The authors study semantic supply-chain attacks on AI agent skill registries, where adversaries manipulate the natural-language SKILL.md metadata files that describe when and how agents should use modular capabilities. They demonstrate attacks across three stages: in Discovery, short textual triggers manipulate embedding-based retrieval to boost adversarial skill visibility; in Selection, description framing biases agents toward malicious variants; and in Governance, semantic evasion helps malicious skills bypass blocking. Experiments with real skills show adversarial variants achieve 77.6% selection rate and evade detection in 36.5-100% of cases.
Main takeaways:
- Agent skill registries use natural-language metadata (SKILL.md files) to describe capabilities, but this text is operational—it affects discovery, selection, and governance.
- Short textual triggers can manipulate embedding-based retrieval to make adversarial skills appear in top-10 results 80% of the time.
- Description-only framing causes agents to select functionally equivalent adversarial variants in 77.6% of paired trials on average.
- Semantic evasion strategies (rewording descriptions) help malicious skills avoid blocking in 36.5-100% of test cases.
- The attacks exploit the fact that natural-language descriptions are both human-readable and machine-actionable, creating a semantic attack surface.