How hackers hijack AI agent skills to cause delayed damage
Yuting Ning, Zhehao Zhang, Yash Kumar Lal, Boyu Gou, Junyi Li, Weitong Ruan, Chentao Ye, Rahul Gupta, Diyi Yang, Yu Su, Huan Sun
June 1, 2026
Agents rely on third-party skills as building blocks, which creates a security blind spot. This work maps the full lifecycle of skill-based attacks, from immediate poisoning to time-delayed sabotage that mutates itself, and categorizes 12 risk types across the data, system, and autonomy layers. The authors built an automated pipeline to generate 879 adversarial examples across 71 real skills; most current defenses fail, and many apparent successes are false: the agent simply ignores the poisoned file rather than resisting it.