system: OPERATIONAL
← back to all hacks
SUPPLY CHAIN MEDIUM NEW

Agent skills carry hidden dependencies: transitive risk in skill supply chains

A July 2026 study of 1.43 million agent skills finds most security-relevant risk hides in transitive dependencies a reviewer never sees by reading the skill file alone.

2026-07-06 // 6 min affects: claude-skills, openai-codex-skills, llm-agents, mcp

What is this?

Agent skills — the reusable SKILL.md-style bundles that package operational know-how for LLM agents like Claude Code and OpenAI Codex — are usually reviewed as if they were single, self-contained documents. A study published on arXiv on 1 July 2026, Skills Are Not Islands: Measuring Dependency and Risk in Agent Skill Supply Chains (arXiv:2607.01136), argues that this mental model is wrong and increasingly dangerous. Skills are dependency-bearing artifacts: they reuse other skills, pull in software packages (npm, PyPI), and invoke external services (MCP servers). The authors snapshotted a public skill registry on 6 June 2026 — which listed 1,640,440 skills — and analysed the 1,434,046 they could download (about 87.4% of the listing), a corpus that had grown roughly ninefold in three months.

How it works

The paper builds a tool that reconstructs a skill’s full dependency graph from the natural-language install and usage instructions inside it, producing a “bill of materials” for each skill. Running it across the corpus reveals that a skill’s declared surface hides a much larger real one.

Direct dependencies are common but not the whole story: about 8.9% of skills directly depend on another skill, 15.5% on a package, and 22.3% on an external service. The problem is amplification. Because skills reuse other skills recursively, a single root skill can inherit a sprawling inventory it never names. The authors measure transitive-to-direct amplification ratios reaching a maximum of roughly 979× overall and 1,754× for packages; one orchestrator-style skill declaring only three skill dependencies ends up importing 1,938 components. Reuse is also highly concentrated — a narrow core of skills and packages is depended on by everything else, with inequality (Gini) even higher than in the npm ecosystem — so a handful of nodes are effective single points of failure. Nearly a third of dependency-bearing skills sit in dependency cycles or clusters, where a risky instruction in one member propagates to every skill that touches the cluster.

Why it matters

The security consequence is that reading a skill document is not enough. The authors report that 60–78% of security-relevant signals — remote payload execution, dangerous code patterns, prompt-injection text, credential-exfiltration and persistence behaviour — are inherited only through transitive dependencies, invisible to anyone inspecting the root skill. For a widely reused package the transitive-only share hits 98%, and for flagged vulnerable MCP services it reaches 93%. In concrete terms: agents run with real privilege (file I/O, shell, network), skills are installed with little mandatory review, and the actually risky code often lives two or three hops away from the file a human approved.

This is a measurement study, not a report of a new exploit, and the authors are careful to call their patterns “audit signals” rather than confirmed vulnerabilities. But it is not purely theoretical — while mapping the graph they found copies of previously reported malicious skills still persisting inside downstream repositories, and reported them to the relevant developers.

Defenses

The core lesson is to treat skills like any other software supply chain, and to resolve the whole graph before trusting the root.

Resolve dependencies before review, not just the skill file. Any vetting — human or automated — that stops at the root SKILL.md will miss most of the risk. Expand and inspect skill-to-skill, package, and service edges transitively.

Adopt typed dependency manifests. The authors recommend distinguishing skill, package, and service dependencies explicitly, each with source and version, so that what a skill actually pulls in is declarable and auditable rather than buried in prose.

Pin versions and keep lockfiles. Much of the inherited risk traces back to install instructions with no version pinning. Lockfile-like records that fix versions, source repositories, and paths let downstream users reproduce and audit the exact graph they are running.

Run a dependency audit command. By analogy with npm audit, skill package managers and registries should resolve the full graph and flag known-bad skills, vulnerable packages, and risky MCP services with the evidence path — including dependencies reached only transitively.

Manage clusters as first-class objects. Because tightly-coupled skill clusters share blast radius, treat cluster membership as a governance unit and verify compatibility and provenance at install time.

Status

AspectDetail
SourceSkills Are Not Islands (arXiv:2607.01136), submitted 1 July 2026
ClassSupply-chain measurement of agent skill ecosystems — transitive dependency risk
Corpus1,434,046 skills (~87.4% of a 1,640,440-skill registry snapshot, 6 June 2026)
Key finding60–78% of security-relevant signals inherited only via transitive dependencies
Related workSupply-chain poisoning of coding-agent skill ecosystems (arXiv:2604.03081)
NatureResearch/measurement finding — no CVE; audit signals, not confirmed in-the-wild exploitation of every flagged case

Sources