BadSkill: Backdoor Attacks on Agent Skills via Model-in-Skill Poisoning

Researchers demonstrate BadSkill, a backdoor attack that exploits AI agent ecosystems by embedding malicious logic in seemingly benign third-party skills. The attack achieves up to 99.5% success rate by poisoning bundled model artifacts to activate hidden payloads when specific trigger conditions are met, revealing a critical supply-chain vulnerability in extensible AI systems.

BadSkill exposes a fundamental architectural weakness in AI agent ecosystems that goes beyond traditional security concerns. As AI systems become increasingly modular with installable skills and plugins, the integration of pre-trained model artifacts within third-party extensions creates an attack surface that existing security frameworks don't adequately address. The research demonstrates that adversaries can craft skills that pass behavioral inspection while harboring models trained with semantic triggers—meaning malicious payloads activate only under specific input conditions that might go undetected during normal usage or limited testing.

This threat emerges from the broader trend of democratizing AI capabilities through composable, installable components. Organizations and individuals are building ecosystem-dependent AI systems similar to smartphone app stores or browser extensions, creating natural incentive structures for third-party skill development. However, unlike traditional software dependencies where code can be audited, verifying the safety of bundled neural network weights remains computationally intractable at scale. The research shows the attack maintains effectiveness across model sizes (494M to 7.1B parameters) and requires only 3% poison rate to achieve 91.7% attack success, demonstrating practical exploitability.

The implications ripple across AI infrastructure providers, enterprise deployments, and developers building on agent platforms. Organizations cannot reliably vet third-party skills without deep model inspection capabilities most lack. This creates market pressure for provenance verification tools, model transparency standards, and behavioral sandboxing solutions. The findings suggest that agent ecosystem platforms will need stronger verification mechanisms before widespread enterprise adoption, potentially slowing the deployment of extensible AI systems in security-sensitive contexts.

• →BadSkill achieves up to 99.5% attack success rate by embedding backdoors in AI agent skill models with semantic trigger conditions
• →The attack remains effective with minimal poisoning (3% poison rate yields 91.7% success) across eight model architectures from five families
• →Third-party model-bearing skills represent a distinct supply-chain vulnerability not addressed by existing prompt injection or plugin security frameworks
• →Organizations lack practical tools to audit neural network weights bundled in installable skills, creating significant verification gaps
• →The research motivates stronger provenance verification, behavioral vetting standards, and model transparency requirements for extensible AI ecosystems