{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2026:K3E4H3J4BAQGCFTOR4TMUGZE3H","short_pith_number":"pith:K3E4H3J4","canonical_record":{"source":{"id":"2605.13940","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T17:04:17Z","cross_cats_sorted":["cs.AI"],"title_canon_sha256":"5377d80ac6b95d15395f667b4f3bc9fcd7ade0a9bf6f191a2dba0cc9858b33ee","abstract_canon_sha256":"052f86cb119bd0f739111a24767ccec66e20007d73197810e54526f02bb15f69"},"schema_version":"1.0"},"canonical_sha256":"56c9c3ed3c082061166e8f26ca1b24d9e7302d7a13ccaf4f4a59d20496829aa0","source":{"kind":"arxiv","id":"2605.13940","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.13940","created_at":"2026-05-17T23:39:13Z"},{"alias_kind":"arxiv_version","alias_value":"2605.13940v1","created_at":"2026-05-17T23:39:13Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.13940","created_at":"2026-05-17T23:39:13Z"},{"alias_kind":"pith_short_12","alias_value":"K3E4H3J4BAQG","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"K3E4H3J4BAQGCFTO","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"K3E4H3J4","created_at":"2026-05-18T12:33:37Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2026:K3E4H3J4BAQGCFTOR4TMUGZE3H","target":"record","payload":{"canonical_record":{"source":{"id":"2605.13940","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T17:04:17Z","cross_cats_sorted":["cs.AI"],"title_canon_sha256":"5377d80ac6b95d15395f667b4f3bc9fcd7ade0a9bf6f191a2dba0cc9858b33ee","abstract_canon_sha256":"052f86cb119bd0f739111a24767ccec66e20007d73197810e54526f02bb15f69"},"schema_version":"1.0"},"canonical_sha256":"56c9c3ed3c082061166e8f26ca1b24d9e7302d7a13ccaf4f4a59d20496829aa0","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:39:13.871271Z","signature_b64":"Jzr7D6ceGMTDsvIz3Nfbl0lPx5Nfm/SoIm39G+pBR2+t0/n1UGzQOubujMO3OqhRJfgnvb3Z1oFpEG7bL5z5Bw==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"56c9c3ed3c082061166e8f26ca1b24d9e7302d7a13ccaf4f4a59d20496829aa0","last_reissued_at":"2026-05-17T23:39:13.870101Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:39:13.870101Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2605.13940","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T23:39:13Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"4RZctqaN/3q+Wg3KI7uZSgcNHcmI8pKVczQGm5C8y7AT0J+2247Ig3JuzU+Yqj+88ValhB3/2U6U1D1Xt7rUAQ==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-03T16:36:41.969088Z"},"content_sha256":"2d422846f11381e020a5cbbfe7bd9f448e3d510f3211af683b3ff22d6040c122","schema_version":"1.0","event_id":"sha256:2d422846f11381e020a5cbbfe7bd9f448e3d510f3211af683b3ff22d6040c122"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2026:K3E4H3J4BAQGCFTOR4TMUGZE3H","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"AgentTrap: Measuring Runtime Trust Failures in Third-Party Agent Skills","license":"http://creativecommons.org/licenses/by/4.0/","headline":"LLM agents often finish the user's visible request while executing unsafe side effects from third-party skills as if they were normal workflow steps.","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Hanwen Xing, Haomin Zhuang, Xiangliang Zhang, Yili Shen, Yuchen Ma, Yue Huang, Yufei Han, Yujun Zhou","submitted_at":"2026-05-13T17:04:17Z","abstract_excerpt":"Third-party skills are becoming the package ecosystem for LLM agents. They package natural-language instructions, helper scripts, templates, documents, and service configuration into reusable workflows. This makes skills useful, but it also introduces a new security problem: a malicious skill does not need to ask the model to perform an obviously harmful action. Instead, it can disguise the harmful behavior as part of a routine workflow, relying on the agent to execute that workflow with high-value permissions and limited human supervision.\n  We introduce AgentTrap, a dynamic benchmark for eva"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"Models often complete the visible user task while treating unsafe side effects introduced by the skill as part of the normal workflow.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That the 141 hand-crafted tasks and sandboxed execution environment faithfully represent the diversity and stealth of real-world malicious third-party skills without introducing evaluation artifacts.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"AgentTrap shows that current LLM agents typically complete user tasks while silently accepting unsafe side effects from malicious third-party skills rather than refusing them.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"LLM agents often finish the user's visible request while executing unsafe side effects from third-party skills as if they were normal workflow steps.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"e301ace7786e22db6b4bbfa20ea3ff43312d0700c1bb7921821e5fa970a58012"},"source":{"id":"2605.13940","kind":"arxiv","version":1},"verdict":{"id":"bb03548f-3209-4f4b-8ef5-15d01a8e5016","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-15T05:37:52.511851Z","strongest_claim":"Models often complete the visible user task while treating unsafe side effects introduced by the skill as part of the normal workflow.","one_line_summary":"AgentTrap shows that current LLM agents typically complete user tasks while silently accepting unsafe side effects from malicious third-party skills rather than refusing them.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That the 141 hand-crafted tasks and sandboxed execution environment faithfully represent the diversity and stealth of real-world malicious third-party skills without introducing evaluation artifacts.","pith_extraction_headline":"LLM agents often finish the user's visible request while executing unsafe side effects from third-party skills as if they were normal workflow steps."},"references":{"count":13,"sample":[{"doi":"","year":null,"title":"AgentHarm: A Benchmark for Measuring Harmfulness of LLM Agents","work_id":"788aad10-421f-48d7-886c-792665914606","ref_index":1,"cited_arxiv_id":"2410.09024","is_internal_anchor":true},{"doi":"","year":null,"title":"Credential Leakage in LLM Agent Skills: A Large-Scale Empirical Study","work_id":"8f85f345-642a-4ab7-910e-fc90bf0dee3c","ref_index":2,"cited_arxiv_id":"2604.03070","is_internal_anchor":true},{"doi":"","year":null,"title":"AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents","work_id":"7b1b672f-e6b4-4df9-aa8b-3396a2eb8b16","ref_index":3,"cited_arxiv_id":"2406.13352","is_internal_anchor":true},{"doi":"","year":null,"title":"Towards Secure Agent Skills: Architecture, Threat Taxonomy, and Security Analysis","work_id":"1f55fc6f-2f7e-49fd-bbf2-2584a93f2c95","ref_index":4,"cited_arxiv_id":"2604.02837","is_internal_anchor":true},{"doi":"","year":null,"title":"Identifying the Risks of LM Agents with an LM-Emulated Sandbox","work_id":"3d4c3b66-d749-4939-b1bc-62b10b2ebbb6","ref_index":5,"cited_arxiv_id":"2309.15817","is_internal_anchor":true}],"resolved_work":13,"snapshot_sha256":"a7058e58b23dfd5ce82c8cc058f903ceb03476bda2b2ec97330adbe39e8eb617","internal_anchors":8},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":"bb03548f-3209-4f4b-8ef5-15d01a8e5016"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T23:39:13Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"f8VUre2p7Mg8SSQP4rfA2SmWsXLQLQG5Ecoh9aXW2ImZe5ZqILqTiuqyuSYmajIBBaT7sn7jMPxQQeOX1y0xAw==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-03T16:36:41.969640Z"},"content_sha256":"2d0c4148469c74906a0e127e69aa63f08eb2dd52c7612f486c2c6afa7bf75749","schema_version":"1.0","event_id":"sha256:2d0c4148469c74906a0e127e69aa63f08eb2dd52c7612f486c2c6afa7bf75749"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/K3E4H3J4BAQGCFTOR4TMUGZE3H/bundle.json","state_url":"https://pith.science/pith/K3E4H3J4BAQGCFTOR4TMUGZE3H/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/K3E4H3J4BAQGCFTOR4TMUGZE3H/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-06-03T16:36:41Z","links":{"resolver":"https://pith.science/pith/K3E4H3J4BAQGCFTOR4TMUGZE3H","bundle":"https://pith.science/pith/K3E4H3J4BAQGCFTOR4TMUGZE3H/bundle.json","state":"https://pith.science/pith/K3E4H3J4BAQGCFTOR4TMUGZE3H/state.json","well_known_bundle":"https://pith.science/.well-known/pith/K3E4H3J4BAQGCFTOR4TMUGZE3H/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:K3E4H3J4BAQGCFTOR4TMUGZE3H","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"052f86cb119bd0f739111a24767ccec66e20007d73197810e54526f02bb15f69","cross_cats_sorted":["cs.AI"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T17:04:17Z","title_canon_sha256":"5377d80ac6b95d15395f667b4f3bc9fcd7ade0a9bf6f191a2dba0cc9858b33ee"},"schema_version":"1.0","source":{"id":"2605.13940","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.13940","created_at":"2026-05-17T23:39:13Z"},{"alias_kind":"arxiv_version","alias_value":"2605.13940v1","created_at":"2026-05-17T23:39:13Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.13940","created_at":"2026-05-17T23:39:13Z"},{"alias_kind":"pith_short_12","alias_value":"K3E4H3J4BAQG","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"K3E4H3J4BAQGCFTO","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"K3E4H3J4","created_at":"2026-05-18T12:33:37Z"}],"graph_snapshots":[{"event_id":"sha256:2d0c4148469c74906a0e127e69aa63f08eb2dd52c7612f486c2c6afa7bf75749","target":"graph","created_at":"2026-05-17T23:39:13Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"Models often complete the visible user task while treating unsafe side effects introduced by the skill as part of the normal workflow."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"That the 141 hand-crafted tasks and sandboxed execution environment faithfully represent the diversity and stealth of real-world malicious third-party skills without introducing evaluation artifacts."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"AgentTrap shows that current LLM agents typically complete user tasks while silently accepting unsafe side effects from malicious third-party skills rather than refusing them."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"LLM agents often finish the user's visible request while executing unsafe side effects from third-party skills as if they were normal workflow steps."}],"snapshot_sha256":"e301ace7786e22db6b4bbfa20ea3ff43312d0700c1bb7921821e5fa970a58012"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"Third-party skills are becoming the package ecosystem for LLM agents. They package natural-language instructions, helper scripts, templates, documents, and service configuration into reusable workflows. This makes skills useful, but it also introduces a new security problem: a malicious skill does not need to ask the model to perform an obviously harmful action. Instead, it can disguise the harmful behavior as part of a routine workflow, relying on the agent to execute that workflow with high-value permissions and limited human supervision.\n  We introduce AgentTrap, a dynamic benchmark for eva","authors_text":"Hanwen Xing, Haomin Zhuang, Xiangliang Zhang, Yili Shen, Yuchen Ma, Yue Huang, Yufei Han, Yujun Zhou","cross_cats":["cs.AI"],"headline":"LLM agents often finish the user's visible request while executing unsafe side effects from third-party skills as if they were normal workflow steps.","license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T17:04:17Z","title":"AgentTrap: Measuring Runtime Trust Failures in Third-Party Agent Skills"},"references":{"count":13,"internal_anchors":8,"resolved_work":13,"sample":[{"cited_arxiv_id":"2410.09024","doi":"","is_internal_anchor":true,"ref_index":1,"title":"AgentHarm: A Benchmark for Measuring Harmfulness of LLM Agents","work_id":"788aad10-421f-48d7-886c-792665914606","year":null},{"cited_arxiv_id":"2604.03070","doi":"","is_internal_anchor":true,"ref_index":2,"title":"Credential Leakage in LLM Agent Skills: A Large-Scale Empirical Study","work_id":"8f85f345-642a-4ab7-910e-fc90bf0dee3c","year":null},{"cited_arxiv_id":"2406.13352","doi":"","is_internal_anchor":true,"ref_index":3,"title":"AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents","work_id":"7b1b672f-e6b4-4df9-aa8b-3396a2eb8b16","year":null},{"cited_arxiv_id":"2604.02837","doi":"","is_internal_anchor":true,"ref_index":4,"title":"Towards Secure Agent Skills: Architecture, Threat Taxonomy, and Security Analysis","work_id":"1f55fc6f-2f7e-49fd-bbf2-2584a93f2c95","year":null},{"cited_arxiv_id":"2309.15817","doi":"","is_internal_anchor":true,"ref_index":5,"title":"Identifying the Risks of LM Agents with an LM-Emulated Sandbox","work_id":"3d4c3b66-d749-4939-b1bc-62b10b2ebbb6","year":null}],"snapshot_sha256":"a7058e58b23dfd5ce82c8cc058f903ceb03476bda2b2ec97330adbe39e8eb617"},"source":{"id":"2605.13940","kind":"arxiv","version":1},"verdict":{"created_at":"2026-05-15T05:37:52.511851Z","id":"bb03548f-3209-4f4b-8ef5-15d01a8e5016","model_set":{"reader":"grok-4.3"},"one_line_summary":"AgentTrap shows that current LLM agents typically complete user tasks while silently accepting unsafe side effects from malicious third-party skills rather than refusing them.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"LLM agents often finish the user's visible request while executing unsafe side effects from third-party skills as if they were normal workflow steps.","strongest_claim":"Models often complete the visible user task while treating unsafe side effects introduced by the skill as part of the normal workflow.","weakest_assumption":"That the 141 hand-crafted tasks and sandboxed execution environment faithfully represent the diversity and stealth of real-world malicious third-party skills without introducing evaluation artifacts."}},"verdict_id":"bb03548f-3209-4f4b-8ef5-15d01a8e5016"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:2d422846f11381e020a5cbbfe7bd9f448e3d510f3211af683b3ff22d6040c122","target":"record","created_at":"2026-05-17T23:39:13Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"052f86cb119bd0f739111a24767ccec66e20007d73197810e54526f02bb15f69","cross_cats_sorted":["cs.AI"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T17:04:17Z","title_canon_sha256":"5377d80ac6b95d15395f667b4f3bc9fcd7ade0a9bf6f191a2dba0cc9858b33ee"},"schema_version":"1.0","source":{"id":"2605.13940","kind":"arxiv","version":1}},"canonical_sha256":"56c9c3ed3c082061166e8f26ca1b24d9e7302d7a13ccaf4f4a59d20496829aa0","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"56c9c3ed3c082061166e8f26ca1b24d9e7302d7a13ccaf4f4a59d20496829aa0","first_computed_at":"2026-05-17T23:39:13.870101Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-17T23:39:13.870101Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"Jzr7D6ceGMTDsvIz3Nfbl0lPx5Nfm/SoIm39G+pBR2+t0/n1UGzQOubujMO3OqhRJfgnvb3Z1oFpEG7bL5z5Bw==","signature_status":"signed_v1","signed_at":"2026-05-17T23:39:13.871271Z","signed_message":"canonical_sha256_bytes"},"source_id":"2605.13940","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:2d422846f11381e020a5cbbfe7bd9f448e3d510f3211af683b3ff22d6040c122","sha256:2d0c4148469c74906a0e127e69aa63f08eb2dd52c7612f486c2c6afa7bf75749"],"state_sha256":"a296f940a68e14b387ece7ad5a76421de90265f147e495a548437ef3f69ab2f1"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"RCP92nPTNJE1z9S/wXgYfH3k5LDGD7jBIHkto8fOq0Agg6YI+F6/1jac3XyzZpzAZynsnEdew+bEyVmqTSQIBA==","signed_message":"bundle_sha256_bytes","signed_at":"2026-06-03T16:36:41.972292Z","bundle_sha256":"12dbc05589d986e8e67b7a95fd41d565998282906a0b3f74b492240017200287"}}