Credential Leakage Risks in LLM Agent Skills: Empirical Study

Credential Leakage in LLM Agent Skills: A Large-Scale Empirical Study

Source: arXiv:2604.03070v1 (announce type: cross)

Abstract: Third-party skills extend LLM agents with powerful capabilities but often handle sensitive credentials in privileged environments, making leakage risks poorly understood. We present the first large-scale empirical study of this problem, analyzing 17,022 skills (sampled from 170,226 on SkillsMP) using static analysis, sandbox testing, and manual inspection. We identify 520 vulnerable skills with 1,708 issues and derive a taxonomy of 10 leakage patterns (4 accidental and 6 adversarial).

The study reveals critical insights into the nature and mechanisms behind credential leakage in LLM agent skills. Our findings highlight that:

  • Cross-Modal Leakage: Leakage is fundamentally cross-modal, with 76.3% of issues requiring a joint analysis of code and natural language. This illustrates the complex interplay between code execution and natural language processing in LLM environments.
  • Prompt Injection Risks: A mere 3.1% of leaks arise from prompt injection attacks, emphasizing the need for robust input validation and sanitization measures to prevent unauthorized access to sensitive information.
  • Debug Logging Vulnerabilities: Debug logging emerged as the primary vector for credential leakage, with print statements and console.log calls responsible for 73.5% of leaks. This is largely because a skill's stdout is fed back to the LLM, so anything printed for debugging, a credential included, ends up in the model's context.
  • Exploitable and Persistent Leaks: A staggering 89.6% of leaked credentials are found to be exploitable without requiring any special privileges. Additionally, leaked secrets tend to be persistent, as forks of vulnerable skills often retain these credentials even after upstream fixes have been applied.
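The two accidental patterns the bullets above single out, hardcoded credentials and secret-bearing debug output reaching the LLM via stdout, are the kind of thing a static check can catch before a skill is published. The following is an added example written for this summary; it is not the paper's detection pipeline or dataset. It parses a Python skill with the standard `ast` module, flags string constants assigned to secret-named variables (or carrying a known key prefix), flags `print`/logging sinks whose arguments reference a secret-holding variable, and adds a small `redact` helper for the runtime side: masking known secret values in tool output before it is returned to the model. The two sample skills, the regexes, and the key value are constructed for illustration.

```python
"""Toy static check for credential-leak patterns in a Python 'skill'.

Added example, not the paper's tooling. Heuristics and samples are constructed.
"""
import ast
import re

# Variable names that usually hold a credential (constructed heuristic).
SECRET_NAME = re.compile(r"(api[_-]?key|secret|token|password|passwd|credential)", re.I)
# String values with a well-known key prefix (OpenAI, GitHub, AWS, Slack).
SECRET_VALUE = re.compile(r"^(sk-|ghp_|AKIA|xox[abp]-)[A-Za-z0-9_\-]{8,}$")
# Output sinks whose text a host typically feeds back into the LLM context.
SINK_CALLS = {"print", "logging.debug", "logging.info", "logger.debug",
              "logger.info", "sys.stdout.write"}


def _dotted(node):
    """Render a Name/Attribute chain as 'a.b.c'; None for other expressions."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _names_in(node):
    """All simple and dotted names referenced inside an expression (f-strings included)."""
    out = set()
    for n in ast.walk(node):
        d = _dotted(n) if isinstance(n, (ast.Name, ast.Attribute)) else None
        if d:
            out.add(d)
    return out


def find_leaks(source: str):
    """Return (kind, line, detail) findings for hardcoded secrets and logged secrets."""
    tree = ast.parse(source)
    findings, secret_vars = [], set()
    # Pass 1: hardcoded secrets, and the set of variables that hold a secret at all.
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and len(node.targets) == 1:
            target = _dotted(node.targets[0])
            if not target:
                continue
            secret_named = bool(SECRET_NAME.search(target))
            value = node.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str):
                if secret_named or SECRET_VALUE.match(value.value):
                    findings.append(("hardcoded_secret", node.lineno, target))
                    secret_vars.add(target)
            elif secret_named:
                secret_vars.add(target)  # e.g. read from os.environ into a secret-named variable
    # Pass 2: debug/log sinks whose arguments reference a secret-holding variable.
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            callee = _dotted(node.func)
            if callee in SINK_CALLS:
                referenced = set()
                for arg in node.args + [kw.value for kw in node.keywords]:
                    referenced |= _names_in(arg)
                for var in sorted(referenced & secret_vars):
                    findings.append(("secret_logged", node.lineno, f"{callee}({var})"))
    return findings


def redact(output: str, secret_values) -> str:
    """Runtime mitigation: mask known secret values in tool output before the LLM sees it."""
    for value in sorted(set(secret_values), key=len, reverse=True):
        if len(value) >= 8:  # skip short values that would shred ordinary text
            output = output.replace(value, "[REDACTED]")
    return output


# Constructed sample skills; the key below is a placeholder, not a real credential.
LEAKY_SKILL = '''import os
API_KEY = "sk-EXAMPLE0123456789abcdefghijk"  # constructed placeholder
db_password = os.environ["DB_PASSWORD"]

def run(query):
    print("debug: calling api with", API_KEY)    # stdout goes back to the LLM
    print(f"connecting as admin/{db_password}")
    return query
'''

FIXED_SKILL = '''import os
api_key = os.environ["SERVICE_API_KEY"]

def run(query):
    print("debug: calling api")
    return query
'''

if __name__ == "__main__":
    for kind, line, detail in find_leaks(LEAKY_SKILL):
        print(f"{kind:17s} line {line}: {detail}")
    print("fixed skill findings:", find_leaks(FIXED_SKILL))
```

Name-based heuristics produce false positives (a `TOKEN_URL` constant is flagged like a token), so in practice the static pass is a triage step, and `redact` is the last line of defence for whatever the reviewer missed: the host knows which values it injected into the skill's environment and can strip exactly those from stdout before the text enters the model's context.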

Following the disclosure of our findings, all identified malicious skills were promptly removed from the platform, and 91.6% of hardcoded credentials were successfully fixed. These actions underscore the immediate impact of our research and the importance of proactive security measures in the development of third-party skills.

To support ongoing research in this area, we are releasing our comprehensive dataset, detailed taxonomy of leakage patterns, and a detection pipeline. These resources are intended to assist developers, researchers, and organizations in understanding the risks associated with credential management in LLM environments and in developing more secure applications.

In conclusion, our large-scale empirical study sheds light on the critical issue of credential leakage in LLM agent skills. By analyzing a substantial dataset and identifying key vulnerabilities, we aim to foster a deeper understanding of the security challenges that accompany the integration of third-party skills into LLMs. Continued research and vigilance will be vital in mitigating these risks and ensuring the safe and secure deployment of AI technologies.


Author: Lazarus Omolua (https://richlyai.com/blog)