pith. sign in
Pith Number

pith:BV5INSAK

pith:2026:BV5INSAKZCOC4HDWOVTUZ35OJ2
not attested not anchored not stored refs resolved

Agent Skills in the Wild: An Empirical Study of Security Vulnerabilities at Scale

Gelei Deng, Guangquan Xu, Leo Zhang, Ruitao Feng, Weizhe Wang, Yao Zhang, Yi Liu, Yuekang Li

More than one in four AI agent skills contain at least one security vulnerability.

arxiv:2601.10338 v1 · 2026-01-15 · cs.CR · cs.AI · cs.CL · cs.SE

Open paper page JSON Open Graph Bundle Merged state Verified badge What is a Pith Number?
Add to your LaTeX paper 
\usepackage{pith}
\pithnumber{BV5INSAKZCOC4HDWOVTUZ35OJ2}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv. Learn more · Embed verified badge

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open · sign in to claim
4 Citations open
5 Replications open
Portable graph bundle live · download bundle · merged state
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1strongest claim

26.1% of skills contain at least one vulnerability, spanning 14 distinct patterns across four categories: prompt injection, data exfiltration, privilege escalation, and supply chain risks. Data exfiltration (13.3%) and privilege escalation (11.8%) are most prevalent, while 5.2% of skills exhibit high-severity patterns strongly suggesting malicious intent.

C2weakest assumption

That SkillScan's static analysis plus LLM semantic classification accurately flags real vulnerabilities at the stated precision and recall without significant selection bias in the 31,132 analyzed skills or over-representation of risky marketplaces.

C3one line summary

26.1% of analyzed AI agent skills contain vulnerabilities across 14 patterns, with executable scripts raising risk 2.12x, based on static and LLM analysis of 31k skills.

References

42 extracted · 42 resolved · 1 Pith anchors

[1] Anonymous. 2025. SkillScan: Dataset, Detection Tools, and Collection Pipeline for Agent Skills Security Research. https://anonymous.4open.science/r/skillscan/. Anonymous repository containing annotate 2025
[2] Anthropic. 2024. Model Context Protocol Specification. https:// modelcontextprotocol.io/. Open protocol for AI-tool integration 2024
[3] Anthropic. 2025. Agent Skills Open Standard Specification. https://agentskills.io. Open standard for portable agent skills, released October 2025 2025
[4] Anthropic. 2025. Claude Code Documentation. https://docs.anthropic.com/en/ docs/claude-code. Official Claude Code documentation. Conference’17, July 2017, Washington, DC, USA Yi Liu, Weizhe Wang, Ruit 2025
[5] Anthropic. 2025. Claude Code Skills Documentation. https://docs.anthropic.com/ en/docs/claude-code/skills. Official documentation for agent skills architecture 2025

Formal links

1 machine-checked theorem link

Cited by

23 papers in Pith

SkillJect: Effectively Automating Skill-Based Prompt Injection for Skill-Enabled Agents
SearchSkill: Teaching LLMs to Use Search Tools with Evolving Skill Banks
Exploiting LLM Agent Supply Chains via Payload-less Skills
Safety in Embodied AI: A Survey of Risks, Attacks, and Defenses
Do Skill Descriptions Tell the Truth? Detecting Undisclosed Security Behaviors in Code-Backed LLM Skills
Receipt and verification
First computed 2026-05-17T23:39:19.831777Z
Builder pith-number-builder-2026-05-17-v1
Signature Pith Ed25519 (pith-v1-2026-05) · public key
Schema pith-number/v1.0

Canonical hash

0d7a86c80ac89c2e1c7675674cefae4e8e32bd4585ec730df12ea994b8af1ff5

Aliases

arxiv: 2601.10338 · arxiv_version: 2601.10338v1 · doi: 10.48550/arxiv.2601.10338 · pith_short_12: BV5INSAKZCOC · pith_short_16: BV5INSAKZCOC4HDW · pith_short_8: BV5INSAK
Agent API
Resolver JSON Graph JSON Events JSON Schema Signing key
Verify this Pith Number yourself 
curl -sH 'Accept: application/ld+json' https://pith.science/pith/BV5INSAKZCOC4HDWOVTUZ35OJ2 \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: 0d7a86c80ac89c2e1c7675674cefae4e8e32bd4585ec730df12ea994b8af1ff5
Canonical record JSON 
{
  "metadata": {
    "abstract_canon_sha256": "72e088c7de8189bb85e81c2f2d2abb4b8e2aa3c1c52d1382374942b0634228bc",
    "cross_cats_sorted": [
      "cs.AI",
      "cs.CL",
      "cs.SE"
    ],
    "license": "http://creativecommons.org/licenses/by/4.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-01-15T12:31:52Z",
    "title_canon_sha256": "d301125dc87ce9e878f906e51ee67ab41a85a90413fbe79e2ad235c703f55d4a"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2601.10338",
    "kind": "arxiv",
    "version": 1
  }
}