技能非孤岛:测量智能体技能供应链中的依赖与风险

Skills Are Not Islands: Measuring Dependency and Risk in Agent Skill Supply Chains

精选理由

这篇论文像给智能体技能装了依赖扫描仪,用SBOM思路挖出143万+技能里的隐藏风险和安全漏洞。

AI 摘要

论文提出Agent Skill Supply Chains (ASSCs)概念,用于描述智能体技能的混合依赖图。作者设计SkillDepAnalyzer工具,在SKILL-DEP基准上准确恢复元数据和依赖图,优于LLM基线及SBOM工具。对143万+技能分析发现四种结构模式:元数据激活就绪但治理不足、依赖图跨技能包服务、递归复用扩展依赖、依赖集群围绕相关工作流。研究指出仅检视技能会遗漏依赖中的安全信号,并发现已知恶意技能在ASSCs中的持续存在。建议引入类型化依赖清单、依赖集群管理、风险警告命令和锁文件记录。

原文 · arXiv cs.AI

Skills Are Not Islands: Measuring Dependency and Risk in Agent Skill Supply Chains

Agent skills package reusable operational knowledge for Large Language Model (LLM) agents, yet as they grow in scope, they become dependency-bearing artifacts whose identities, versions, and provenance remain implicit. This opacity already causes duplicated dependencies and inconsistent installations, exposing a gap that dependency management has yet to close. We introduce Agent Skill Supply Chains (ASSCs) to characterize mixed skill-package-service dependency graphs and help close this gap. Borrowing from Software Bill of Materials (SBOMs), we design SkillDepAnalyzer to capture natural-language dependency evidence and model skills as dependency-bearing artifacts. On the SKILL-DEP benchmark, SkillDepAnalyzer recovers skill metadata and dependency graphs accurately and comprehensively, substantially outperforming an LLM-based baseline and package-centric SBOM tools. Applying SkillDepAnalyzer to over 1.43 million skills, we obtain ASSCs and explore their structural diversity and security signals. We find four structural patterns: skill metadata is activation-ready but governance-poor; dependency graphs span skill, package, and service dependencies with concentrated reuse; recursive skill reuse expands dependency graphs and creates hidden package inventory; and skill dependency clusters form around related workflows. We also find that inspecting a skill alone misses security-relevant signals hiding in its dependencies. By analyzing ASSCs, we identify and report known malicious skills persisting in ASSCs to their developers. Based on these findings, we recommend typed dependency manifests, first-class dependency-cluster management, risk-warning audit commands for skill infrastructure maintainers, and lockfile-like records for skill developers.