{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:BV5INSAKZCOC4HDWOVTUZ35OJ2","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"72e088c7de8189bb85e81c2f2d2abb4b8e2aa3c1c52d1382374942b0634228bc","cross_cats_sorted":["cs.AI","cs.CL","cs.SE"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-01-15T12:31:52Z","title_canon_sha256":"d301125dc87ce9e878f906e51ee67ab41a85a90413fbe79e2ad235c703f55d4a"},"schema_version":"1.0","source":{"id":"2601.10338","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2601.10338","created_at":"2026-05-17T23:39:19Z"},{"alias_kind":"arxiv_version","alias_value":"2601.10338v1","created_at":"2026-05-17T23:39:19Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2601.10338","created_at":"2026-05-17T23:39:19Z"},{"alias_kind":"pith_short_12","alias_value":"BV5INSAKZCOC","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"BV5INSAKZCOC4HDW","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"BV5INSAK","created_at":"2026-05-18T12:33:37Z"}],"graph_snapshots":[{"event_id":"sha256:7a1550f7668764a6aa33cecd0782607d5a2e0b5ee04f839ddffabe35146b05d2","target":"graph","created_at":"2026-05-17T23:39:19Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"26.1% of skills contain at least one vulnerability, spanning 14 distinct patterns across four categories: prompt injection, data exfiltration, privilege escalation, and supply chain risks. Data exfiltration (13.3%) and privilege escalation (11.8%) are most prevalent, while 5.2% of skills exhibit high-severity patterns strongly suggesting malicious intent."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"That SkillScan's static analysis plus LLM semantic classification accurately flags real vulnerabilities at the stated precision and recall without significant selection bias in the 31,132 analyzed skills or over-representation of risky marketplaces."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"26.1% of analyzed AI agent skills contain vulnerabilities across 14 patterns, with executable scripts raising risk 2.12x, based on static and LLM analysis of 31k skills."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"More than one in four AI agent skills contain at least one security vulnerability."}],"snapshot_sha256":"56531ea2ba115c4658f2d0f20ae58675d6f4c22c39ebab5381b72be3c5e86871"},"formal_canon":{"evidence_count":1,"snapshot_sha256":"efa69e7c026d72dff9115957b2339827b079f7b06e33036fa771cd03cbe55adc"},"paper":{"abstract_excerpt":"The rise of AI agent frameworks has introduced agent skills, modular packages containing instructions and executable code that dynamically extend agent capabilities. While this architecture enables powerful customization, skills execute with implicit trust and minimal vetting, creating a significant yet uncharacterized attack surface. We conduct the first large-scale empirical security analysis of this emerging ecosystem, collecting 42,447 skills from two major marketplaces and systematically analyzing 31,132 using SkillScan, a multi-stage detection framework integrating static analysis with L","authors_text":"Gelei Deng, Guangquan Xu, Leo Zhang, Ruitao Feng, Weizhe Wang, Yao Zhang, Yi Liu, Yuekang Li","cross_cats":["cs.AI","cs.CL","cs.SE"],"headline":"More than one in four AI agent skills contain at least one security vulnerability.","license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-01-15T12:31:52Z","title":"Agent Skills in the Wild: An Empirical Study of Security Vulnerabilities at Scale"},"references":{"count":42,"internal_anchors":1,"resolved_work":42,"sample":[{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":1,"title":"Anonymous. 2025. SkillScan: Dataset, Detection Tools, and Collection Pipeline for Agent Skills Security Research. https://anonymous.4open.science/r/skillscan/. Anonymous repository containing annotate","work_id":"6325409d-aa49-4f84-aaa1-27b7d63fce75","year":2025},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":2,"title":"Anthropic. 2024. Model Context Protocol Specification. https:// modelcontextprotocol.io/. Open protocol for AI-tool integration","work_id":"75ddad96-0212-4e49-83f1-2e4e002253c2","year":2024},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":3,"title":"Anthropic. 2025. Agent Skills Open Standard Specification. https://agentskills.io. Open standard for portable agent skills, released October 2025","work_id":"cc40568c-9bd4-4e43-80c4-9eaec9d979f8","year":2025},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":4,"title":"Anthropic. 2025. Claude Code Documentation. https://docs.anthropic.com/en/ docs/claude-code. Official Claude Code documentation. Conference’17, July 2017, Washington, DC, USA Yi Liu, Weizhe Wang, Ruit","work_id":"11ade551-a08d-4bdd-98f9-714f770c0d4f","year":2025},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":5,"title":"Anthropic. 2025. Claude Code Skills Documentation. https://docs.anthropic.com/ en/docs/claude-code/skills. Official documentation for agent skills architecture","work_id":"ed09eb83-54f9-4163-88d5-486914f78550","year":2025}],"snapshot_sha256":"7b54477cf119c564a3e46dfdaeb56a44ec8372b8309382bb0bdcbd88384389a4"},"source":{"id":"2601.10338","kind":"arxiv","version":1},"verdict":{"created_at":"2026-05-14T23:36:14.576840Z","id":"27557d3c-833a-45bc-8341-50e432466ee4","model_set":{"reader":"grok-4.3"},"one_line_summary":"26.1% of analyzed AI agent skills contain vulnerabilities across 14 patterns, with executable scripts raising risk 2.12x, based on static and LLM analysis of 31k skills.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"More than one in four AI agent skills contain at least one security vulnerability.","strongest_claim":"26.1% of skills contain at least one vulnerability, spanning 14 distinct patterns across four categories: prompt injection, data exfiltration, privilege escalation, and supply chain risks. Data exfiltration (13.3%) and privilege escalation (11.8%) are most prevalent, while 5.2% of skills exhibit high-severity patterns strongly suggesting malicious intent.","weakest_assumption":"That SkillScan's static analysis plus LLM semantic classification accurately flags real vulnerabilities at the stated precision and recall without significant selection bias in the 31,132 analyzed skills or over-representation of risky marketplaces."}},"verdict_id":"27557d3c-833a-45bc-8341-50e432466ee4"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:5f4440fb098daa8ef9cb86446813daf96b5edb9593ff42535e194b22006830e6","target":"record","created_at":"2026-05-17T23:39:19Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"72e088c7de8189bb85e81c2f2d2abb4b8e2aa3c1c52d1382374942b0634228bc","cross_cats_sorted":["cs.AI","cs.CL","cs.SE"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-01-15T12:31:52Z","title_canon_sha256":"d301125dc87ce9e878f906e51ee67ab41a85a90413fbe79e2ad235c703f55d4a"},"schema_version":"1.0","source":{"id":"2601.10338","kind":"arxiv","version":1}},"canonical_sha256":"0d7a86c80ac89c2e1c7675674cefae4e8e32bd4585ec730df12ea994b8af1ff5","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"0d7a86c80ac89c2e1c7675674cefae4e8e32bd4585ec730df12ea994b8af1ff5","first_computed_at":"2026-05-17T23:39:19.831777Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-17T23:39:19.831777Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"ifuL1thBPQSiUwfcSNo8RVZbrt7yHWfNPluJRTEtX3xSEdOFmh498yOC0I0TmfMMj63dTsnEZf2P6kkSRxfSCA==","signature_status":"signed_v1","signed_at":"2026-05-17T23:39:19.832457Z","signed_message":"canonical_sha256_bytes"},"source_id":"2601.10338","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:5f4440fb098daa8ef9cb86446813daf96b5edb9593ff42535e194b22006830e6","sha256:7a1550f7668764a6aa33cecd0782607d5a2e0b5ee04f839ddffabe35146b05d2"],"state_sha256":"3a099cd844b6aa4526c5e85f71393b27354065504122a7a30c46daa7ba99dec4"}