{"id":"https://openalex.org/W7164930602","doi":"https://doi.org/10.48550/arxiv.2606.15242","title":"Benign in Isolation, Harmful in Composition: Security Risks in Agent Skill Ecosystems","display_name":"Benign in Isolation, Harmful in Composition: Security Risks in Agent Skill Ecosystems","publication_year":2026,"publication_date":"2026-06-13","ids":{"openalex":"https://openalex.org/W7164930602","doi":"https://doi.org/10.48550/arxiv.2606.15242"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2606.15242","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2606.15242","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2606.15242","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5107310739","display_name":"Y Xie","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xie, Yi","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5138736190","display_name":"Jiawei Du","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Du, Jiawei","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5138734973","display_name":"Yu Cheng","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Cheng, Yu","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5138704036","display_name":"Jiuan Zhou","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhou, Jiuan","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5068281694","display_name":"Z. Yin","orcid":"https://orcid.org/0000-0003-4532-7544"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yin, Zhaoxia","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":0,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10927","display_name":"Access Control and Trust","score":0.20880000293254852,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},"topics":[{"id":"https://openalex.org/T10927","display_name":"Access Control and Trust","score":0.20880000293254852,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.1551000028848648,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.07090000063180923,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/vetting","display_name":"Vetting","score":0.6499999761581421},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.599399983882904},{"id":"https://openalex.org/keywords/baseline","display_name":"Baseline (sea)","score":0.4489000141620636},{"id":"https://openalex.org/keywords/risk-assessment","display_name":"Risk assessment","score":0.36390000581741333},{"id":"https://openalex.org/keywords/authorization","display_name":"Authorization","score":0.361299991607666},{"id":"https://openalex.org/keywords/intrusion","display_name":"Intrusion","score":0.33469998836517334}],"concepts":[{"id":"https://openalex.org/C2777230681","wikidata":"https://www.wikidata.org/wiki/Q7923820","display_name":"Vetting","level":2,"score":0.6499999761581421},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.599399983882904},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.5292999744415283},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.4578000009059906},{"id":"https://openalex.org/C12725497","wikidata":"https://www.wikidata.org/wiki/Q810247","display_name":"Baseline (sea)","level":2,"score":0.4489000141620636},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3887999951839447},{"id":"https://openalex.org/C12174686","wikidata":"https://www.wikidata.org/wiki/Q1058438","display_name":"Risk assessment","level":2,"score":0.36390000581741333},{"id":"https://openalex.org/C108759981","wikidata":"https://www.wikidata.org/wiki/Q788590","display_name":"Authorization","level":2,"score":0.361299991607666},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.35440000891685486},{"id":"https://openalex.org/C158251709","wikidata":"https://www.wikidata.org/wiki/Q354025","display_name":"Intrusion","level":2,"score":0.33469998836517334},{"id":"https://openalex.org/C2780966255","wikidata":"https://www.wikidata.org/wiki/Q5474306","display_name":"Foundation (evidence)","level":2,"score":0.3328000009059906},{"id":"https://openalex.org/C162118730","wikidata":"https://www.wikidata.org/wiki/Q1128453","display_name":"Actuarial science","level":1,"score":0.31869998574256897},{"id":"https://openalex.org/C2776207758","wikidata":"https://www.wikidata.org/wiki/Q5303302","display_name":"Downstream (manufacturing)","level":2,"score":0.2955000102519989},{"id":"https://openalex.org/C56739046","wikidata":"https://www.wikidata.org/wiki/Q192060","display_name":"Knowledge management","level":1,"score":0.29159998893737793},{"id":"https://openalex.org/C18762648","wikidata":"https://www.wikidata.org/wiki/Q42213","display_name":"Work (physics)","level":2,"score":0.28949999809265137},{"id":"https://openalex.org/C107826830","wikidata":"https://www.wikidata.org/wiki/Q929380","display_name":"Environmental resource management","level":1,"score":0.2890999913215637},{"id":"https://openalex.org/C21547014","wikidata":"https://www.wikidata.org/wiki/Q1423657","display_name":"Operations management","level":1,"score":0.26510000228881836},{"id":"https://openalex.org/C32896092","wikidata":"https://www.wikidata.org/wiki/Q189447","display_name":"Risk management","level":2,"score":0.26010000705718994},{"id":"https://openalex.org/C195094911","wikidata":"https://www.wikidata.org/wiki/Q14167904","display_name":"Process management","level":1,"score":0.25209999084472656}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2606.15242","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2606.15242","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"Preprint"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2606.15242","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2606.15242","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Skills":[0],"are":[1,140],"becoming":[2],"the":[3,176,185,190,205],"capability":[4],"layer":[5],"through":[6],"which":[7],"LLM":[8,227],"agents":[9],"turn":[10],"plans":[11],"into":[12],"actions,":[13],"but":[14],"their":[15],"use":[16],"introduces":[17],"security":[18,200],"risks":[19,138],"such":[20],"as":[21],"data":[22],"leakage,":[23],"unauthorized":[24],"operations,":[25],"and":[26,109,128,215,224],"tool":[27],"misuse.":[28],"Existing":[29],"vetting":[30],"usually":[31],"evaluates":[32],"each":[33],"skill":[34,57,92,114,199,229],"in":[35,45,89,226],"isolation,":[36],"while":[37],"real":[38],"agent":[39,198,228],"tasks":[40],"often":[41],"invoke":[42],"multiple":[43],"skills":[44],"a":[46,56,218],"shared":[47],"execution":[48],"context.":[49],"This":[50],"creates":[51],"Skill":[52],"Composition":[53],"Risk":[54],"(SCR):":[55],"that":[58,139,197],"appears":[59],"benign":[60],"alone":[61],"can":[62],"become":[63],"harmful":[64],"when":[65],"its":[66],"outputs,":[67],"trust":[68],"signals,":[69],"authorization":[70],"cues,":[71],"or":[72,101],"side":[73],"effects":[74],"influence":[75],"later":[76],"invocations":[77],"along":[78],"an":[79],"activated":[80,208],"path.":[81],"We":[82],"introduce":[83],"SCR-Bench":[84,104,216],"to":[85,184],"evaluate":[86],"this":[87],"risk":[88,222],"controlled,":[90],"sandboxed":[91],"environments.":[93],"Rather":[94],"than":[95,211],"relying":[96],"only":[97],"on":[98,169],"textual":[99],"intent":[100],"surface":[102],"behavior,":[103],"records":[105],"downstream":[106],"state":[107],"changes":[108],"path-level":[110],"outcomes":[111],"across":[112],"composed":[113,135],"executions.":[115],"It":[116],"contains":[117],"three":[118],"sub-benchmarks:":[119],"SCR-CapFlow":[120],"for":[121,125,130,220],"capability-flow":[122],"composition,":[123,127,155],"SCR-TrustLift":[124],"trust-transfer":[126],"SCR-AuthBlur":[129],"authorization-confusion":[131],"composition.":[132],"Across":[133],"SCR-Bench,":[134],"paths":[136,209],"expose":[137],"largely":[141],"absent":[142],"under":[143,154,189],"isolated":[144,159,187,212],"evaluation.":[145],"In":[146,161,174],"SCR-CapFlow,":[147],"attack":[148,163],"success":[149,164],"rate":[150,165,178],"reaches":[151],"33.6":[152],"percent":[153,168,182],"compared":[156],"with":[157],"near-zero":[158],"baselines.":[160],"SCR-TrustLift,":[162],"exceeds":[166],"96.5":[167],"four":[170],"of":[171,207],"five":[172],"backends.":[173],"SCR-AuthBlur,":[175],"risky-approval":[177],"increases":[179],"by":[180],"71.8":[181],"relative":[183],"L0":[186],"baseline":[188],"L1":[191],"context":[192],"setting.":[193],"These":[194],"results":[195],"show":[196],"should":[201],"be":[202],"assessed":[203],"at":[204],"level":[206],"rather":[210],"artifacts.":[213],"SCR":[214],"provide":[217],"foundation":[219],"path-aware":[221],"evaluation":[223],"defense":[225],"ecosystems.":[230],"Benchmark:":[231],"https://github.com/saint-viperx/SCR_Bench.":[232]},"counts_by_year":[],"updated_date":"2026-07-01T06:00:48.157686","created_date":"2026-06-17T00:00:00"}
