pith. machine review for the scientific record. sign in

arxiv: 2604.03070 · v1 · submitted 2026-04-03 · 💻 cs.CR · cs.AI

Recognition: no theorem link

Credential Leakage in LLM Agent Skills: A Large-Scale Empirical Study

Gelei Deng, Jianting Ning, Lei Ma, Leo Yu Zhang, Yanjun Zhang, Yi Liu, Ying Zhang, Yuekang Li, Zhihao Chen, Zhiqiang Li

Pith reviewed 2026-05-13 19:48 UTC · model grok-4.3

classification 💻 cs.CR cs.AI
keywords credential leakageLLM agentsthird-party skillsvulnerability analysisprompt injectiondebug loggingempirical studysecurity taxonomy
0
0 comments X

The pith

Third-party LLM agent skills leak credentials in over 500 cases through debug logs and prompt injections.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper conducts the first large-scale empirical study of credential leakage in third-party skills that extend LLM agents. By sampling and analyzing 17,022 skills from a platform containing 170,226 total entries, using static analysis, sandbox testing, and manual review, the work identifies 520 vulnerable skills containing 1,708 issues. These issues fall into a taxonomy of 10 leakage patterns, split between accidental and adversarial types. The results matter because the leaked credentials are frequently exploitable without extra privileges, remain available in skill forks, and arise mostly from everyday coding practices like debug logging that expose data to the LLM.

Core claim

The authors establish that 520 skills leak credentials, distributed across 10 patterns where debug logging via print and console.log causes 73.5 percent of cases, 76.3 percent of leaks require combined analysis of code and natural language, 3.1 percent arise purely from prompt injection, and 89.6 percent of leaked credentials are exploitable without privileges while persisting in forks even after upstream fixes.

What carries the argument

A taxonomy of 10 leakage patterns (4 accidental and 6 adversarial) derived from static analysis, sandbox testing, and manual inspection of skills.

If this is right

  • Debug logging statements cause 73.5 percent of leaks because their output reaches the LLM through stdout.
  • 76.3 percent of leaks are cross-modal and cannot be found without examining both code and natural language together.
  • 89.6 percent of leaked credentials can be used directly without any special privileges.
  • Credentials remain present in forks even after the original skill is updated or fixed.
  • Public disclosure resulted in removal of all malicious skills and fixes to 91.6 percent of hardcoded credential cases.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Skill platforms could integrate automated scanning for these 10 patterns before allowing public distribution.
  • Developers should receive explicit guidance to avoid any logging that writes credentials to outputs accessible by the LLM.
  • Persistence across forks indicates that public repositories for skills need stronger secret-masking practices.
  • Applying the same taxonomy to skills on other agent platforms would test whether the patterns are platform-specific.

Load-bearing premise

The sampled skills accurately represent the full population on the platform and the chosen detection methods reliably identify every leakage pattern present.

What would settle it

Repeating the full analysis on the unsampled skills or applying runtime execution monitoring to check whether additional leaks appear beyond those found by static and sandbox methods.

Figures

Figures reproduced from arXiv: 2604.03070 by Gelei Deng, Jianting Ning, Lei Ma, Leo Yu Zhang, Yanjun Zhang, Yi Liu, Ying Zhang, Yuekang Li, Zhihao Chen, Zhiqiang Li.

Figure 1
Figure 1. Figure 1: A real-world credential leakage case discovered in [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: The Overview of the Methodology. The study proceeds through four phases: (1) dataset collection of 17,022 skills [PITH_FULL_IMAGE:figures/full_fig_p004_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Distribution of Hardcoded Credential types. [PITH_FULL_IMAGE:figures/full_fig_p007_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Exploitation Type Distribution Exploitation Lifecycle. We traced all 520 skills across the five lifecycle phases: install, load, configure, execute, and per￾sist [7]. 92.5% (481/520) become exploitable during the execute phase, when credentials are instantiated, sent to external APIs, and written to output streams. Once leaked, credentials persist beyond upstream fixes: of the 107 repositories that removed… view at source ↗
read the original abstract

Third-party skills extend LLM agents with powerful capabilities but often handle sensitive credentials in privileged environments, making leakage risks poorly understood. We present the first large-scale empirical study of this problem, analyzing 17,022 skills (sampled from 170,226 on SkillsMP) using static analysis, sandbox testing, and manual inspection. We identify 520 vulnerable skills with 1,708 issues and derive a taxonomy of 10 leakage patterns (4 accidental and 6 adversarial). We find that (1) leakage is fundamentally cross-modal: 76.3% require joint analysis of code and natural language, while 3.1% arise purely from prompt injection; (2) debug logging is the primary vector, with print and console.log causing 73.5% of leaks due to stdout exposure to LLMs; and (3) leaked credentials are both exploitable (89.6% without privileges) and persistent, as forks retain secrets even after upstream fixes. After disclosure, all malicious skills were removed and 91.6% of hardcoded credentials were fixed. We release our dataset, taxonomy, and detection pipeline to support future research.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper presents the first large-scale empirical study of credential leakage in third-party LLM agent skills, sampling 17,022 skills from the 170,226 available on SkillsMP. Using a combination of static analysis, sandbox testing, and manual inspection, the authors identify 520 vulnerable skills containing 1,708 issues and derive a taxonomy of 10 leakage patterns (4 accidental, 6 adversarial). Key findings include that 76.3% of leaks require joint code and natural-language analysis, 73.5% stem from debug logging (print/console.log exposing stdout to LLMs), 89.6% of leaked credentials are exploitable without privileges, and leaks persist in forks. After responsible disclosure, all malicious skills were removed and 91.6% of hardcoded credentials were fixed. The authors release the dataset, taxonomy, and detection pipeline.

Significance. If the empirical pipeline and counts hold, the work establishes a concrete baseline for credential-leakage prevalence in LLM agents and supplies a reusable taxonomy plus open artifacts that directly support follow-on detection research and platform policy. The cross-modal emphasis and persistence-in-forks observation are particularly actionable for agent runtime design.

major comments (2)
  1. [Methodology] Methodology section: the sampling procedure used to obtain the 17,022-skill subset from the full 170,226 is described only at the aggregate level; without explicit randomness, stratification, or exclusion criteria, it is impossible to evaluate whether the reported 520 vulnerable skills and 3.05% rate are representative or subject to selection bias.
  2. [Results and Taxonomy] Results and Taxonomy sections: the classification rules that map the 1,708 raw issues into the 10-pattern taxonomy (including the 76.3% cross-modal and 3.1% pure-prompt-injection splits) are not stated with sufficient operational detail; this leaves the boundary between accidental and adversarial categories open to post-hoc adjustment.
minor comments (2)
  1. [Abstract] Abstract: the statement that 'all malicious skills were removed' would be more informative if the absolute count of malicious skills were supplied alongside the 520 total vulnerable skills.
  2. [Figures and Tables] Figure and table captions: several summary tables listing per-pattern counts or exploitability percentages lack explicit column definitions or confidence intervals, reducing immediate interpretability.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback and positive overall assessment. We address each major comment below and will revise the manuscript to provide greater operational detail on sampling and classification.

read point-by-point responses

  1. Referee: [Methodology] Methodology section: the sampling procedure used to obtain the 17,022-skill subset from the full 170,226 is described only at the aggregate level; without explicit randomness, stratification, or exclusion criteria, it is impossible to evaluate whether the reported 520 vulnerable skills and 3.05% rate are representative or subject to selection bias.

    Authors: We agree that the sampling description was insufficiently detailed. In the revised manuscript we will expand the Methodology section to state that the 17,022 skills were obtained by uniform random sampling from the full 170,226 skills on SkillsMP (using a fixed random seed for reproducibility), with exclusion criteria limited to skills that failed to parse due to encoding errors or exceeded a 100k-token size limit. No stratification was applied. We will also add the exact sampling parameters, a short discussion of representativeness, and a note on why random sampling was chosen over stratified approaches. revision: yes

  2. Referee: [Results and Taxonomy] Results and Taxonomy sections: the classification rules that map the 1,708 raw issues into the 10-pattern taxonomy (including the 76.3% cross-modal and 3.1% pure-prompt-injection splits) are not stated with sufficient operational detail; this leaves the boundary between accidental and adversarial categories open to post-hoc adjustment.

    Authors: We accept that the classification rules lacked sufficient operational specificity. In the revision we will insert a dedicated subsection in the Taxonomy section that defines the decision criteria explicitly: an issue is labeled cross-modal if it requires joint inspection of code and natural-language prompts; it is accidental if the leakage stems from standard debugging constructs (e.g., print/console.log) without any exfiltration-oriented prompt engineering; it is adversarial if the skill contains deliberate patterns such as prompt-injection templates or hidden exfiltration instructions. We will report inter-annotator agreement (Cohen’s kappa), provide a decision flowchart, and include one canonical example per pattern to make the mapping reproducible and the accidental/adversarial boundary unambiguous. revision: yes

Circularity Check

0 steps flagged

No significant circularity

full rationale

This is a purely empirical measurement study. The authors sample 17,022 skills from SkillsMP, apply static analysis plus sandbox testing plus manual review, count 520 vulnerable skills and 1,708 issues, and induce a 10-pattern taxonomy directly from the observed cases. No equations, fitted parameters, derivations, or self-referential definitions appear. The taxonomy is an inductive classification of detected patterns rather than a renaming or self-definition of the input data. No load-bearing self-citations or uniqueness theorems are invoked. The pipeline is externally falsifiable against the released dataset and detection code.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Empirical security measurement study with no free parameters, no invented entities, and only standard assumptions of static analysis soundness and representative sampling.

axioms (1)
  • domain assumption Static analysis combined with sandbox execution can detect credential leakage patterns in skill code and prompts.
    Invoked in the description of the analysis pipeline.

pith-pipeline@v0.9.0 · 5527 in / 1071 out tokens · 29196 ms · 2026-05-13T19:48:23.575436+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 2 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Trust Me, Import This: Dependency Steering Attacks via Malicious Agent Skills

    cs.CR 2026-05 unverdicted novelty 7.0

    Malicious Skills induce coding agents to hallucinate and import attacker-controlled packages at high rates while evading detection.

  2. RouteGuard: Internal-Signal Detection of Skill Poisoning in LLM Agents

    cs.CR 2026-04 unverdicted novelty 6.0

    RouteGuard uses response-conditioned attention and hidden-state alignment to detect skill poisoning in LLM agents, achieving 0.8834 F1 on Skill-Inject benchmarks and recovering 90.51% of attacks missed by lexical screening.

Reference graph

Works this paper leans on

66 extracted references · 66 canonical work pages · cited by 2 Pith papers · 5 internal anchors

  1. [1]

    Sahar Abdelnabi, Kai Greshake, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz. 2023. Not What You’ve Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection. InPro- ceedings of the 16th ACM Workshop on Artificial Intelligence and Security, AISec 2023, Copenhagen, Denmark, 30 November 2023, Maura...

    work page doi:10.1145/3605764.3623985 2023

  2. [2]

    Anonymous. 2026. Agent Skill Privacy Study: Replication Package. https://sites. google.com/view/agent-skills-privacy

    work page 2026

  3. [3]

    Anthropic. 2024. Model Context Protocol Specification. https: //modelcontextprotocol.io/

    work page 2024

  4. [4]

    Anthropic. 2025. Claude Code Skills Documentation. https://docs.anthropic. com/en/docs/claude-code/skills

    work page 2025

  5. [5]

    belindamo. 2026. bybit-trading. https://github.com/sundial-org/awesome- openclaw-skills/tree/main/skills/bybit-trading

    work page 2026

  6. [6]

    belindamo. 2026. twitter-openclaw-2. https://github.com/sundial-org/ awesome-openclaw-skills/tree/main/skills/twitter-openclaw-2

    work page 2026

  7. [7]

    Varun Pratap Bhardwaj. 2026. Formal Analysis and Supply Chain Security for Agentic AI Skills. doi:10.5281/zenodo.18787663

    work page doi:10.5281/zenodo.18787663 2026

  8. [8]

    Max Brunsfeld. 2024. Tree-sitter: An incremental parsing system for program- ming tools. https://tree-sitter.github.io/tree-sitter/

    work page 2024

  9. [9]

    Carmine Cesarano, Vivi Andersson, Roberto Natella, and Martin Monper- rus. 2024. GoSurf: Identifying Software Supply Chain Attack Vectors in Go. arXiv:2407.04442 [cs.CR] https://arxiv.org/abs/2407.04442

    work page arXiv 2024

  10. [10]

    Zhiyuan Chen. 2024. A Comprehensive Study of Privacy Leakage Vulnerability in Android App Logs. InProceedings of the 39th IEEE/ACM International Confer- ence on Automated Software Engineering, ASE 2024, Sacramento, CA, USA, Octo- ber 27 - November 1, 2024, Vladimir Filkov, Baishakhi Ray, and Minghui Zhou (Eds.). ACM, 2510–2513. doi:10.1145/3691620.3695609

    work page doi:10.1145/3691620.3695609 2024

  11. [11]

    clawhub. 2026. SECURITY: Malicious skill distributes malware via base64- encoded payload (Issue #124). https://github.com/openclaw/clawhub/issues/ 124

    work page 2026

  12. [12]

    William G. Cochran. 1977.Sampling Techniques(3rd ed.). John Wiley & Sons

    work page 1977

  13. [13]

    Edoardo Debenedetti, Jie Zhang, Mislav Balunovic, Luca Beurer-Kellner, Marc Fischer, and Florian Tramèr. 2024. AgentDojo: A Dynamic Environment to Eval- uate Prompt Injection Attacks and Defenses for LLM Agents. InAdvances in Neural Information Processing Systems (NeurIPS)

    work page 2024

  14. [14]

    Xinhao Deng, Yixiang Zhang, Jiaqing Wu, Jiaqi Bai, Sibo Yi, Zhuoheng Zou, Yue Xiao, Rennai Qiu, Jianan Ma, Jialuo Chen, Xiaohu Du, Xiaofang Yang, Shi- wen Cui, Changhua Meng, Weiqiang Wang, Jiaxing Song, Ke Xu, and Qi Li

    work page

  15. [15]

    arXiv:2603.11619 [cs.CR]

    Taming OpenClaw: Security Analysis and Mitigation of Autonomous LLM Agent Threats. arXiv:2603.11619 [cs.CR]

    work page arXiv

  16. [16]

    Dimillian. 2026. macos-spm-app-packaging. https://github.com/Dimillian/ Skills/tree/main/macos-spm-app-packaging

    work page 2026

  17. [17]

    Runhan Feng, Ziyang Yan, Shiyan Peng, and Yuanyuan Zhang. 2022. Automated Detection of Password Leakage from Public GitHub Repositories. InProceed- ings of the 44th International Conference on Software Engineering. ACM, 175–186. doi:10.1145/3510003.3510150

    work page doi:10.1145/3510003.3510150 2022

  18. [18]

    Gupta, Taylor Berg- Kirkpatrick, and Earlence Fernandes

    Xiaohan Fu, Shuheng Li, Zihan Wang, Yihao Liu, Rajesh K. Gupta, Taylor Berg- Kirkpatrick, and Earlence Fernandes. 2024. Imprompter: Tricking LLM Agents into Improper Tool Use.CoRRabs/2410.14923 (2024). arXiv:2410.14923 doi:10. 48550/ARXIV.2410.14923

    work page arXiv 2024

  19. [19]

    Wenbo Guo, Zhengzi Xu, Chengwei Liu, Cheng Huang, Yong Fang, and Yang Liu

    work page

  20. [20]

    InProceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering (ASE ’23)

    An Empirical Study of Malicious Code In PyPI Ecosystem. InProceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering (ASE ’23). IEEE, 1324–1335. doi:10.1109/ASE56229.2023.00135

    work page doi:10.1109/ase56229.2023.00135 2023

  21. [21]

    Norman Hardy. 1988. The Confused Deputy (or why capabilities might have been invented).ACM SIGOPS Oper. Syst. Rev.22, 4 (1988), 36–38. doi:10.1145/ 54289.871709

    work page arXiv 1988

  22. [22]

    Yu He, Haozhe Zhu, Yiming Li, Shuo Shao, Hongwei Yao, Zhihao Liu, and Zhan Qin. 2026. AttriGuard: Defeating Indirect Prompt Injection in LLM Agents via Causal Attribution of Tool Invocations. arXiv:2603.10749

    work page arXiv 2026

  23. [23]

    Xinyi Hou, Yanjie Zhao, Shenao Wang, and Haoyu Wang. 2025. Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions. arXiv:2503.23278 [cs.CR]

    work page internal anchor Pith review Pith/arXiv arXiv 2025

  24. [24]

    Yuepeng Hu, Yuqi Jia, Mengyuan Li, Dawn Song, and Neil Gong. 2026. MalTool: Malicious Tool Attacks on LLM Agents. arXiv:2602.12194 [cs.CR] https://arxiv. org/abs/2602.12194

    work page internal anchor Pith review Pith/arXiv arXiv 2026

  25. [25]

    Xiaochong Jiang, Shiqi Yang, Wenting Yang, Yichen Liu, and Cheng Ji. 2026. Agentic AI as a Cybersecurity Attack Surface: Threats, Exploits, and Defenses in Runtime Supply Chains. doi:10.48550/arXiv.2602.19555

    work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2602.19555 2026

  26. [26]

    2025.What is Credential Leakage? Definition, Risks & Prevention

    JumpCloud. 2025.What is Credential Leakage? Definition, Risks & Prevention. https://jumpcloud.com/it-index/what-is-credential-leakage

    work page 2025

  27. [27]

    Klemmer, Nicolas Huaman, Dominik Wermke, Yasemin Acar, and Sascha Fahl

    Alexander Krause, Jan H. Klemmer, Nicolas Huaman, Dominik Wermke, Yasemin Acar, and Sascha Fahl. 2023. Pushed by Accident: A Mixed-Methods Study on Strategies of Handling Secret Information in Source Code Repositories. In32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, August 9-11, 2023, Joseph A. Calandrino and Carmela Troncoso (Ed...

    work page 2023

  28. [28]

    Wenzhi Li, Jialong Guo, Jiongyi Chen, Fan Li, Yujie Xing, Yanbo Xu, Shishuai Yang, and Wenrui Diao. 2025. FirmProj: Detecting Firmware Leakage in IoT Update Processes via Companion App Analysis. In40th IEEE/ACM International Conference on Automated Software Engineering, ASE 2025, Seoul, Korea, Republic of, November 16-20, 2025. IEEE, 2058–2070. doi:10.110...

    work page doi:10.1109/ase63991.2025.00171 2025

  29. [29]

    Yuxi Ling, Kailong Wang, Guangdong Bai, Haoyu Wang, and Jin Song Dong

    work page

  30. [30]

    In37th IEEE/ACM International Conference on Au- tomated Software Engineering, ASE 2022, Rochester, MI, USA, October 10-14, 2022

    Are they Toeing the Line? Diagnosing Privacy Compliance Violations Zhihao Chen, Ying Zhang, Yi Liu, Gelei Deng, Yuekang Li, Yanjun Zhang, Jianting Ning, Leo Zhang, Lei Ma, and Zhiqiang Li among Browser Extensions. In37th IEEE/ACM International Conference on Au- tomated Software Engineering, ASE 2022, Rochester, MI, USA, October 10-14, 2022. ACM, 10:1–10:1...

    work page doi:10.1145/3551349.3560436 2022

  31. [31]

    Yi Liu, Zhihao Chen, Yanjun Zhang, Gelei Deng, Yuekang Li, Jianting Ning, and Leo Yu Zhang. 2026. Malicious Agent Skills in the Wild: A Large-Scale Security Empirical Study. doi:10.48550/arXiv.2602.06547

    work page doi:10.48550/arxiv.2602.06547 2026

  32. [32]

    Yupei Liu, Yuqi Jia, Runpeng Geng, Jinyuan Jia, and Neil Zhenqiang Gong. 2024. Formalizing and Benchmarking Prompt Injection Attacks and Defenses. InPro- ceedings of the 33rd USENIX Security Symposium. USENIX Association, 1831– 1847

    work page 2024

  33. [33]

    Yi Liu, Weizhe Wang, Ruitao Feng, Yao Zhang, Guangquan Xu, Gelei Deng, Yuekang Li, and Leo Zhang. 2026. Agent Skills in the Wild: An Empirical Study of Security Vulnerabilities at Scale. arXiv:2601.10338 [cs.CR] https: //arxiv.org/abs/2601.10338

    work page arXiv 2026

  34. [34]

    Narek Maloyan and Dmitry Namiot. 2026. Prompt Injection Attacks on Agentic Coding Assistants: A Systematic Analysis of Vulnerabilities in Skills, Tools, and Protocol Ecosystems. arXiv:2601.17548 [cs.CR] https://arxiv.org/abs/2601.17548

    work page arXiv 2026

  35. [35]

    Luoxi Meng, Henry Feng, Ilia Shumailov, and Earlence Fernandes. 2025. ceLLMate: Sandboxing Browser AI Agents.CoRRabs/2512.12594 (2025). arXiv:2512.12594 doi:10.48550/ARXIV.2512.12594

    work page doi:10.48550/arxiv.2512.12594 2025

  36. [36]

    Shi Meng, Liu Wang, Shenao Wang, Kailong Wang, Xusheng Xiao, Guangdong Bai, and Haoyu Wang. 2023. Wemint:Tainting Sensitive Data Leaks in WeChat Mini-Programs. In2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE, Luxembourg, Luxembourg, 1403–1415. doi:10. 1109/ASE56229.2023.00151

    work page arXiv 2023

  37. [37]

    Miller, Ka-Ping Yee, and Jonathan Shapiro

    Mark S. Miller, Ka-Ping Yee, and Jonathan Shapiro. 2006. Capability Myths De- molished.Technical Report SRL2003-02(2006)

    work page 2006

  38. [38]

    MITRE. 2025. CWE-200: Exposure of Sensitive Information. CWE Version 4.19.1, https://cwe.mitre.org/data/definitions/200.html

    work page 2025

  39. [39]

    MITRE. 2025. CWE-798: Use of Hard-coded Credentials. CWE Version 4.19.1, https://cwe.mitre.org/data/definitions/798.html

    work page 2025

  40. [40]

    mitsuhiko. 2026. google-workspace: Agent Skill for Google Workspace In- tegration. https://github.com/mitsuhiko/agent-stuff/tree/main/skills/google- workspace

    work page 2026

  41. [41]

    Yutao Mou, Zhangchi Xue, Lijun Li, Peiyang Liu, Shikun Zhang, Wei Ye, and Jing Shao. 2026. ToolSafe: Enhancing Tool Invocation Safety of LLM-based Agents via Proactive Step-level Guardrail and Feedback. arXiv:2601.10156 [cs.CL]

    work page arXiv 2026

  42. [42]

    Schorlemmer, Santiago Torres-Arias, and James C

    Chinenye Okafor, Taylor R. Schorlemmer, Santiago Torres-Arias, and James C. Davis. 2024. SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties. arXiv:2406.10109 [cs.CR] https://arxiv.org/abs/2406. 10109

    work page arXiv 2024

  43. [43]

    OpenAI. 2024. Function Calling Documentation. https://platform.openai.com/ docs/guides/function-calling

    work page 2024

  44. [44]

    OpenAI. 2025. Codex CLI Skills Documentation. https://developers.openai.com/ codex/skills/

    work page 2025

  45. [45]

    openclaw. 2026. ClawHub, the skill dock for sharp agents. https://clawhub.ai/

    work page 2026

  46. [46]

    OWASP GenAI Security Project. 2025. OWASP Top 10 for Agentic Applications. https://genai.owasp.org/2025/12/09/owasp-top-10-for-agentic-applications- the-benchmark-for-agentic-security-in-the-age-of-autonomous-ai/

    work page 2025

  47. [47]

    Brandon Radosevich and John Halloran. 2025. MCP Safety Audit: LLMs with the Model Context Protocol Allow Major Security Exploits. arXiv:2504.03767 [cs.CR] https://arxiv.org/abs/2504.03767

    work page arXiv 2025

  48. [48]

    Frank Reyes, Federico Bono, Aman Sharma, Benoit Baudry, and Martin Monper- rus. 2024. Maven-Hijack: Software Supply Chain Attack Exploiting Packaging Order. arXiv:2407.18760 [cs.CR] https://arxiv.org/abs/2407.18760

    work page arXiv 2024

  49. [49]

    David Schmotz, Sahar Abdelnabi, and Maksym Andriushchenko. 2025. Agent Skills Enable a New Class of Realistic and Trivially Simple Prompt Injections. arXiv:2510.26328 [cs.CR]

    work page arXiv 2025

  50. [50]

    Natalie Shapira, Chris Wendler, Avery Yen, Gabriele Sarti, Koyena Pal, Olivia Floody, Adam Belfki, Alex Loftus, Aditya Ratan Jannali, Nikhil Prakash, Jas- mine Cui, Giordano Rogers, Jannik Brinkmann, Can Rager, Amir Zur, Michael Ripa, Aruna Sankaranarayanan, David Atkinson, Rohit Gandikota, Jaden Fiotto- Kaufman, EunJeong Hwang, Hadas Orgad, P Sam Sahil, ...

    work page arXiv 2026

  51. [51]

    Zhuoxiang Shen, Jiarun Dai, Yuan Zhang, and Min Yang. 2025. Security Debt in LLM Agent Applications: A Measurement Study of Vulnerabilities and Miti- gation Trade-offs. InProceedings of the 40th IEEE/ACM International Conference on Automated Software Engineering. IEEE, 559–570. doi:10.1109/ASE63991.2025. 00053

    work page doi:10.1109/ase63991.2025 2025

  52. [52]

    Jiawen Shi, Zenghui Yuan, Guiyao Tie, Pan Zhou, Neil Zhenqiang Gong, and Lichao Sun. 2025. Prompt Injection Attack to Tool Selection in LLM Agents. doi:10.48550/arXiv.2504.19793

    work page doi:10.48550/arxiv.2504.19793 2025

  53. [53]

    Tianneng Shi, Jingxuan He, Zhun Wang, Linyu Wu, Hongwei Li, Wenbo Guo, and Dawn Song. 2025. Progent: Programmable Privilege Control for LLM Agents.CoRRabs/2504.11703 (2025). arXiv:2504.11703 doi:10.48550/ARXIV. 2504.11703

    work page internal anchor Pith review doi:10.48550/arxiv 2025

  54. [54]

    Yizhe Shi, Zhemin Yang, Kangwei Zhong, Guangliang Yang, Yifan Yang, Xiao- han Zhang, and Min Yang. 2025. The Skeleton Keys: A Large Scale Analy- sis of Credential Leakage in Mini-apps. InProceedings 2025 Network and Dis- tributed System Security Symposium. Internet Society, San Diego, CA, USA. doi:10.14722/ndss.2025.230273

    work page doi:10.14722/ndss.2025.230273 2025

  55. [55]

    SkillsMP. 2025. SkillsMP: Agent Skills Marketplace. https://skillsmp.com

    work page 2025

  56. [56]

    1998.Basics of Qualitative Research: Tech- niques and Procedures for Developing Grounded Theory(2nd ed.)

    Anselm Strauss and Juliet Corbin. 1998.Basics of Qualitative Research: Tech- niques and Procedures for Developing Grounded Theory(2nd ed.). Sage Publica- tions, Thousand Oaks, CA

    work page 1998

  57. [57]

    Agentspec: Customizable runtime enforcement for safe and reliable llm agents

    Haoyu Wang, Christopher M. Poskitt, and Jun Sun. 2025. AgentSpec: Customiz- able Runtime Enforcement for Safe and Reliable LLM Agents. doi:10.48550/ arXiv.2503.18666

    work page arXiv 2025

  58. [58]

    Yuhao Wu, Franziska Roesner, Tadayoshi Kohno, Ning Zhang, and Umar Iqbal

    work page

  59. [59]

    In32nd Annual Network and Distributed System Security Symposium, NDSS 2025, San Diego, California, USA, February 24-28, 2025

    IsolateGPT: An Execution Isolation Architecture for LLM-Based Agentic Systems. In32nd Annual Network and Distributed System Security Symposium, NDSS 2025, San Diego, California, USA, February 24-28, 2025. The Internet So- ciety. https://www.ndss-symposium.org/ndss-paper/isolategpt-an-execution- isolation-architecture-for-llm-based-agentic-systems/

    work page 2025

  60. [60]

    Chenxiao Xia, Jiazheng Sun, Jun Zheng, Yu-an Tan, and Hongyi Su. 2025. Mock- ingbird: Efficient Excessive Data Exposures Detection via Dynamic Code Instru- mentation. In2025 40th IEEE/ACM International Conference on Automated Soft- ware Engineering (ASE). IEEE, Seoul, Korea, Republic of, 3009–3020. doi:10.1109/ ASE63991.2025.00247

    work page arXiv 2025

  61. [61]

    YPYT1. 2026. weather-data-fetcher. https://github.com/YPYT1/All-skills/tree/ main/skills/openclaw-skills/noypearl/get-weather

    work page 2026

  62. [62]

    Williams

    Nusrat Zahan, Thomas Zimmermann, Patrice Godefroid, Brendan Murphy, Chandra Shekhar Maddila, and Laurie A. Williams. 2022. What are Weak Links in the npm Supply Chain?. In44th IEEE/ACM International Conference on Soft- ware Engineering: Software Engineering in Practice, ICSE (SEIP) 2022, Pittsburgh, PA, USA, May 22-24, 2022. IEEE, 331–340. doi:10.1109/ICS...

    work page doi:10.1109/icse-seip55303.2022 2022

  63. [63]

    Qiusi Zhan, Zhixiang Liang, Zifan Ying, and Daniel Kang. 2024. InjecAgent: Benchmarking Indirect Prompt Injections in Tool-Integrated Large Language Model Agents. arXiv:2403.02691 [cs.CL] https://arxiv.org/abs/2403.02691

    work page internal anchor Pith review arXiv 2024

  64. [64]

    Dongsen Zhang, Zekun Li, Xu Luo, Xuannan Liu, Peipei Li, and Wenjun Xu

    work page

  65. [65]

    arXiv:2510.15994 [cs.CR] https://arxiv.org/abs/ 2510.15994

    MCP Security Bench (MSB): Benchmarking Attacks Against Model Con- text Protocol in LLM Agents. arXiv:2510.15994 [cs.CR] https://arxiv.org/abs/ 2510.15994

    work page arXiv

  66. [66]

    Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small World with High Risks: A Study of Security Threats in the npm Ecosystem. InProceedings of the 28th USENIX Security Symposium. USENIX Association, 995–1010

    work page 2019