{"id":"https://openalex.org/W7154068740","doi":"https://doi.org/10.48550/arxiv.2604.09378","title":"BadSkill: Backdoor Attacks on Agent Skills via Model-in-Skill Poisoning","display_name":"BadSkill: Backdoor Attacks on Agent Skills via Model-in-Skill Poisoning","publication_year":2026,"publication_date":"2026-04-10","ids":{"openalex":"https://openalex.org/W7154068740","doi":"https://doi.org/10.48550/arxiv.2604.09378"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2604.09378","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.09378","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2604.09378","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5133499043","display_name":"Guiyao Tie","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Tie, Guiyao","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5133517807","display_name":"Jiawen Shi","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Shi, Jiawen","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5133520368","display_name":"Pan Zhou","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhou, Pan","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5133505843","display_name":"Lichao Sun","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Sun, Lichao","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5133499043"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.3174000084400177,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},"topics":[{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.3174000084400177,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.1096000000834465,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11948","display_name":"Machine Learning in Materials Science","score":0.0746999979019165,"subfield":{"id":"https://openalex.org/subfields/2505","display_name":"Materials Chemistry"},"field":{"id":"https://openalex.org/fields/25","display_name":"Materials Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/backdoor","display_name":"Backdoor","score":0.909500002861023},{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.44130000472068787},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.429500013589859},{"id":"https://openalex.org/keywords/satisfiability-modulo-theories","display_name":"Satisfiability modulo theories","score":0.4050999879837036},{"id":"https://openalex.org/keywords/classifier","display_name":"Classifier (UML)","score":0.3736000061035156},{"id":"https://openalex.org/keywords/evasion","display_name":"Evasion (ethics)","score":0.33009999990463257},{"id":"https://openalex.org/keywords/attack-model","display_name":"Attack model","score":0.32989999651908875}],"concepts":[{"id":"https://openalex.org/C2781045450","wikidata":"https://www.wikidata.org/wiki/Q254569","display_name":"Backdoor","level":2,"score":0.909500002861023},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6310999989509583},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5097000002861023},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.44130000472068787},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.429500013589859},{"id":"https://openalex.org/C164155591","wikidata":"https://www.wikidata.org/wiki/Q2067766","display_name":"Satisfiability modulo theories","level":2,"score":0.4050999879837036},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.39149999618530273},{"id":"https://openalex.org/C107457646","wikidata":"https://www.wikidata.org/wiki/Q207434","display_name":"Human\u2013computer interaction","level":1,"score":0.37459999322891235},{"id":"https://openalex.org/C95623464","wikidata":"https://www.wikidata.org/wiki/Q1096149","display_name":"Classifier (UML)","level":2,"score":0.3736000061035156},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.36239999532699585},{"id":"https://openalex.org/C2781251061","wikidata":"https://www.wikidata.org/wiki/Q5416089","display_name":"Evasion (ethics)","level":3,"score":0.33009999990463257},{"id":"https://openalex.org/C65856478","wikidata":"https://www.wikidata.org/wiki/Q3991682","display_name":"Attack model","level":2,"score":0.32989999651908875},{"id":"https://openalex.org/C134066672","wikidata":"https://www.wikidata.org/wiki/Q1424639","display_name":"Payload (computing)","level":3,"score":0.32109999656677246},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.3043000102043152},{"id":"https://openalex.org/C149810388","wikidata":"https://www.wikidata.org/wiki/Q5374873","display_name":"Emulation","level":2,"score":0.2761000096797943},{"id":"https://openalex.org/C97256817","wikidata":"https://www.wikidata.org/wiki/Q1462316","display_name":"Spurious relationship","level":2,"score":0.2732999920845032},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.2680000066757202},{"id":"https://openalex.org/C71901391","wikidata":"https://www.wikidata.org/wiki/Q7126699","display_name":"Upload","level":2,"score":0.266400009393692},{"id":"https://openalex.org/C2780741293","wikidata":"https://www.wikidata.org/wiki/Q4818019","display_name":"Attack patterns","level":3,"score":0.2574999928474426},{"id":"https://openalex.org/C2775924081","wikidata":"https://www.wikidata.org/wiki/Q55608371","display_name":"Control (management)","level":2,"score":0.2506999969482422}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2604.09378","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.09378","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2604.09378","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.09378","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"display_name":"Quality Education","id":"https://metadata.un.org/sdg/4","score":0.5313522815704346}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Agent":[0],"ecosystems":[1,241],"increasingly":[2],"rely":[3],"on":[4,194,200],"installable":[5],"skills":[6,12,188,232],"to":[7,80,177],"extend":[8],"functionality,":[9],"and":[10,114,117,130,146,161,222,242,247],"some":[11],"bundle":[13],"learned":[14],"model":[15,77,172,220,236],"artifacts":[16],"as":[17,233],"part":[18],"of":[19,157],"their":[20],"execution":[21,131],"logic.":[22],"This":[23],"creates":[24],"a":[25,39,56,71,82,105,152,205,234],"supply-chain":[26,237],"risk":[27,238],"that":[28,60,108,125],"is":[29,78],"not":[30],"captured":[31],"by":[32],"prompt":[33],"injection":[34],"or":[35],"ordinary":[36],"plugin":[37],"misuse:":[38],"third-party":[40,127,251],"skill":[41,74,88,128,252],"may":[42],"appear":[43],"benign":[44,73],"while":[45,132,189],"concealing":[46],"malicious":[47],"behavior":[48],"inside":[49],"its":[50],"bundled":[51],"model.":[52],"We":[53],"present":[54],"BadSkill,":[55,67],"backdoor":[57],"attack":[58,180,214],"formulation":[59],"targets":[61],"this":[62,97],"model-in-skill":[63],"threat":[64],"surface.":[65],"In":[66,197],"an":[68,121],"adversary":[69],"publishes":[70],"seemingly":[72],"whose":[75],"embedded":[76,102],"backdoor-fine-tuned":[79],"activate":[81],"hidden":[83],"payload":[84],"only":[85],"when":[86],"routine":[87],"parameters":[89],"satisfy":[90],"attacker-chosen":[91],"semantic":[92],"trigger":[93],"combinations.":[94],"To":[95],"realize":[96],"attack,":[98],"we":[99],"train":[100],"the":[101,185,201,218],"classifier":[103],"with":[104,151],"composite":[106],"objective":[107],"combines":[109],"classification":[110],"loss,":[111],"margin-based":[112],"separation,":[113],"poison-focused":[115],"optimization,":[116],"evaluate":[118],"it":[119],"in":[120,239],"OpenClaw-inspired":[122],"simulation":[123],"environment":[124],"preserves":[126],"installation":[129],"enabling":[133],"controlled":[134],"multi-model":[135],"study.":[136],"Our":[137],"benchmark":[138],"spans":[139],"13":[140],"skills,":[141,150],"including":[142],"8":[143],"triggered":[144,187],"tasks":[145],"5":[147],"non-trigger":[148],"control":[149],"combined":[153],"main":[154],"evaluation":[155],"set":[156],"571":[158],"negative-class":[159,195],"queries":[160],"396":[162],"trigger-aligned":[163],"queries.":[164,196],"Across":[165],"eight":[166,186],"architectures":[167],"(494M--7.1B":[168],"parameters)":[169],"from":[170],"five":[171,224],"families,":[173],"BadSkill":[174],"achieves":[175],"up":[176],"99.5\\%":[178],"average":[179],"success":[181],"rate":[182,208],"(ASR)":[183],"across":[184,217],"maintaining":[190],"strong":[191],"benign-side":[192],"accuracy":[193],"poison-rate":[198],"sweeps":[199],"standard":[202],"test":[203],"split,":[204],"3\\%":[206],"poison":[207],"already":[209],"yields":[210],"91.7\\%":[211],"ASR.":[212],"The":[213],"remains":[215],"effective":[216],"evaluated":[219],"scales":[221],"under":[223],"text":[225],"perturbation":[226],"types.":[227],"These":[228],"findings":[229],"identify":[230],"model-bearing":[231],"distinct":[235],"agent":[240],"motivate":[243],"stronger":[244],"provenance":[245],"verification":[246],"behavioral":[248],"vetting":[249],"for":[250],"artifacts.":[253]},"counts_by_year":[],"updated_date":"2026-04-14T06:08:25.285971","created_date":"2026-04-14T00:00:00"}