{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:K3E4H3J4BAQGCFTOR4TMUGZE3H","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"052f86cb119bd0f739111a24767ccec66e20007d73197810e54526f02bb15f69","cross_cats_sorted":["cs.AI"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T17:04:17Z","title_canon_sha256":"5377d80ac6b95d15395f667b4f3bc9fcd7ade0a9bf6f191a2dba0cc9858b33ee"},"schema_version":"1.0","source":{"id":"2605.13940","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.13940","created_at":"2026-05-17T23:39:13Z"},{"alias_kind":"arxiv_version","alias_value":"2605.13940v1","created_at":"2026-05-17T23:39:13Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.13940","created_at":"2026-05-17T23:39:13Z"},{"alias_kind":"pith_short_12","alias_value":"K3E4H3J4BAQG","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"K3E4H3J4BAQGCFTO","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"K3E4H3J4","created_at":"2026-05-18T12:33:37Z"}],"graph_snapshots":[{"event_id":"sha256:2d0c4148469c74906a0e127e69aa63f08eb2dd52c7612f486c2c6afa7bf75749","target":"graph","created_at":"2026-05-17T23:39:13Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"Models often complete the visible user task while treating unsafe side effects introduced by the skill as part of the normal workflow."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"That the 141 hand-crafted tasks and sandboxed execution environment faithfully represent the diversity and stealth of real-world malicious third-party skills without introducing evaluation artifacts."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"AgentTrap shows that current LLM agents typically complete user tasks while silently accepting unsafe side effects from malicious third-party skills rather than refusing them."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"LLM agents often finish the user's visible request while executing unsafe side effects from third-party skills as if they were normal workflow steps."}],"snapshot_sha256":"e301ace7786e22db6b4bbfa20ea3ff43312d0700c1bb7921821e5fa970a58012"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"Third-party skills are becoming the package ecosystem for LLM agents. They package natural-language instructions, helper scripts, templates, documents, and service configuration into reusable workflows. This makes skills useful, but it also introduces a new security problem: a malicious skill does not need to ask the model to perform an obviously harmful action. Instead, it can disguise the harmful behavior as part of a routine workflow, relying on the agent to execute that workflow with high-value permissions and limited human supervision.\n  We introduce AgentTrap, a dynamic benchmark for eva","authors_text":"Hanwen Xing, Haomin Zhuang, Xiangliang Zhang, Yili Shen, Yuchen Ma, Yue Huang, Yufei Han, Yujun Zhou","cross_cats":["cs.AI"],"headline":"LLM agents often finish the user's visible request while executing unsafe side effects from third-party skills as if they were normal workflow steps.","license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T17:04:17Z","title":"AgentTrap: Measuring Runtime Trust Failures in Third-Party Agent Skills"},"references":{"count":13,"internal_anchors":8,"resolved_work":13,"sample":[{"cited_arxiv_id":"2410.09024","doi":"","is_internal_anchor":true,"ref_index":1,"title":"AgentHarm: A Benchmark for Measuring Harmfulness of LLM Agents","work_id":"788aad10-421f-48d7-886c-792665914606","year":null},{"cited_arxiv_id":"2604.03070","doi":"","is_internal_anchor":true,"ref_index":2,"title":"Credential Leakage in LLM Agent Skills: A Large-Scale Empirical Study","work_id":"8f85f345-642a-4ab7-910e-fc90bf0dee3c","year":null},{"cited_arxiv_id":"2406.13352","doi":"","is_internal_anchor":true,"ref_index":3,"title":"AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents","work_id":"7b1b672f-e6b4-4df9-aa8b-3396a2eb8b16","year":null},{"cited_arxiv_id":"2604.02837","doi":"","is_internal_anchor":true,"ref_index":4,"title":"Towards Secure Agent Skills: Architecture, Threat Taxonomy, and Security Analysis","work_id":"1f55fc6f-2f7e-49fd-bbf2-2584a93f2c95","year":null},{"cited_arxiv_id":"2309.15817","doi":"","is_internal_anchor":true,"ref_index":5,"title":"Identifying the Risks of LM Agents with an LM-Emulated Sandbox","work_id":"3d4c3b66-d749-4939-b1bc-62b10b2ebbb6","year":null}],"snapshot_sha256":"a7058e58b23dfd5ce82c8cc058f903ceb03476bda2b2ec97330adbe39e8eb617"},"source":{"id":"2605.13940","kind":"arxiv","version":1},"verdict":{"created_at":"2026-05-15T05:37:52.511851Z","id":"bb03548f-3209-4f4b-8ef5-15d01a8e5016","model_set":{"reader":"grok-4.3"},"one_line_summary":"AgentTrap shows that current LLM agents typically complete user tasks while silently accepting unsafe side effects from malicious third-party skills rather than refusing them.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"LLM agents often finish the user's visible request while executing unsafe side effects from third-party skills as if they were normal workflow steps.","strongest_claim":"Models often complete the visible user task while treating unsafe side effects introduced by the skill as part of the normal workflow.","weakest_assumption":"That the 141 hand-crafted tasks and sandboxed execution environment faithfully represent the diversity and stealth of real-world malicious third-party skills without introducing evaluation artifacts."}},"verdict_id":"bb03548f-3209-4f4b-8ef5-15d01a8e5016"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:2d422846f11381e020a5cbbfe7bd9f448e3d510f3211af683b3ff22d6040c122","target":"record","created_at":"2026-05-17T23:39:13Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"052f86cb119bd0f739111a24767ccec66e20007d73197810e54526f02bb15f69","cross_cats_sorted":["cs.AI"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-13T17:04:17Z","title_canon_sha256":"5377d80ac6b95d15395f667b4f3bc9fcd7ade0a9bf6f191a2dba0cc9858b33ee"},"schema_version":"1.0","source":{"id":"2605.13940","kind":"arxiv","version":1}},"canonical_sha256":"56c9c3ed3c082061166e8f26ca1b24d9e7302d7a13ccaf4f4a59d20496829aa0","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"56c9c3ed3c082061166e8f26ca1b24d9e7302d7a13ccaf4f4a59d20496829aa0","first_computed_at":"2026-05-17T23:39:13.870101Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-17T23:39:13.870101Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"Jzr7D6ceGMTDsvIz3Nfbl0lPx5Nfm/SoIm39G+pBR2+t0/n1UGzQOubujMO3OqhRJfgnvb3Z1oFpEG7bL5z5Bw==","signature_status":"signed_v1","signed_at":"2026-05-17T23:39:13.871271Z","signed_message":"canonical_sha256_bytes"},"source_id":"2605.13940","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:2d422846f11381e020a5cbbfe7bd9f448e3d510f3211af683b3ff22d6040c122","sha256:2d0c4148469c74906a0e127e69aa63f08eb2dd52c7612f486c2c6afa7bf75749"],"state_sha256":"a296f940a68e14b387ece7ad5a76421de90265f147e495a548437ef3f69ab2f1"}