[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-85611-en":3,"doc-seo-85611-105":29,"detail-sidebar-cat-0-en-105":83},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},85611,3848291630094,"Emma Wilson","https://eur-avatar.wpscdn.com/davatar_085a072bc5b1113ac321206ff7593b45",6,"Technology","SkillGuard A Permission-Centric Framework for Agent Skill Security","Skills extend LLM agents with reusable instructions, scripts, data, and tool bindings, turning them into an active security principal that can reshape agent reasoning before tool calls and steer actions with real-world side effects. Current defenses separate inspection or tool-level constraints, leaving weak governance across skill intent, contextual influence, and runtime behavior. SKILLGUARD proposes a skill-centric permission framework with dual-plane regulation of context influence and action side effects, validated on 1,260 skills and adversarial SkillInject evaluations.","SkillGuard: A Permission-Centric Framework for  \nAgent Skill Security  \nShidong Pan 1∗†, Xiaoyu Sun2∗, Tianyi Zhang2 , Dianshu Liao2 , Kaiwen Yang2 , Zhenchang Xing 1 ,2  \n1 CSIRO, 2Australian National University  \narXiv :2606 .03024v2 [ cs .CR] 13 Jul 2026  \nAbstract—Skills extend LLM agents with reusable instructions, scripts, data, and tool bindings. This shift makes skills a new security principal in agent systems: a skill can alter the agent’s reasoning before any tool is called, and it can also steer the agent toward actions with concrete side effects. However, current skill ecosystems lack a permission model that captures this dual role. Existing defenses either inspect skill files before use or constrain individual tool calls during execution, leaving the connection between skill-level intent, contextual influence, and runtime behavior weakly governed. In this paper, we present SKILLGUARD, a skill-centric permission framework that treats skills as permission-bearing executable artifacts. SKILLGUARD introduces a dual-plane governance model that jointly regulates context influence and action side effects through skill manifests, runtime permission control, user interaction, and policy enforcement. We evaluate the permission taxonomy expressiveness on 1,260 real-world skills, and 99.93% of observed protected objects are covered. In adversarial evaluations on SkillInject dataset, SKILLGUARD reduces attack success rate from 35.3% to 20.7% for contextual injections and from 36.7% to 18.0% for obvious injections, while decently maintaining benign task completion. These results suggest that SKILLGUARD, as a skillcentric permission framework, can provide a practical foundation for improving the security of agent skill ecosystems.  \nIndex Terms—LLM agents, agent skills, permission framework, access control, skill security, AI security  \nI. INTRODUCTION  \nThe rapid evolution of large language model (LLM) agents has led to a new programming paradigm centered around agent skills: modular, reusable packages that encapsulate natural language instructions, code specification, tool bindings, scripts, and contextual dependencies [1], [2] . These skills are increasingly used to extend agent capabilities in real-world systems, enabling complex workflows such as software engineering [3], data analysis [4], and enterprise automation [5] . However, this shift also introduces a fundamentally new software security and privacy challenge: skills are not merely passive resources but active behavioral units that can shape both what an agent knows and what it does.  \nRecent studies have demonstrated that LLM agents are vulnerable to a wide range of attacks, including prompt injection [6], memory poisoning [7], and malicious tool usage [8], which can lead to unauthorized actions such as data exfiltration or financial transactions. These risks are further amplified in the skill-based ecosystem [9]–[11], where third-party or dynamically loaded skills may introduce hidden instructions,  \n† Shidong Pan completed most of this work while he was a visiting research scientist at CSIRO’s Data61  \n∗ Both authors contributed equally to this research  \nimplicit contextual dependencies, or transitive interactions across tools, agents, and external services. Skills are often loosely composed of natural language, code, and data. While such customized components provide flexibility and convenience for skill developers, their heterogeneous and semistructured nature poses significant challenges for program analysis, thereby limiting the ability to inspect, constrain, and verify their behavior across diverse attack surfaces. A further challenge is that unsafe behavior need not be adversarial. Even benign skills may induce accidental violations of security constraints because LLM agents operate nondeterministically [12],[13], and may select unsafe intermediate actions while attempting to complete an otherwise legitimate task.  \nThese challenges are particularly difficu","cbCaisTjkxdLmKma","https://ap.wps.com/l/cbCaisTjkxdLmKma","pdf",1954710,1,12,"English","en",105,"# Introduction\n## Agent skills and emerging security risks\n## Dual-plane governance problem","[{\"question\":\"What experimental evidence is reported for SKILLGUARD?\",\"answer\":\"The paper evaluates permission taxonomy expressiveness on 1,260 real-world skills and reports that SKILLGUARD covers 99.93% of observed protected objects, while adversarial SkillInject evaluations reduce attack success rates with maintained benign task completion.\"}]",1784204919,30,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":78,"head_meta":80,"extra_data":82,"updated_unix":27},"skillguard-a-permission-centric-framework-for-agent-skill-security","",{"@graph":35,"@context":77},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/technology/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/skillguard-a-permission-centric-framework-for-agent-skill-security/85611/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71],{"name":72,"@type":73,"acceptedAnswer":74},"What experimental evidence is reported for SKILLGUARD?","Question",{"text":75,"@type":76},"The paper evaluates permission taxonomy expressiveness on 1,260 real-world skills and reports that SKILLGUARD covers 99.93% of observed protected objects, while adversarial SkillInject evaluations reduce attack success rates with maintained benign task completion.","Answer","https://schema.org",{"og:url":51,"og:type":79,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":81,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":84},[85,89,93,97,102,105,110,114,119,122,126],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":86,"show_sort_weight":87,"slug":88},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":90,"show_sort_weight":91,"slug":92},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Exam",70,"exam",{"id":98,"doc_module":4,"doc_module_name":45,"category_name":99,"show_sort_weight":100,"slug":101},5,"Comic",60,"comic",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":103,"slug":104},50,"technology",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},7,"Healthcare",40,"healthcare",{"id":111,"doc_module":4,"doc_module_name":45,"category_name":112,"show_sort_weight":28,"slug":113},8,"Research & Report","research-report",{"id":115,"doc_module":4,"doc_module_name":45,"category_name":116,"show_sort_weight":117,"slug":118},9,"Religion & Spirituality",20,"religion-spirituality",{"id":117,"doc_module":4,"doc_module_name":45,"category_name":120,"show_sort_weight":117,"slug":121},"World Cup","world-cup",{"id":123,"doc_module":4,"doc_module_name":45,"category_name":124,"show_sort_weight":123,"slug":125},10,"Lifestyle","lifestyle",{"id":127,"doc_module":4,"doc_module_name":45,"category_name":128,"show_sort_weight":98,"slug":129},19,"General","general"]