{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2026:K3E4H3J4BAQGCFTOR4TMUGZE3H","short_pith_number":"pith:K3E4H3J4","schema_version":"1.0","canonical_sha256":"56c9c3ed3c082061166e8f26ca1b24d9e7302d7a13ccaf4f4a59d20496829aa0","source":{"kind":"arxiv","id":"2605.13940","version":1},"attestation_state":"computed","paper":{"title":"AgentTrap: Measuring Runtime Trust Failures in Third-Party Agent Skills","license":"http://creativecommons.org/licenses/by/4.0/","headline":"LLM agents often finish the user's visible request while executing unsafe side effects from third-party skills as if they were normal workflow steps.","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Hanwen Xing, Haomin Zhuang, Xiangliang Zhang, Yili Shen, Yuchen Ma, Yue Huang, Yufei Han, Yujun Zhou","submitted_at":"2026-05-13T17:04:17Z","abstract_excerpt":"Third-party skills are becoming the package ecosystem for LLM agents. They package natural-language instructions, helper scripts, templates, documents, and service configuration into reusable workflows. This makes skills useful, but it also introduces a new security problem: a malicious skill does not need to ask the model to perform an obviously harmful action. Instead, it can disguise the harmful behavior as part of a routine workflow, relying on the agent to execute that workflow with high-value permissions and limited human supervision.\n  We introduce AgentTrap, a dynamic benchmark for eva"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":true,"formal_links_present":false},"canonical_record":{"source":{"id":"2605.13940","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T17:04:17Z","cross_cats_sorted":["cs.AI"],"title_canon_sha256":"5377d80ac6b95d15395f667b4f3bc9fcd7ade0a9bf6f191a2dba0cc9858b33ee","abstract_canon_sha256":"052f86cb119bd0f739111a24767ccec66e20007d73197810e54526f02bb15f69"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:39:13.871271Z","signature_b64":"Jzr7D6ceGMTDsvIz3Nfbl0lPx5Nfm/SoIm39G+pBR2+t0/n1UGzQOubujMO3OqhRJfgnvb3Z1oFpEG7bL5z5Bw==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"56c9c3ed3c082061166e8f26ca1b24d9e7302d7a13ccaf4f4a59d20496829aa0","last_reissued_at":"2026-05-17T23:39:13.870101Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:39:13.870101Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"AgentTrap: Measuring Runtime Trust Failures in Third-Party Agent Skills","license":"http://creativecommons.org/licenses/by/4.0/","headline":"LLM agents often finish the user's visible request while executing unsafe side effects from third-party skills as if they were normal workflow steps.","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Hanwen Xing, Haomin Zhuang, Xiangliang Zhang, Yili Shen, Yuchen Ma, Yue Huang, Yufei Han, Yujun Zhou","submitted_at":"2026-05-13T17:04:17Z","abstract_excerpt":"Third-party skills are becoming the package ecosystem for LLM agents. They package natural-language instructions, helper scripts, templates, documents, and service configuration into reusable workflows. This makes skills useful, but it also introduces a new security problem: a malicious skill does not need to ask the model to perform an obviously harmful action. Instead, it can disguise the harmful behavior as part of a routine workflow, relying on the agent to execute that workflow with high-value permissions and limited human supervision.\n  We introduce AgentTrap, a dynamic benchmark for eva"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"Models often complete the visible user task while treating unsafe side effects introduced by the skill as part of the normal workflow.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That the 141 hand-crafted tasks and sandboxed execution environment faithfully represent the diversity and stealth of real-world malicious third-party skills without introducing evaluation artifacts.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"AgentTrap shows that current LLM agents typically complete user tasks while silently accepting unsafe side effects from malicious third-party skills rather than refusing them.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"LLM agents often finish the user's visible request while executing unsafe side effects from third-party skills as if they were normal workflow steps.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"e301ace7786e22db6b4bbfa20ea3ff43312d0700c1bb7921821e5fa970a58012"},"source":{"id":"2605.13940","kind":"arxiv","version":1},"verdict":{"id":"bb03548f-3209-4f4b-8ef5-15d01a8e5016","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-15T05:37:52.511851Z","strongest_claim":"Models often complete the visible user task while treating unsafe side effects introduced by the skill as part of the normal workflow.","one_line_summary":"AgentTrap shows that current LLM agents typically complete user tasks while silently accepting unsafe side effects from malicious third-party skills rather than refusing them.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That the 141 hand-crafted tasks and sandboxed execution environment faithfully represent the diversity and stealth of real-world malicious third-party skills without introducing evaluation artifacts.","pith_extraction_headline":"LLM agents often finish the user's visible request while executing unsafe side effects from third-party skills as if they were normal workflow steps."},"references":{"count":13,"sample":[{"doi":"","year":null,"title":"AgentHarm: A Benchmark for Measuring Harmfulness of LLM Agents","work_id":"788aad10-421f-48d7-886c-792665914606","ref_index":1,"cited_arxiv_id":"2410.09024","is_internal_anchor":true},{"doi":"","year":null,"title":"Credential Leakage in LLM Agent Skills: A Large-Scale Empirical Study","work_id":"8f85f345-642a-4ab7-910e-fc90bf0dee3c","ref_index":2,"cited_arxiv_id":"2604.03070","is_internal_anchor":true},{"doi":"","year":null,"title":"AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents","work_id":"7b1b672f-e6b4-4df9-aa8b-3396a2eb8b16","ref_index":3,"cited_arxiv_id":"2406.13352","is_internal_anchor":true},{"doi":"","year":null,"title":"Towards Secure Agent Skills: Architecture, Threat Taxonomy, and Security Analysis","work_id":"1f55fc6f-2f7e-49fd-bbf2-2584a93f2c95","ref_index":4,"cited_arxiv_id":"2604.02837","is_internal_anchor":true},{"doi":"","year":null,"title":"Identifying the Risks of LM Agents with an LM-Emulated Sandbox","work_id":"3d4c3b66-d749-4939-b1bc-62b10b2ebbb6","ref_index":5,"cited_arxiv_id":"2309.15817","is_internal_anchor":true}],"resolved_work":13,"snapshot_sha256":"a7058e58b23dfd5ce82c8cc058f903ceb03476bda2b2ec97330adbe39e8eb617","internal_anchors":8},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2605.13940","created_at":"2026-05-17T23:39:13.870291+00:00"},{"alias_kind":"arxiv_version","alias_value":"2605.13940v1","created_at":"2026-05-17T23:39:13.870291+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.13940","created_at":"2026-05-17T23:39:13.870291+00:00"},{"alias_kind":"pith_short_12","alias_value":"K3E4H3J4BAQG","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_16","alias_value":"K3E4H3J4BAQGCFTO","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_8","alias_value":"K3E4H3J4","created_at":"2026-05-18T12:33:37.589309+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":0,"internal_anchor_count":0,"sample":[]},"formal_canon":{"evidence_count":0,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/K3E4H3J4BAQGCFTOR4TMUGZE3H","json":"https://pith.science/pith/K3E4H3J4BAQGCFTOR4TMUGZE3H.json","graph_json":"https://pith.science/api/pith-number/K3E4H3J4BAQGCFTOR4TMUGZE3H/graph.json","events_json":"https://pith.science/api/pith-number/K3E4H3J4BAQGCFTOR4TMUGZE3H/events.json","paper":"https://pith.science/paper/K3E4H3J4"},"agent_actions":{"view_html":"https://pith.science/pith/K3E4H3J4BAQGCFTOR4TMUGZE3H","download_json":"https://pith.science/pith/K3E4H3J4BAQGCFTOR4TMUGZE3H.json","view_paper":"https://pith.science/paper/K3E4H3J4","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2605.13940&json=true","fetch_graph":"https://pith.science/api/pith-number/K3E4H3J4BAQGCFTOR4TMUGZE3H/graph.json","fetch_events":"https://pith.science/api/pith-number/K3E4H3J4BAQGCFTOR4TMUGZE3H/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/K3E4H3J4BAQGCFTOR4TMUGZE3H/action/timestamp_anchor","attest_storage":"https://pith.science/pith/K3E4H3J4BAQGCFTOR4TMUGZE3H/action/storage_attestation","attest_author":"https://pith.science/pith/K3E4H3J4BAQGCFTOR4TMUGZE3H/action/author_attestation","sign_citation":"https://pith.science/pith/K3E4H3J4BAQGCFTOR4TMUGZE3H/action/citation_signature","submit_replication":"https://pith.science/pith/K3E4H3J4BAQGCFTOR4TMUGZE3H/action/replication_record"}},"created_at":"2026-05-17T23:39:13.870291+00:00","updated_at":"2026-05-17T23:39:13.870291+00:00"}