Skip to content
Sagan

Paper

Under the Hood of SKILL.md: Semantic Supply-chain Attacks on AI Agent Skill Registry

Unreadunread

AI summary

The authors study semantic supply-chain attacks on AI agent skill registries, where adversaries manipulate the natural-language SKILL.md metadata files that describe when and how agents should use modular capabilities. They demonstrate attacks across three stages: in Discovery, short textual triggers manipulate embedding-based retrieval to boost adversarial skill visibility; in Selection, description framing biases agents toward malicious variants; and in Governance, semantic evasion helps malicious skills bypass blocking. Experiments with real skills show adversarial variants achieve 77.6% selection rate and evade detection in 36.5-100% of cases.

Main takeaways:

  • Agent skill registries use natural-language metadata (SKILL.md files) to describe capabilities, but this text is operational—it affects discovery, selection, and governance.
  • Short textual triggers can manipulate embedding-based retrieval to make adversarial skills appear in top-10 results 80% of the time.
  • Description-only framing causes agents to select functionally equivalent adversarial variants in 77.6% of paired trials on average.
  • Semantic evasion strategies (rewording descriptions) help malicious skills avoid blocking in 36.5-100% of test cases.
  • The attacks exploit the fact that natural-language descriptions are both human-readable and machine-actionable, creating a semantic attack surface.