [P4]. That paper notes rapid adoption across multiple agentic platforms. Additionally, OWASP has introduced its "Let's Threat Model" project, designed to assist teams in spotting threats within agentic AI systems during the initial development phases [P5].
The pieces are converging. A packaging standard, a threat taxonomy, an industry scanner, and an OWASP project all appeared within a narrow window. The skill-layer gap this preprint identifies exacerbates the existing cost asymmetry in AI security: each shared skill is a new entry point that defenders must monitor, but attackers only need one to slip through.
What it means
For anyone building or using AI agents, the core insight is practical: treat each skill as a dependency. And like any dependency in software, it carries supply-chain risk.
Called SkillSec-Eval, the framework represents the authors' method for systematically assessing this risk throughout the entire lifecycle [S1]. It considers every phase, from admission through evolution, as a possible attack vector. That is a shift from treating agent security as a runtime-only problem to treating it as a lifecycle problem.
If you already run dependency scanners on your code repositories, the mental model transfers. The difference is that agent skills can be semantically retrieved and selected by the model itself, which means the attack surface includes how the agent searches for and chooses skills, and what the skills contain.
What it means for business
A two-person firm building a custom agent on top of an open-weight model faces a concrete new task: vetting the skills that agent loads. Today, most teams pull skills from public repositories with little scrutiny, the way early JavaScript projects pulled npm packages without lockfiles.
For a suburban agency using an agent platform that auto-loads skills, the risk is more passive but no less real. A compromised skill in the platform's repository could exfiltrate client data or manipulate outputs without anyone noticing. The agency's due diligence question shifts from "is the model safe?" to "is the skill library curated?"
Larger organisations face the evolution problem directly. Skills that update automatically can drift from safe to unsafe between audits. SkillSpector [P3] offers a starting point for automated scanning, but it is a community tool, not an enterprise-grade pipeline. Teams shipping agents to production should treat skill security the way they treat container image scanning: continuous and automated, blocking on critical findings.
What we don't know yet
The preprint has not been peer-reviewed, and all findings are self-reported by the authors [S1]. The abstract does not disclose specific attack success rates or defense efficacy metrics, so we cannot assess how severe the vulnerabilities are in quantitative terms.
Although the 327-skill repository reflects real-world conditions, the specific platforms or vendors providing these skills remain unknown. It is also unclear how representative the sample is or if the proposed threat taxonomy will be adopted as an industry standard instead of staying an academic exercise.
While NVIDIA's SkillSpector is expanding rapidly, it remains a nascent open-source initiative with 75 unresolved issues [P3]. Its detection coverage and false-positive rate are not yet documented in a published evaluation.
The next concrete signal to watch: whether the SkillSec-Eval framework or a derivative gets adopted by a major agent platform, and whether peer review confirms the lifecycle-stage vulnerabilities the preprint reports. Until then, the safest assumption is that agent skills are dependencies, and dependencies need scanning.
If this kind of reporting helps you see around corners, subscribe to keep reading.
Sources
- [S1] Agent Skill Security: Threat Models, Attacks, Defenses, and Evaluation — arXiv preprint (cs.AI, cs.LG) (attributed)
- [P2] Agent Skill Security: Threat Models, Attacks, Defenses, and Evaluation — Agent Skill Security: Threat Models, Attacks, Defenses, and Evaluation (attributed)
- [P3] NVIDIA/SkillSpector — NVIDIA/SkillSpector (attributed)
- [P4] Towards Secure Agent Skills: Architecture, Threat Taxonomy, and Security Analysis — Towards Secure Agent Skills: Architecture, Threat Taxonomy, and Security Analysis (attributed)
- [P5] OWASP/www-project-lets-threat-model — OWASP/www-project-lets-threat-model (attributed)
More from Not A Tech Guy
- Vulnerability scanner divergence explained in new arXiv framework
- LLM framework automates adversary emulation at 84% success
- RL agent stabilises pendulum beyond Kapitza with Lyapunov reward
Generated from an audited evidence pack with primary-source research. Social-media items are discussion signals, not verified facts. Nothing here is financial, legal or medical advice.