LLM Agent Skill Composition Risks
Abstract
Skills are becoming the capability layer through which LLM agents turn plans into actions, but their use also introduces security risks, including data leakage, unauthorized operations, and tool misuse. Existing skill vetting typically reviews each skill in isolation, whereas real agent tasks often involve multiple skill invocations across a shared execution context. A risk therefore emerges: one skills output, trust signal, authorization cue, or side effect can be carried into a later skill invocation. We define this resulting gap as **SCR** ( **S** kill **C** omposition **R** isk): skills that appear benign under isolated evaluation can become harmful along an activated composition path. **SCR-Bench** ( **S** kill **C** omposition **R** isk Bench) is introduced to evaluate this risk in controlled, sandboxed skill environments. Instead of relying on the textual intent or surface-level behavior of individual skills, SCR-Bench records downstream state changes and path-level outcomes across activated skill paths. SCR-Bench contains three sub-benchmarks: **SCR-CapFlow** for capability-flow composition, **SCR-TrustLift** for trust-transfer composition, and **SCR-AuthBlur** for authorization-confusion composition. Across SCR-Bench, composed skill paths expose risks that are largely absent under isolated evaluation: in SCR-CapFlow, ASR reaches 33.6% under composition, compared with near-zero isolated baselines; in SCR-TrustLift, ASR reaches near saturation above 96.5% on four of five backends; and in SCR-AuthBlur, the risky-approval rate increases by 71.8% relative to the L0 isolated baseline under the L1 context setting. The experimental results reveal the core pattern of Benign in Isolation, Harmful in Composition, showing that agent skill security should be assessed at the level of activated paths rather than isolated artifacts. By introducing SCR and SCR-Bench, this work aims to support path-aware risk evaluation and defense in LLM agent skill ecosystems. Our benchmark is available at `https://github.com/saint-viperx/SCR_Bench` .