Hacker News
arXiv 2601.10338: 26.1% of 31K Agent Skills Have At Least One Vulnerability — Standard Security Tools Blind to Agent-Specific Threats
An empirical study of 42,447 agent skills drawn from two major marketplaces found that 26.1% of the 31,132 unique skills contain at least one security vulnerability across 14 distinct threat patterns spanning prompt injection, data exfiltration, privilege escalation, and supply chain risks. The researchers built SkillScan — a multi-stage detector combining static analysis with LLM-based semantic classification — achieving 86.7% precision and 82.5% recall. Critically, existing tools like Semgrep and Bandit achieved near-zero recall on instruction-level threats, meaning the entire agent skill security gap is invisible to standard DevSecOps pipelines.
Source
↳ Follow the thread