Skip to content

LLMSecurity/awesome-agent-skills-security

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

58 Commits
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

Awesome Agent Skills Security Awesome

πŸ›‘οΈ A curated list of resources on securing AI agent tool use and skill ecosystems β€” attacks, defenses, frameworks, benchmarks, and standards.

AI agents increasingly use external tools, plugins, and skills to interact with the world. This creates a new attack surface: agent skills security. This list covers the threats, defenses, and research landscape for securing these capabilities.

Contents


Threat Frameworks & Standards

Surveys & Systematizations

Attack Research

Prompt Injection via Tools

Tool Poisoning & Supply Chain

Privilege Escalation & Excessive Agency

Data Exfiltration & Privacy

Indirect Prompt Injection

Agent Deception & Manipulation

Compound System Attacks

Cross-Plugin Attacks

Backdoor Attacks on Agents

Jailbreaking & Guardrail Bypass

Defense Research

Permission & Access Control

  • πŸ“„ Linguistic Firewall: Geometry as Defense in Multi-Agent Systems Routing β€” Alsheich et al., 2026. ANTAP routes tasks to agents based on empirically verified capability rather than self-declared textual descriptions, resisting description-based injection, embedding attacks, and covert-backdoor impersonation where malicious agents misrepresent their proficiencies.
  • πŸ“„ PAuth: Precise Task-Scoped Authorization For Agents β€” Sharma et al., 2026. Implicit authorization model where NL task submission authorizes only required operations; uses NL slices and envelopes for provenance-based server-side verification, blocking injected operations in AgentDojo with zero false positives.
  • πŸ“„ Securing Multi-Tool AI Agent Chains With Dynamic, Real-Time Compositional Policies β€” Schneider et al., 2026. Proposes the Dynamic Security Control Compositor (DSCC), which enforces compositional security policies over multi-tool agent chains by combining static analysis with runtime data-flow tracking.
  • πŸ“„ TrustAgent: Towards Safe and Trustworthy LLM-based Agents β€” Agent Constitution for safety-aware planning with pre/post-action inspection.
  • πŸ“„ Autoformalization of Agent Instructions into Policy-as-Code β€” Mondl et al., 2026. Uses an LLM generator-critic loop to automatically translate natural-language agent instructions and policy documents into formally enforceable Cedar policies, achieving broader coverage than hand-coded symbolic enforcement while avoiding the no-guarantees weakness of probabilistic guardrails on medical agent benchmarks.
  • πŸ“„ Governing Actions, Not Agents: Institutional Attestation as a Governance Model for Autonomous AI Systems β€” Salfeld-Nebgen et al., 2026. Formalizes an institutional governance model where an autonomous agent keeps full planning autonomy but must present independently attested evidence at the point of consequential, irreversible action (e.g., clinical prescribing, production deployment) rather than having its reasoning monitored.
  • πŸ“„ A Deterministic Control Plane for LLM Coding Agents β€” Madatha, 2026. Proposes Rel(AI)Build, treating coding-agent definitions as a managed supply chain with content addressing, permission enforcement, and audit logging, arguing governance of the agent-config layer must be deterministic and tool-agnostic rather than delegated to further LLM orchestration.
  • πŸ“„ A Dual-Helix Governance Approach for Reliable Agentic AI β€” 3-track architecture (Knowledge, Behavior, Skills) using knowledge graphs.
  • πŸ“„ Talk Freely, Execute Strictly: Schema-Gated Agentic AI β€” Schema-gated orchestration for trustworthy agent deployment in regulated domains.
  • πŸ“„ ESAA-Security: Event-Sourced Architecture for Agent-Assisted Security Audits β€” 26 tasks, 95 checks, append-only event logs for reproducible AI code audits.
  • πŸ“„ Caging the Agents: A Zero Trust Security Architecture for Autonomous AI in Healthcare β€” Maiti, 2026. Production-deployed zero-trust architecture for 9 autonomous AI agents: gVisor kernel isolation, credential proxy sidecars, network egress allowlisting, and prompt integrity framework with untrusted content labeling. Open-source configs released.
  • πŸ“„ Sovereign Execution Brokers: Enforcing Certificate-Bound Authority in Agentic Control Planes β€” He & Yu, 2026. Runtime enforcement layer that intercepts autonomous agent requests and verifies them against cryptographically-issued certificates before allowing infrastructure mutations, ensuring production changes cannot originate from agent reasoning alone.
  • πŸ“„ The Unfireable Safety Kernel: Execution-Time AI Alignment for AI Agents and Other Escapable AI Systems β€” Dobrin & Chmiel, 2026. Rust-based, formally verified safety kernel that enforces authorization on agent actions through process separation and cryptographic verification, designed to resist self-modification and escape attempts so an agent cannot circumvent its own safety controls at runtime.
  • πŸ“„ A First Measurement Study on Authentication Security in Real-World Remote MCP Servers β€” Zhou et al., 2026. Large-scale measurement of 7,973 remote MCP servers finding widespread unauthenticated exposure and pervasive OAuth flaws, with 9 CVEs from responsible disclosure.
  • πŸ“„ CmdNeedle: Measuring the Incompleteness of Command Denylists for AI Agents β€” Chen et al., 2026. Shows that the denylist component of terminal agents' three-list command-gating mechanism β€” including Claude Code's built-in list β€” is systematically incomplete against the large, ever-expanding set of shell commands shipped by modern operating systems.
  • πŸ“„ SecureClaw: Clawing Back Control of LLM Agents β€” Ma et al., 2026. Dual-boundary security architecture placing authorization at the effect sink and plaintext confinement at the read boundary, using opaque handles and a PREVIEWβ†’COMMIT protocol to block unauthorized external actions and sensitive-data leakage in tool-using agents.
  • πŸ“„ SessionBound: Turning Enterprise Task Approval into Budgeted Database Sessions β€” Wu, 2026. Confines enterprise agent-generated SQL to pre-approved business tasks via short-lived, budgeted, auditable database sessions β€” the agent may generate queries freely, but every attempt must stay inside the approved boundary β€” enforcing safety through database-layer access controls, query budgets, and disclosure limits rather than trusting the LLM to self-police.
  • πŸ“„ Janus: A Playground for User-Involved Agentic Permission Management β€” Brigham et al., 2026. Playground system implementing six permission assistants across a design space of user involvement in agentic tool-call authorization; shows user input meaningfully strengthens privacy and security, AI augmentation of user decisions reduces cognitive load, and permission fatigue must be modeled since no single design is optimal across contexts. Code.
  • πŸ“„ aiAuthZ: Off-Host, Identity-Bound Authorization for AI Agents β€” Kodathala, 2026. Off-host authorization gateway that binds tool calls to verified user authority via HMAC-SHA256 signatures and role-based policies, blocking deceived agents from executing actions beyond granted permissions rather than trusting the model's own refusals over unverifiable text context.
  • πŸ“„ Steerability via Constraints: A Substrate for Scalable Oversight of Coding Agents β€” Winninger, ICML 2026 Deep Learning for Code Workshop. Argues the controls long used to manage large human engineering teams β€” access control, network policies, tooling-enforced coding conventions β€” transfer directly to unconstrained coding agents (whose autonomy introduces security risks) and are cheaper in tokens than agentic scaffolding; a controlled experiment shows a small reviewer's recall on 11 inserted backdoors rising from 54.5% to 90.9% when given a constrained substrate plus a ~200-LoC docs CLI.
  • πŸ“„ Context-to-Execution Integrity for LLM Agents β€” Santos-Grueiro, 2026. CXI is an execution-boundary system that marks protected sink fields, carries narrow validated values from writable context via typed releases, keeps evidence in opaque data slots, and admits a tool call only when field authority, exact-effect authorization, and invocation authority all bind to the same action manifest β€” yielding zero field/effect/invocation escapes across 720 AgentDojo episodes and 400 code-agent episodes.
  • πŸ“„ Reason Less, Verify More: Deterministic Gates Recover a Silent Policy-Violation Failure Mode in Tool-Using LLM Agents β€” Reddy et al., 2026. Identifies "silent wrong-state" failures where policy-permissive tools execute forbidden state transitions without any error, and shows lightweight deterministic read-only pre-execution gates raise τ²-bench airline success from 29.6% to 42.0% by blocking policy-violating writes at the action boundary.
  • πŸ“„ ScopeJudge: Cost-Aware Pre-Execution Gating for Offensive Security Agents β€” Caldwell et al., 2026. Pre-execution gate in which a lightweight LLM judge inspects each offensive-security agent tool call against the engagement scope inferred from the user's request β€” treating the boundary as intent-declared rather than a fixed policy β€” to block out-of-scope actions before they execute.

Runtime Monitoring & Sandboxing

Input/Output Validation

Formal Verification & Analysis

Evaluation & Red Teaming

Benchmarks & Datasets

Benchmark Focus Size Paper
ASB Comprehensive agent security 10 agents, 398 envs Zhang et al.
InjecAgent Indirect prompt injection 1,054 test cases Zhan et al.
R-Judge Safety risk awareness 162 records, 27 scenarios Yuan et al.
ToolSword Tool learning safety 6 scenarios, 3 stages Ye et al.
AgentDyn Dynamic prompt injection Open-ended, extensible Li et al.
SkillSafetyBench Skill-mediated agent safety 155 cases, 47 tasks Jin et al.
SkillVetBench Security risk eval of open-source agent skills Live leaderboard Hossain et al.
SCR-Bench Skill composition risk Multi-skill chains Xie et al.
SafeClawBench Staged harm in tool-using agents 600 adversarial tasks Tian et al.
ToolPrivacyBench Purpose-bound privacy in tool-using agents 2,150 cases Hu et al.
TAB Selective cue following in terminal agents 89 terminal tasks Mavali et al.
Skill-Inject Skill file attacks Multi-scenario Schmotz et al.
NAAMSE Evolutionary agent security eval Adaptive red-teaming Pai et al.
AgentHarm Agent misuse 110 behaviors, 440 variants Andriushchenko et al.
SkillGuard Dataset Malicious skill detection 157 malicious skills Liu et al.
WIPI Web-based indirect injection Multi-scenario Liu et al.

Tools & Frameworks

Tool Description Link
Agent Memory Guard OWASP reference implementation for ASI06 (Memory Poisoning): runtime defense that screens every agent memory read/write through detectors + a declarative policy, with source-class provenance, forensic SecurityEvents, and snapshot rollback. LangChain/OpenAI-Agents/AutoGen/CrewAI/mem0 integrations GitHub
Bounty Sieve Offline-by-default bounty intake guardrail for coding agents: read-only GitHub issue/URL-list import, deterministic triage, local decision briefs, and human approval gates GitHub
SkillGuard LLM-native agent skill security auditor (OWASP Agentic + MITRE ATLAS) GitHub
Pipelock Open-source AI agent firewall and MCP-aware egress proxy with DLP, prompt injection scanning, process sandboxing, and mediator-signed action receipts GitHub
NemoClaw NVIDIA reference stack for running always-on AI agents more safely in sandboxes, with network policy, hardening, routed inference, and lifecycle controls GitHub
CubeSandbox Hardware-isolated (per-kernel) sub-60ms sandbox for secure AI agent code execution, with an out-of-sandbox credential vault, eBPF network isolation, and domain-allowlisted egress controls with audit logging GitHub
Invariant Guardrails Policy-based agent security guardrails GitHub
Armorer Guard Local Rust scanner for AI-agent prompt injection, credential redaction, sensitive-data requests, exfiltration-style text, and dangerous tool-call context GitHub
LLM Guard Input/output scanning for LLM applications GitHub
Rebuff Self-hardening prompt injection detector GitHub
NeMo Guardrails NVIDIA's toolkit for adding guardrails to LLM-based applications GitHub
Lakera Guard Enterprise prompt injection defense API Website
Promptfoo LLM red teaming and evaluation framework GitHub
Garak LLM vulnerability scanner GitHub
IPI-Proxy Intercepting proxy for red-teaming web-browsing agents against indirect prompt injection on live whitelisted domains GitHub
Tuning Engines CLI MCP server and CLI for governed agent/skill/tool access with policy checks, approvals, traces, and role-scoped registries GitHub
AgentSkillsScanner Static analysis scanner for agent skill definitions GitHub
SkillTotal Static, offline scanner for AI components (MCP servers, agent skills, npm/PyPI packages, repos): supply-chain risk, dangerous capabilities, prompt-injection, exfiltration; deterministic, evidence-anchored, SARIF + pre-commit/GitHub Action GitHub
SkilLock Behavior-pinning lockfile + capability-delta PR review for Claude Code & Codex skills; SARIF output for Code Scanning GitHub
agent-diff-guard Pre-push guardrail that flags high-risk coding-agent diffs such as CI/CD changes, dependency edits, test deletions, hardcoded secrets, and task-scope drift before merge GitHub
Skillid Policy-driven Claude Code plugin that combines skill guidance with per-tool hooks to enforce org guardrails, confirmation rules, redaction, and connector-specific access control GitHub
Agent Audit Security analysis system for LLM agent apps: dataflow analysis, credential detection, MCP config parsing, privilege-risk checks Zhang et al.
mcp-sec-audit MCP server security toolkit: static pattern matching + dynamic sandboxed fuzzing via Docker/eBPF for detecting over-privileged tool capabilities Huang et al.
Assay Harness CI gate that checks an agent's claimed tool side-effects (filesystem, network, process) against independently observed runtime evidence, classifying each claim as supported, degraded, blocked, or not-evaluable (observed support is the ceiling) GitHub
Agent Scan Snyk's scanner for local agent supply chains, covering MCP servers and skills with checks for prompt injection, tool poisoning, toxic flows, and malware-laced skill files GitHub
DScan Open-source agent security suite for runtime tool-call tracing, prompt-injection shielding, MCP audits, adversarial testing, and sequence-level attack detection GitHub
Sayfos SDK Runtime guardrail SDK for AI agents with provenance checks, budget governance, plan preflight, and adjudication tokens before high-risk tool actions GitHub
PIC Standard Local-first standard and reference verifier that checks agent intent, provenance, and evidence at the action boundary and fails closed before high-impact tool calls; Python CLI, MCP/LangGraph/OpenClaw integrations, HTTP bridge, and a language-agnostic conformance suite GitHub
agent-sentinel eBPF/BPF-LSM prototype that monitors local agent behavior and atomically blocks prompt-injection-driven access to sensitive files at the kernel boundary GitHub
mcp-sploit Metasploit-style framework for authorized security testing of MCP servers and MCP security gateways, including enumeration and exploit modules for unsafe tool exposure GitHub
Clawvisor AI agent gateway for purpose-based authorization, credential vaulting, and audit logging β€” agents declare task scope, humans approve once, Clawvisor enforces on every request without the agent ever seeing credentials GitHub
trentclaw Security assessment skill for OpenClaw environments: scans gateway config, skill permissions, MCP trust boundaries, and plugins, and correlates them into chained attack paths with severity-ranked remediation steps GitHub
Nobulex Trust Capital scoring layer for AI agents: bilateral Ed25519 receipts (pre- and post-execution signatures), content-addressed via action_ref and hash-chained per RFC 8785, that accumulate into a published 300-850 reputation score gating agent autonomy. CTEF v0.3.2 14/14 conformance. Python + TypeScript SDKs. Receipt-signing approach merged into Microsoft AGT. GitHub

Agent Skill Specifications

Specification Org Focus
AgentSkills.io Open Standard Agent skill definition and security requirements
Model Context Protocol (MCP) Anthropic Tool/resource integration protocol for LLMs
OpenAI Function Calling OpenAI Tool use specification for GPT models
Tool Use (Claude) Anthropic Claude's native tool use interface
LangChain Tools LangChain Tool abstraction for agent frameworks
AutoGPT Plugins AutoGPT Plugin system for autonomous agents
OpenAPI/Swagger Linux Foundation API specification commonly used as tool definitions

Industry Reports & Blog Posts

Related Awesome Lists

Contributing

Contributions are welcome! Please read the contribution guidelines before submitting a pull request.

How to Contribute

  1. Fork the repository
  2. Add your resource in the appropriate category
  3. Use the format: - πŸ“„ **[Title](URL)** β€” Authors, Venue Year. One-sentence description.
  4. Submit a pull request

Criteria

  • Resources must be directly related to agent/tool/skill security
  • Papers should be published or on arXiv
  • Tools should be actively maintained (commits within last 6 months)
  • Blog posts should provide substantial technical analysis

Citation

If you find this list useful in your research, please cite:

@misc{awesome-agent-skills-security,
  author = {Liu, Yi},
  title = {Awesome Agent Skills Security},
  year = {2026},
  publisher = {GitHub},
  journal = {GitHub Repository},
  howpublished = {\url{https://github.com/LLMSecurity/awesome-agent-skills-security}}
}

License

CC0

This list is released under CC0 1.0 Universal.

About

πŸ›‘οΈ A curated list of resources on agent skills security: attacks, defenses, frameworks, and benchmarks for securing AI agent tool use and skill ecosystems

Topics

Resources

Contributing

Stars

40 stars

Watchers

1 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors