system: OPERATIONAL
← back to all hacks
DEFENSE MEDIUM NEW

Locate-and-Judge: attention-based detection of malicious agent skills

A June 2026 paper scans about 134,000 agent skills across three marketplaces and confirms 131 live malicious ones, using instruction-following attention to surface payloads hidden inside benign-looking skill files.

2026-07-04 // 6 min affects: llm-agents, agent-skills, skill-marketplaces, coding-agents

What is this?

A paper published on arXiv on 22 June 2026, “Detecting Malicious Agent Skills in the Wild using Attention” (University of Luxembourg), studies a supply-chain surface that has grown quickly and is barely defended: agent skills. A skill is a file-based package — a SKILL.md file with natural-language instructions and optional helper code — that an LLM agent loads on demand and executes with the user’s privileges. Skills circulate through third-party marketplaces, so an agent routinely acts on instructions written by an unknown author. A single malicious skill can exfiltrate data, hijack the agent, or persist as a foothold that activates only under specific triggers.

The authors make two contributions. First, a detection method, Locate-and-Judge, cheap enough to audit a whole marketplace rather than a sample. Second, and more sobering, a scan of roughly 134,000 live skills from three public marketplaces (Lobehub, Skills.sh, Clawhub.ai) that surfaced 131 human-confirmed malicious skills — installable today — a substantial share of which slip past existing scanners. The work is defensive by construction: it detects bad skills before they reach an agent’s context, and the authors disclosed every confirmed finding to the marketplaces before publishing.

How it works

The core difficulty is that classic prompt-injection defenses do not transfer to skills. Those defenses assume a boundary between trusted instructions and untrusted data. A skill has no such boundary — it is entirely a body of instructions, so a malicious command sits among many legitimate ones and inherits their authority. Attention-based injection detectors, which flag content that captures a model’s instruction-following attention, also degrade here because attention to instructions is expected everywhere in a skill.

Locate-and-Judge recovers the signal by separating localization from classification. A deterministic parser first splits the skill along its structural seams (headings, paragraphs, lists, code blocks, metadata). A lightweight “locator” — a small reader model — is then run over the whole skill and ranks each span by how strongly it draws instruction-following attention, keeping only the top handful. The premise is narrow but effective: for an injection to work, it must capture the reader’s attention, so it will rank among the most salient spans even when buried in benign text. Finally, a stronger zero-shot “judge” reads only those retained spans and decides whether any carries a malicious instruction; the skill is flagged if the top score crosses a calibrated threshold. Concentrating the expensive judgment on a few high-attention spans is what makes marketplace-scale scanning affordable.

Why it matters

The numbers are the point. The full marketplace scan cost about 34 dollars and sent roughly 2.8 times fewer tokens to the judge than reading every skill in full, while recovering more of the threats that matter. Of the 131 confirmed malicious skills, 82 were “hidden” — disguised as ordinary tools while carrying a payload. The method recovered 83% of that hidden class versus 45% for a full-content scan by the same judge, and the production scanners it was compared against missed almost all of the non-obvious cases. Among the disguised skills, the dominant goals were credential and secret theft and malicious installers that fetch and run code at install time; the paper describes real examples such as a “deployment prep” utility that sweeps .env, .pem, and .key files and uploads them without a prompt, and a “coding assistant” that decodes a base64 dropper to a curl | bash one-liner.

The broader lesson is that skill marketplaces are a live, under-audited supply chain, and the tools most teams rely on to vet skills are calibrated for keywords and clean instruction/data boundaries that hidden skills are written to defeat.

Defenses

Treat every third-party skill as untrusted code. A skill runs with the user’s privileges and its instructions carry real authority. Vet it before it ever loads into an agent’s context, not after.

Do not rely on keyword or regex scanners alone. Hidden malicious skills are authored specifically to defeat lexical patterns, and in this study the majority of them evaded production keyword scanners. Pair lexical checks with a model that reasons about intent.

Prefer semantic, span-level review at scale. The practical takeaway from Locate-and-Judge is that you can concentrate expensive analysis on the few spans that actually draw instruction-following attention, which makes reviewing a large catalog affordable rather than aspirational.

Watch for exfiltration and install-time execution. Credential sweeps of secret-bearing files and installers that fetch code from hard-coded IPs were the two dominant patterns. Flag skills that read .env/key material or run network installers during setup.

Keep a human in the loop on flagged skills. The method deploys at a conservative, review-every-alarm threshold. Automated detection narrows the haystack; a person should still confirm before allow-listing.

Account for what static review misses. Per-skill analysis does not catch cross-skill chains (a benign skill that tells the agent to install a malicious one), and single-line inline installers can slip past span segmentation. Combine static vetting with runtime monitoring and least-privilege isolation.

Status

ItemReferenceNotes
Core paperarXiv:2606.23416”Detecting Malicious Agent Skills in the Wild using Attention”, 22 June 2026
MethodSame paperLocate-and-Judge: attention locator (small reader LLM) + zero-shot judge on top-K spans
Wild scanSame paper~134k skills, 3 marketplaces; 131 confirmed malicious (82 hidden), ~83% precision, ≈$34
CostSame paper~2.84× fewer judge-input tokens than full-content scanning
RelatedarXiv:2602.06547”Malicious Agent Skills in the Wild” — large-scale empirical study (Feb 2026)
RelatedarXiv:2606.07131MalSkillBench — runtime-verified benchmark of malicious agent skills (June 2026)

The durable takeaway is that the skill marketplace is now a first-class supply-chain surface. Defenses built for the trusted-instruction / untrusted-data split do not apply when the whole artifact is instructions, so vetting has to reason about intent at the span level — cheaply enough to cover an entire catalog, and backed by human review of what it flags.

Sources