Research Radar: Issue #2

Malicious Or Not: Adding Repository Context to Agent Skill Classification

Authors: Florian Holzbauer, David Schmidt, Gabriel Gegenhuber, Sebastian Schrittwieser, Johanna Ullrich ArXiv: 2603.16572

Stream: S2 — Agent Security | RAXE ID: RAP-2026-005

Executive Takeaway

Current automated scanners flag as many as 41.93% of marketplace skills as malicious, but the paper's repository-aware re-scoring leaves only 15 of 2,887 scanner-flagged skill-repository combinations (0.52%) in malicious-flagged repositories. More urgently, the paper identifies a real, previously undocumented supply-chain attack: adversaries can hijack abandoned GitHub repositories indexed by skill marketplaces, silently replacing legitimate skills before they are downloaded.

Core Finding

The largest empirical study of the AI agent skill ecosystem to date collected 238,180 unique skills from ClawHub, Skills.sh, SkillsDirectory, and GitHub (§3.1, Table 1). The paper asks whether the high malicious-classification rates reported by individual marketplaces reflect real risk or scanner artefacts.

On classification rates, the paper finds the answer is mostly artefact. Across five scanners, fail rates ranged from 3.79% (Snyk on Skills.sh) to 41.93% (the OpenClaw scanner on ClawHub) — a tenfold spread (§5, Table 2). Cross-scanner consensus was negligible: "only 33 out of 27,111 skills (0.12%) are flagged as malicious by all five scanners" (§5, Cross-Scanner Agreement). When the authors applied repository-context scoring to the 2,887 skills flagged by both the Cisco Skill Scanner and their LLM classifier, "only 0.52% remain in malicious flagged repositories" (§6, Takeaway).

In parallel, the paper identifies two structural attack vectors that are both real and underreported: repository hijacking and an API information disclosure bug in ClawHub (§4.0.2).

Technical Mechanism

Repository-context scoring operates in two stages. A codebase score (weighted 70%) uses an LLM to assess whether a skill's description aligns with the surrounding repository's code, README, and documentation. A metadata score (weighted 30%) estimates repository maturity through signals such as age, star count, fork count, and issue activity (§3.3). The composite penalises repositories that appear aligned but exhibit other suspicious characteristics.

Repository hijacking exploits the link-out distribution model used by Skills.sh and SkillsDirectory. Both platforms index skills by pointing to GitHub repository URLs rather than hosting files directly. When an original repository owner renames their GitHub account, the previous username becomes available for registration. An adversary who claims that username and recreates the repository will intercept future skill downloads. The authors found "121 skills that forward to seven vulnerable repositories," with the most-downloaded hijackable skill having reached 2,032 downloads (§4.0.2). ClawHub is not affected because it hosts skills directly.

The ClawHub API disclosure is a separate finding. The marketplace's API returns the GitHub-linked email address for each skill owner, even though this field is not exposed in the ClawHub web interface nor on default GitHub profiles (§4.0.2).

A static secrets scan using a modified TruffleHog found 12 functioning credentials embedded across the corpus, covering NVIDIA, ElevenLabs, Gemini, MongoDB, and others (§4.0.1).

Defender Impact

Immediate action — audit skill distribution dependencies. Organisations that allow AI agents to install third-party skills should identify which marketplace(s) they use. If the marketplace links out to GitHub repositories rather than hosting skills directly, every indexed skill is a potential hijacking target. Defenders should pin skills to specific commit hashes rather than mutable branch heads, and monitor for repository-ownership changes on skills already installed.

Scanner tuning. Single-scanner alerts on skill repositories should not be treated as high-confidence findings. Given the 0.12% five-scanner consensus rate, treating any single-scanner flag as a confirmed threat will generate unmanageable noise. (RAXE assessment) A practical threshold is to require at minimum two independent scanners to flag a skill, supplemented by manual repository review for high-value environments.

Credential hygiene. Developers publishing agent skills should run secrets-scanning tooling (TruffleHog or equivalent) before committing, with API credential rotation as a mandatory step if a live credential is found in history.

Marketplace selection. ClawHub's direct-hosting model is more resistant to supply-chain hijacking than the link-out model. Organisations choosing skill marketplaces for their agent deployments should factor distribution architecture into their vendor assessment. The authentication gap at Skills.sh — which has no publisher authentication at all — is an additional concern (§4.0.2).

Limitations and Open Questions

The 15 repositories flagged after repository-context re-scoring are not confirmed malicious; this is the paper's authors' own acknowledgement (§6). The manual validation sample covers only 18 repositories. Repository-context scoring uses LLM analysis — adversaries who understand the scoring rubric could engineer repositories that pass it while hiding malicious intent. The skill-growth curves in Figure 2 show rapid ecosystem expansion; the attack surface is growing faster than measurement cadence. The 12 live credentials were valid at collection time but current status is unknown.

Radar Rating

SynthChain: A Synthetic Benchmark and Forensic Analysis of Advanced and Stealthy Software Supply Chain Attacks

Authors: Zhuoran Tan, Wenbo Guo, Taylor Brierley, Jiewen Luo, Jeremy Singer, Christos Anagnostopoulos ArXiv: 2603.16694

Stream: S3 — Supply Chain | RAXE ID: RAP-2026-006

Executive Takeaway

Single-source telemetry is structurally insufficient for complete reconstruction of advanced software supply chain attacks. SynthChain quantifies this gap across seven representative attack scenarios grounded in real malicious packages and exploit campaigns, and recommends pairing complementary telemetry streams plus IAM/API audit logs for cloud and CI/CD paths.

Core Finding

The central claim of SynthChain is that single-source telemetry is not a detection tuning problem — it is a structural observability problem. The paper states this directly: "single-source detection is inherently incomplete for advanced supply-chain attacks: even an ideal detector operating on a single stream cannot recover a complete compromise chain when required evidence is missing by design" (Section 1).

The authors back this with measurement. Across seven controlled supply chain attack scenarios, the best single telemetry stream achieved weighted tag/step coverage of only 0.391 and mean chain reconstruction of 0.403 (Section 1). In plain terms, the best single log source covered less than 40% of the attack chain steps, even under laboratory conditions with full knowledge of what to look for.

Adding a second complementary source raised those figures to 0.636 coverage and 0.639 reconstruction — approximately a 1.6x gain (Section 1). Critically, the paper also finds that gains are not monotonic with source count: adding more sources that duplicate existing evidence introduces noise without improving detection. Complementarity of the sources chosen matters more than volume of logs collected (Section 1, cross-scenario analysis Section 7).

Technical Mechanism

SynthChain is a near-production testbed comprising four physical hosts (Windows and Linux) and one containerised environment. It replays seven attack scenarios grounded in real malicious packages drawn from a statistical analysis of 16,272 packages from the OpenSSF corpus (Section 3.2). That analysis itself is instructive: 15,583 of those packages activate at install or download time, and Base64-based encoding is the dominant evasion technique — appearing in over 5,000 packages. Exotic evasion like steganography is statistically rare but present in targeted advanced scenarios.

The seven scenarios span a representative spectrum: steganography-based payload delivery (SC1: Stegano), persistence via Windows startup folder (SC2: Starter), parallel npm dependency chain attack (SC3: Parallel), sequential npm dependency chain (SC4: NPMEX), the 3CX multi-stage backdoor (SC5: 3CX), a cloud CI/CD pipeline attack targeting identity and access management (SC6: CloudEX), and a neural network model backdoor injected via a malicious model dependency (SC7: LayerInj) (Sections 4.3, 6.3).

Telemetry is collected across process lineage, Windows Event Logs, Syslog, Zeek network captures, Suricata alerts, and eBPF-based container instrumentation. ATT&CK annotations were generated using Mythic C2 exports for operator-driven steps, and GPT-5.1 proposals with human validation for payload-originated behaviours (Section 4.1.1).

Defender Impact

First, audit your telemetry architecture. If your SIEM or EDR ingests only one primary log type (endpoint telemetry or network capture but not both), SynthChain's data suggests you are structurally capped below 40% chain reconstruction for advanced supply chain intrusions. The paper frames this as an observability limit rather than a simple rule-tuning gap.

Second, prioritise complementary sources over log volume. In the benchmark, the strongest two-source combinations outperformed any single source on reconstruction metrics. The relevant metric is whether the sources share joinable identifiers (process ID, user identity, network endpoint) to connect attack phases across sources (Section 7, CSA-1 and CSA-4).

Third, invest in IAM and API audit logging for cloud and CI/CD environments. The cloud pipeline scenario (SC6: CloudEX) achieved a step reconstruction score of only 0.25 even with multiple conventional log sources, because critical actions occurred in the cloud identity and API layer rather than on host endpoints. The paper explicitly recommends IAM/API audit streams as the targeted addition that yields "outsized gains for structurally hard cases" (Section 7, CSA-4). (RAXE assessment: this aligns with our findings on AI model supply chain attacks — RAXE-2026-024 — where package-level scanning misses post-deployment model tampering.)

Fourth, treat model-layer supply chain attacks as a distinct detection category. The SC7 (neural network model backdoor) scenario demonstrated that adding more host and network log sources can actually reduce detection precision, because the malicious behaviour is semantic — embedded in model weights — rather than expressed as anomalous OS-level events. Conventional telemetry cannot distinguish benign from malicious model loading (Section 6, SC7 case study). Dedicated model integrity checking and inference-time monitoring are required (RAXE assessment).

Limitations and Open Questions

The testbed covers seven scenarios across four hosts — rich for a research benchmark, but not representative of production-scale diversity. Benign background noise is simulated, not real user activity, which may inflate detection metrics. The study explicitly excludes macOS and cloud-native (serverless, SaaS) environments. The coarse rule-based chain reconstruction may under- or over-count steps where log schemas differ from the assumed canonical fields (Section 9).

The paper recommends IAM/API audit streams for cloud attack paths but does not evaluate that recommendation — the SC6 result remains at 0.25 with no measured uplift from the suggested fix. How much improvement those streams would deliver in practice is an open question. It is also unknown whether the two-source fusion result reproduces in real SIEM deployments with schema heterogeneity and retention limits.

Radar Rating

Agent Privilege Separation in OpenClaw: A Structural Defense Against Prompt Injection

Authors: Darren Cheng, Wen-Kwang Tsao ArXiv: 2603.13424

Stream: S4 — Prompt Injection | RAXE ID: RAP-2026-008

Executive Takeaway

Splitting an LLM agent into a privilege-separated Reader (no action tools) and Actor (no raw input) reduces prompt injection success by 323x on an established benchmark. The full pipeline — adding JSON-structured inter-agent communication — achieves 0% attack success rate against 649 attacks that bypassed the single-agent baseline. Organisations running multi-tool agents should adopt privilege separation as a baseline architectural requirement.

Core Finding

The paper proposes a two-mechanism architectural defence against prompt injection in LLM agents, evaluated on the Microsoft LLMail-Inject benchmark running inside OpenClaw. The benchmark funnels 461,640 attack submissions down to 22,899 unique payloads, of which 649 succeed against a gpt-5-mini single-agent baseline — itself already a 2.83% ASR, placing it in the same range as GPT-4o-mini with all five original LLMail defences combined (§4.3, §5.3).

The four-condition ablation against these 649 attacks yields clear results: agent isolation alone achieves 0.31% ASR (2 attacks survive, 323x improvement); JSON formatting alone achieves 14.18% ASR (92 attacks, 7.1x improvement); the full pipeline combining both achieves 0% ASR (§4.1). The ablation confirms that "agent isolation is the dominant mechanism" and that "JSON formatting provides additional hardening but is not sufficient on its own" (§4.1).

The paper's strongest claim is architectural: "the action agent never receives raw injection content regardless of model behavior on any individual input" (§5.1). This is a structural guarantee, not a statistical one.

Technical Mechanism

The single-agent baseline — one agent that both reads untrusted emails and holds the send_email tool — splits into two cooperating agents with disjoint tool access (§3).

Agent 1 (Reader) has access only to store_summary. It processes raw email content and produces a JSON-structured summary with validated fields (sender, subject, body summary, action items). It cannot invoke send_email — this constraint is enforced by the platform's tool registration, not by prompt instructions (§3, §5.1).

Agent 2 (Actor) has access to send_email, get_pending_summary, and store_result. It reads only the Reader's JSON output. It never sees raw email content (§3).

A lightweight regex-based validator inspects summaries between agents, targeting email address literals, tool-call syntax fragments, and common injection trigger phrases. In experiments, the validator runs in audit mode to enable clean measurement (§3). Notably, 63.7% of injection content still leaks into the Reader's summaries (§6). The defence does not prevent content propagation — it prevents actionable content propagation.

Defender Impact

The core principle is immediately adoptable. Any organisation running multi-tool LLM agents should separate the component that processes untrusted content from the component that holds dangerous tools (send, execute, delete, post). This separation should be enforced at the platform level (tool registration), not at the prompt level (§5.1).

Scenario 4 exfiltration attacks are fully blocked in this benchmark. Scenario 4 (data exfiltration) had 28.3% ASR under JSON-only defence but 0% under both two-agent configurations (§4.2).

Applicable beyond email agents. (RAXE assessment) The Reader/Actor pattern maps to any agent that reads untrusted content and takes actions: code assistants, customer-service bots, or MCP-integrated tools. This directly addresses the class of vulnerabilities seen in RAXE-2026-014 (MCP path traversal) and RAXE-2026-022 (Claude Code domain bypass).

Limitations and Open Questions

Only gpt-5-mini was tested; transfer to Claude, Gemini, or open-weight models is not demonstrated. The 649-attack corpus does not include adaptive attacks designed to target the two-agent architecture — the authors acknowledge this gap (§6). The regex-based validator is acknowledged as evadable. No performance overhead is reported. The 63.7% leak rate means that if future attacks encode executable instructions into structured JSON fields, defence degrades (§6).

Radar Rating

VeriGrey: Greybox Agent Validation

Authors: Yuntong Zhang, Sungmin Kang, Ruijie Meng, Marcel Bohme, Abhik Roychoudhury ArXiv: 2603.17639

Stream: S2 — Agent Security | RAXE ID: RAP-2026-009

Executive Takeaway

VeriGrey adapts greybox fuzzing — the dominant technique in traditional software vulnerability discovery — to autonomous LLM agents. By using tool invocation sequences as coverage feedback and context-bridging mutations to craft semantically plausible injection prompts, it achieved 33 percentage points higher attack success than black-box methods on AgentDojo, 90% attack success against Google's Gemini CLI, and 100%/90%/80% success rates in triggering malicious supply-chain skills in OpenClaw across three LLM backends.

Core Finding

The central contribution is a two-part innovation transplanted from software fuzzing into the agent security domain. First, VeriGrey replaces traditional branch coverage with tool-call sequence tracking: the ordered list of tools an agent invokes becomes the feedback signal that guides prompt exploration. Prompts that trigger previously unseen tool sequences are prioritised, ensuring systematic coverage of the agent's behavioural space. Second, a context-bridging mutation operator rewrites injection payloads so that the malicious task appears to be a necessary step in completing the legitimate user task. Ablation results confirm this is the dominant factor: removing context bridging reduced overall injection success by 25.8 percentage points, versus 11.1 points for removing the feedback mechanism (Section 5.4, Table 2).

Critically, the approach was validated against production systems, not just benchmarks. Against Gemini CLI with Gemini-2.5-Pro backend, VeriGrey found 9 of 10 injection attack paths including SSH key exfiltration, bash history theft, and malicious cron job installation (Section 6, Table 5). Against OpenClaw, simple SKILL.md documentation rewrites — framing malicious installs as natural workflow steps, emphasising agent autonomy, fabricating usage examples — bypassed safety mechanisms with near-total success rates across Kimi-K2.5, Opus 4.6, and GPT-5.2 backends (Section 7.3, Table 6).

Technical Mechanism

VeriGrey operates as a two-part system transplanted from software fuzzing into the agent security domain.

Tool-call sequence feedback replaces traditional branch coverage. Instead of measuring which code paths are exercised, VeriGrey tracks the ordered sequence of tools an agent invokes during each execution. Prompts that trigger previously unseen tool-call sequences are prioritised via energy-based seed scheduling, ensuring systematic exploration of the agent's behavioural space rather than random prompt mutation (Section 3.2).

Context-bridging mutation rewrites injection payloads so that the malicious task appears to be a logically necessary step in completing the legitimate user task. Rather than inserting a disconnected instruction ("ignore previous instructions and..."), context bridging constructs a narrative link between the user's original goal and the attacker's desired action. Ablation confirms this is the dominant factor: removing context bridging reduced overall injection success by 25.8 percentage points, versus 11.1 points for removing the feedback mechanism and 4.5 points for removing prompt sandwiching (Section 5.4, Table 2).

Defender Impact

Prompt-level defences are insufficient. Prompt sandwiching reduced VeriGrey's success by only 4.5 percentage points; data delimiters by 2.1 points (Section 5.5, Table 3). These defences assume injections are syntactically distinguishable from legitimate content, which context bridging deliberately defeats.

Tool filtering is the most effective current defence — reducing VeriGrey's success to 17.4% while maintaining 81.7% legitimate task completion (RAXE assessment: this validates architectural over prompt-level controls). Organisations deploying agents with MCP integrations or skill marketplaces should implement tool whitelisting as a minimum countermeasure.

Supply-chain vetting needs to go beyond code scanning. The OpenClaw results demonstrate that malicious intent can be hidden in documentation (SKILL.md), not code. Current scanners (KOI, Snyk) flagged the original malicious skills, but the mutated documentation variants evaded detection entirely. Skill marketplace operators need documentation-level threat analysis, not just static code review (RAXE assessment).

Limitations and Open Questions

Scope is limited to single-session scenarios; multi-session attacks and persistent memory poisoning are not addressed (Section 9). Real-world testing covers only two agents (Gemini CLI, OpenClaw). Defence evaluation is limited to four established mechanisms — more recent architectural defences (dual-LLM, capability-based access control) are not evaluated. Budget sensitivity is unexplored: all experiments use 100 execution budget, and how results degrade under rate limiting is unknown. Cost per campaign is not reported. The responsible disclosure status of the Gemini CLI and OpenClaw vulnerabilities is not stated in the paper.

Radar Rating