{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2026:UV5HTIH5HEBJ4VCVLYWY3H5VL3","short_pith_number":"pith:UV5HTIH5","schema_version":"1.0","canonical_sha256":"a57a79a0fd39029e54555e2d8d9fb55ec9029d25ce0a8dae51914938b8135186","source":{"kind":"arxiv","id":"2604.03070","version":2},"attestation_state":"computed","paper":{"title":"How Your Credentials Are Leaked by LLM Agent Skills: An Empirical Study","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Third-party LLM agent skills leak credentials in over 500 cases through debug logs and prompt injections.","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Gelei Deng, Jianting Ning, Lei Ma, Leo Yu Zhang, Yanjun Zhang, Yi Liu, Ying Zhang, Yuekang Li, Zhihao Chen, Zhiqiang Li","submitted_at":"2026-04-03T14:50:16Z","abstract_excerpt":"Large Language Model (LLM) agents increasingly rely on third-party skills that operate within privileged execution environments and routinely handle sensitive credentials, yet how these credentials are leaked remains largely unexplored. To fill this gap, we present the first large-scale empirical study on credential leakage in agent skills. From 170,226 artifacts on SkillsMP, the largest open-source skill marketplace, we sampled 17,022 skills via stratified random sampling and analyzed each through static secret extraction (regex and AST parsing), dynamic sandbox testing with mock credentials,"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":false,"formal_links_present":false},"canonical_record":{"source":{"id":"2604.03070","kind":"arxiv","version":2},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-04-03T14:50:16Z","cross_cats_sorted":["cs.AI"],"title_canon_sha256":"b5aaf6af66734f05c159eb380164cfdafadd89b4799cd9d3b274152cf13fde8b","abstract_canon_sha256":"1570c4c70c1074c203f209fddda5c744f87a528a5514423c06321f7095504a67"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-06-23T01:12:04.269266Z","signature_b64":"2PzGnubgmiYLtrQf4o35dzmTynoAwXDSEQ+l4Y5OnKTqh/O4CKTIAm4xkFF+jT5W4AGjrZ3ilFbUf+TR4OqADA==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"a57a79a0fd39029e54555e2d8d9fb55ec9029d25ce0a8dae51914938b8135186","last_reissued_at":"2026-06-23T01:12:04.268767Z","signature_status":"signed_v1","first_computed_at":"2026-06-23T01:12:04.268767Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"How Your Credentials Are Leaked by LLM Agent Skills: An Empirical Study","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Third-party LLM agent skills leak credentials in over 500 cases through debug logs and prompt injections.","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Gelei Deng, Jianting Ning, Lei Ma, Leo Yu Zhang, Yanjun Zhang, Yi Liu, Ying Zhang, Yuekang Li, Zhihao Chen, Zhiqiang Li","submitted_at":"2026-04-03T14:50:16Z","abstract_excerpt":"Large Language Model (LLM) agents increasingly rely on third-party skills that operate within privileged execution environments and routinely handle sensitive credentials, yet how these credentials are leaked remains largely unexplored. To fill this gap, we present the first large-scale empirical study on credential leakage in agent skills. From 170,226 artifacts on SkillsMP, the largest open-source skill marketplace, we sampled 17,022 skills via stratified random sampling and analyzed each through static secret extraction (regex and AST parsing), dynamic sandbox testing with mock credentials,"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"We identify 520 vulnerable skills with 1,708 issues and derive a taxonomy of 10 leakage patterns (4 accidental and 6 adversarial).","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The 17,022 sampled skills from SkillsMP are representative of the broader population of 170k skills and that static analysis plus sandbox testing reliably detects all leakage patterns.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Analysis of 17k LLM agent skills reveals 520 vulnerable ones with 1,708 leakage issues, primarily from debug output exposure, with a 10-pattern taxonomy and released dataset for future detection.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Third-party LLM agent skills leak credentials in over 500 cases through debug logs and prompt injections.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"323558b0388be82d3140e1888cce15049593fd796a73b5d5c913db2eded3200c"},"source":{"id":"2604.03070","kind":"arxiv","version":2},"verdict":{"id":"ab8c0046-e833-4328-ab19-181306962f22","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-13T19:48:23.575436Z","strongest_claim":"We identify 520 vulnerable skills with 1,708 issues and derive a taxonomy of 10 leakage patterns (4 accidental and 6 adversarial).","one_line_summary":"Analysis of 17k LLM agent skills reveals 520 vulnerable ones with 1,708 leakage issues, primarily from debug output exposure, with a 10-pattern taxonomy and released dataset for future detection.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The 17,022 sampled skills from SkillsMP are representative of the broader population of 170k skills and that static analysis plus sandbox testing reliably detects all leakage patterns.","pith_extraction_headline":"Third-party LLM agent skills leak credentials in over 500 cases through debug logs and prompt injections."},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2604.03070/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2604.03070","created_at":"2026-06-23T01:12:04.268836+00:00"},{"alias_kind":"arxiv_version","alias_value":"2604.03070v2","created_at":"2026-06-23T01:12:04.268836+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2604.03070","created_at":"2026-06-23T01:12:04.268836+00:00"},{"alias_kind":"pith_short_12","alias_value":"UV5HTIH5HEBJ","created_at":"2026-06-23T01:12:04.268836+00:00"},{"alias_kind":"pith_short_16","alias_value":"UV5HTIH5HEBJ4VCV","created_at":"2026-06-23T01:12:04.268836+00:00"},{"alias_kind":"pith_short_8","alias_value":"UV5HTIH5","created_at":"2026-06-23T01:12:04.268836+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":9,"internal_anchor_count":9,"sample":[{"citing_arxiv_id":"2607.01793","citing_title":"Safety Testing LLM Agents at Scale: From Risk Discovery to Evidence-Grounded Verification","ref_index":8,"is_internal_anchor":true},{"citing_arxiv_id":"2607.02357","citing_title":"Cloak and Detonate: Scanner Evasion and Dynamic Detection of Agent Skill Malware","ref_index":10,"is_internal_anchor":true},{"citing_arxiv_id":"2607.00911","citing_title":"From Registry to Repository: How AI Agent Skills Are Written, Adapted, and Maintained","ref_index":9,"is_internal_anchor":true},{"citing_arxiv_id":"2606.02302","citing_title":"SeClaw: Spec-Driven Security Task Synthesis for Evaluating Autonomous Agents","ref_index":3,"is_internal_anchor":true},{"citing_arxiv_id":"2606.20631","citing_title":"Harnessing Agent Skills: Architectural Patterns and a Reference Architecture for Skill-Mediated LLM Agents","ref_index":76,"is_internal_anchor":true},{"citing_arxiv_id":"2606.00448","citing_title":"When Safe Skills Collide: Measuring Compositional Risk in Agent Skill Ecosystems","ref_index":12,"is_internal_anchor":true},{"citing_arxiv_id":"2605.13940","citing_title":"AgentTrap: Measuring Runtime Trust Failures in Third-Party Agent Skills","ref_index":2,"is_internal_anchor":true},{"citing_arxiv_id":"2605.09594","citing_title":"Trust Me, Import This: Dependency Steering Attacks via Malicious Agent Skills","ref_index":20,"is_internal_anchor":true},{"citing_arxiv_id":"2604.22888","citing_title":"RouteGuard: Internal-Signal Detection of Skill Poisoning in LLM Agents","ref_index":3,"is_internal_anchor":true}]},"formal_canon":{"evidence_count":0,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/UV5HTIH5HEBJ4VCVLYWY3H5VL3","json":"https://pith.science/pith/UV5HTIH5HEBJ4VCVLYWY3H5VL3.json","graph_json":"https://pith.science/api/pith-number/UV5HTIH5HEBJ4VCVLYWY3H5VL3/graph.json","events_json":"https://pith.science/api/pith-number/UV5HTIH5HEBJ4VCVLYWY3H5VL3/events.json","paper":"https://pith.science/paper/UV5HTIH5"},"agent_actions":{"view_html":"https://pith.science/pith/UV5HTIH5HEBJ4VCVLYWY3H5VL3","download_json":"https://pith.science/pith/UV5HTIH5HEBJ4VCVLYWY3H5VL3.json","view_paper":"https://pith.science/paper/UV5HTIH5","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2604.03070&json=true","fetch_graph":"https://pith.science/api/pith-number/UV5HTIH5HEBJ4VCVLYWY3H5VL3/graph.json","fetch_events":"https://pith.science/api/pith-number/UV5HTIH5HEBJ4VCVLYWY3H5VL3/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/UV5HTIH5HEBJ4VCVLYWY3H5VL3/action/timestamp_anchor","attest_storage":"https://pith.science/pith/UV5HTIH5HEBJ4VCVLYWY3H5VL3/action/storage_attestation","attest_author":"https://pith.science/pith/UV5HTIH5HEBJ4VCVLYWY3H5VL3/action/author_attestation","sign_citation":"https://pith.science/pith/UV5HTIH5HEBJ4VCVLYWY3H5VL3/action/citation_signature","submit_replication":"https://pith.science/pith/UV5HTIH5HEBJ4VCVLYWY3H5VL3/action/replication_record"}},"created_at":"2026-06-23T01:12:04.268836+00:00","updated_at":"2026-06-23T01:12:04.268836+00:00"}