{"paper":{"title":"AgentTrap: Measuring Runtime Trust Failures in Third-Party Agent Skills","license":"http://creativecommons.org/licenses/by/4.0/","headline":"LLM agents often finish the user's visible request while executing unsafe side effects from third-party skills as if they were normal workflow steps.","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Hanwen Xing, Haomin Zhuang, Xiangliang Zhang, Yili Shen, Yuchen Ma, Yue Huang, Yufei Han, Yujun Zhou","submitted_at":"2026-05-13T17:04:17Z","abstract_excerpt":"Third-party skills are becoming the package ecosystem for LLM agents. They package natural-language instructions, helper scripts, templates, documents, and service configuration into reusable workflows. This makes skills useful, but it also introduces a new security problem: a malicious skill does not need to ask the model to perform an obviously harmful action. Instead, it can disguise the harmful behavior as part of a routine workflow, relying on the agent to execute that workflow with high-value permissions and limited human supervision.\n  We introduce AgentTrap, a dynamic benchmark for eva"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"Models often complete the visible user task while treating unsafe side effects introduced by the skill as part of the normal workflow.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That the 141 hand-crafted tasks and sandboxed execution environment faithfully represent the diversity and stealth of real-world malicious third-party skills without introducing evaluation artifacts.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"AgentTrap shows that current LLM agents typically complete user tasks while silently accepting unsafe side effects from malicious third-party skills rather than refusing them.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"LLM agents often finish the user's visible request while executing unsafe side effects from third-party skills as if they were normal workflow steps.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"e301ace7786e22db6b4bbfa20ea3ff43312d0700c1bb7921821e5fa970a58012"},"source":{"id":"2605.13940","kind":"arxiv","version":1},"verdict":{"id":"bb03548f-3209-4f4b-8ef5-15d01a8e5016","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-15T05:37:52.511851Z","strongest_claim":"Models often complete the visible user task while treating unsafe side effects introduced by the skill as part of the normal workflow.","one_line_summary":"AgentTrap shows that current LLM agents typically complete user tasks while silently accepting unsafe side effects from malicious third-party skills rather than refusing them.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That the 141 hand-crafted tasks and sandboxed execution environment faithfully represent the diversity and stealth of real-world malicious third-party skills without introducing evaluation artifacts.","pith_extraction_headline":"LLM agents often finish the user's visible request while executing unsafe side effects from third-party skills as if they were normal workflow steps."},"references":{"count":13,"sample":[{"doi":"","year":null,"title":"AgentHarm: A Benchmark for Measuring Harmfulness of LLM Agents","work_id":"788aad10-421f-48d7-886c-792665914606","ref_index":1,"cited_arxiv_id":"2410.09024","is_internal_anchor":true},{"doi":"","year":null,"title":"Credential Leakage in LLM Agent Skills: A Large-Scale Empirical Study","work_id":"8f85f345-642a-4ab7-910e-fc90bf0dee3c","ref_index":2,"cited_arxiv_id":"2604.03070","is_internal_anchor":true},{"doi":"","year":null,"title":"AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents","work_id":"7b1b672f-e6b4-4df9-aa8b-3396a2eb8b16","ref_index":3,"cited_arxiv_id":"2406.13352","is_internal_anchor":true},{"doi":"","year":null,"title":"Towards Secure Agent Skills: Architecture, Threat Taxonomy, and Security Analysis","work_id":"1f55fc6f-2f7e-49fd-bbf2-2584a93f2c95","ref_index":4,"cited_arxiv_id":"2604.02837","is_internal_anchor":true},{"doi":"","year":null,"title":"Identifying the Risks of LM Agents with an LM-Emulated Sandbox","work_id":"3d4c3b66-d749-4939-b1bc-62b10b2ebbb6","ref_index":5,"cited_arxiv_id":"2309.15817","is_internal_anchor":true}],"resolved_work":13,"snapshot_sha256":"a7058e58b23dfd5ce82c8cc058f903ceb03476bda2b2ec97330adbe39e8eb617","internal_anchors":8},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}