Agent Skills is an emerging open standard that defines a modular, filesystem-based packaging format enabling LLM-based agents to acquire domain-specific expertise on demand. Despite rapid adoption across multiple agentic platforms and the emergence of large community marketplaces, the security properties of Agent Skills have not been systematically studied. This paper presents the first comprehensive security analysis of the Agent Skills framework. We define the full lifecycle of an Agent Skill across four phases -- Creation, Distribution, Deployment, and Execution -- and identify the structural attack surface each phase introduces. Building on this lifecycle analysis, we construct a threat taxonomy comprising seven categories and seventeen scenarios organized across three attack layers, grounded in both architectural analysis and real-world evidence. We validate the taxonomy through analysis of five confirmed security incidents in the Agent Skills ecosystem. Based on these findings, we discuss defense directions for each threat category, identify open research challenges, and provide actionable recommendations for stakeholders. Our analysis reveals that the most severe threats arise from structural properties of the framework itself, including the absence of a data-instruction boundary, a single-approval persistent trust model, and the lack of mandatory marketplace security review, and cannot be addressed through incremental mitigations alone.