SkillMutator: attacks that hide between an agent skill's prose and its code
A June 2026 benchmark shows agent skills can be malicious in the interaction between their natural-language instructions and their scripts — passing both prompt-injection and code review while steering the agent to exfiltrate files.
In brief A benchmark released in June 2026 (arXiv:2606.14154) targets a blind spot in how agent skills are vetted. A skill pairs a natural-language specification with executable scripts, so a malicious skill does not need a poisoned prompt or obviously poisoned code — it can hide the harm in the interaction between the two. The prose describes a benign workflow while implicit directives steer the agent toward exfiltrating sensitive files, even when every script, read on its own, looks harmless. SkillMutator is the first benchmark for install-time detection of these language-and-code cross-modal attacks, and it ships a locally deployable scanner trained to catch them.
What is this?
Agent skills are a fast-growing extension mechanism. As Anthropic described when it published the format as an open standard in December 2025, a skill is a folder containing a SKILL.md file — natural-language instructions plus optional scripts, templates and resources — that an agent discovers and loads at runtime to get better at a specific task. The agent reads the prose to decide what to do and runs the bundled code to actually do it.
That dual nature is exactly what the June 2026 research probes. Because a skill’s real behavior depends on both its language instructions and its executable code, judging whether it is safe requires reasoning across both modalities at once. The paper calls this a language-and-code cross-modal attack surface, and argues it has been largely unmeasured: prior work tended to treat a skill either as a prompt-injection vector (look at the text) or as a static code artifact (scan the scripts), and so missed threats that only exist when the two are combined.
How it works
The attack lives in the gap between reading and running. An attacker ships a skill whose SKILL.md presents a plausible, benign workflow, while embedding implicit directives that reframe how the agent should use the accompanying scripts. Read in isolation, the scripts can look like ordinary utilities; read against the natural-language instructions, they become the mechanism for something the user never asked for — for example, quietly collecting and exfiltrating sensitive files during what is advertised as a routine task.
A text-only prompt-injection scanner does not see the code path being armed. A code-only static scanner does not see the intent encoded in the prose. Each single-modality check clears the skill, and the malicious composition slips through install-time review.
To measure the problem, the authors built SkillMutator, which they describe as the first benchmark for install-time detection of language-and-code cross-modal attacks on agent skills. It emulates an adversarial skill-mutation process spanning 13 attack categories and iteratively rewrites malicious skills using feedback from the scanner it is trying to defeat — so the benchmark stresses detectors against evasive, refined variants rather than a fixed set of easy samples.
On the defensive side, the paper proposes a four-phase reasoning-trajectory distillation framework. It takes the reasoning traces of a strong frontier “teacher” model and distills them, through four structured reasoning stages, into smaller open-weight models. The result is a scanner that can run locally at install time, which matters for two practical reasons the authors call out: it avoids sending potentially sensitive skill content to a third party, and it avoids the API cost of routing every skill install through a frontier model.
Why it matters
Skills are becoming a distribution channel — shared in repositories, bundled into products, passed between teams. The trust decision happens at install time, and today that decision is often made by a human skim or a single-modality scan. This work shows that neither is sufficient: a skill can be adversarially shaped to read clean and scan clean while still being harmful in operation. As skill marketplaces grow, the install-time gate is where a poisoned skill either gets caught or becomes a standing capability inside the agent.
It also reframes vetting. “The text has no injection” and “the code has no known-bad patterns” are two separate green lights that, together, still do not prove a skill is safe. The property that matters is cross-modal: what does this prose plus this code cause the agent to do?
Defenses
- Vet skills cross-modally, at install time. Evaluate the natural-language instructions and the bundled scripts together, asking what behavior the combination induces — not each modality in isolation. This is the specific gap the benchmark exists to measure.
- Prefer a local scanner for skill review. Running detection on-device at install avoids exposing skill contents to third parties and removes the per-install frontier-model cost — the exact trade-off the paper’s distilled open-weight scanner targets.
- Treat installed skills as untrusted code with an intent. Apply supply-chain discipline: pin and review versions, restrict which skills an agent may load, and sandbox skill execution so a script cannot reach secrets or the network unless the task genuinely requires it.
- Constrain capabilities the prose can invoke. Least-privilege on file access and egress limits what a benign-looking script, armed by hidden directives, can actually exfiltrate.
- Stress-test detectors against evasive variants. A scanner that catches obvious malicious skills may fail against ones refined with scanner feedback. Evaluate detection against adversarially mutated skills, not a static corpus.
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| SkillMutator paper | arXiv:2606.14154 | 2026-06 | First benchmark for install-time detection of language-and-code cross-modal attacks on agent skills |
| Attack surface | arXiv:2606.14154 | 2026-06 | 13 attack categories; malicious skills iteratively refined using scanner feedback |
| Defense | arXiv:2606.14154 | 2026-06 | Four-phase reasoning-trajectory distillation into open-weight models → locally deployable scanner |
| Agent Skills format | Anthropic engineering | 2025-12 | Skills pair SKILL.md natural-language instructions with executable scripts; open standard |
The lesson is not that agent skills are unsafe to use. It is that a skill’s safety is a property of its language and its code considered together, and that the moment to check it is before it is installed — with review that reasons across both modalities, not two single-modality passes that each wave it through.