Skip to main content
Writing
·Paper Review·10 min read

Skills That Don't Exist: A Large-Scale Study of Hallucinated Skill Recommendation in LLM Agents

As autonomous AI agents shift from static code generation to dynamic capability acquisition, they increasingly rely on modular plug-ins or "skills"—collections of natural-language instructions and tools typically stored in standard SKILL.md configurations.

Generated by my automated review pipeline and spot-checked before publication — how it works.

Contents

Image generated by AI

TLDR

  • What: Attackers can pre-register malicious configurations on open agent registries under specific, predictable, and persistently hallucinated skill names, transforming natural language generation flaws into a zero-click software supply-chain hijacking vector.
  • Who's at risk: Autonomous LLM coding assistants and developer agents (e.g., Claude Code, Codex, OpenClaw, OpenCode) that dynamically fetch and install modular capabilities from unverified registries like ClawHub and SkillsMP.
  • Key number: Across 15,000 prompts, every single evaluated model and agent configuration hallucinated, with an average hallucination rate of 36.9% for agents, rising to 43.1% on real-world developer queries and peaking at 50.1% on Stack Exchange.

As autonomous AI agents shift from static code generation to dynamic capability acquisition, they increasingly rely on modular plug-ins or "skills"—collections of natural-language instructions and tools typically stored in standard SKILL.md configurations. Popularized by Anthropic’s Agent Skills standard in late 2025 and adopted by platforms like OpenAI, developer environments now routinely delegate the discovery and installation of these skills to the agent itself.

However, a critical security study by Yuan et al. (arXiv:2607.12340v1) reveals that this delegation rests on a dangerous assumption: that recommended tools actually exist. In reality, LLM agents consistently invent plausible-sounding but non-existent skill names. Because open registries rarely verify publishers, an adversary can query public instances of these agents to harvest persistent hallucinations, register malicious payloads under those names, and sit back as victim agents automatically fetch and execute them via prompt injection or direct code execution.


Threat Model

Attacker Ordinary external actor with standard black-box API access to public LLMs and the ability to register repositories on open public skill registries (e.g., ClawHub, SkillsMP).
Victim LLM-based autonomous coding agents (e.g., Claude Code, OpenClaw, OpenCode) configured to fetch and execute recommended skills to solve complex developer queries.
Goal Achieve persistent execution of malicious instructions inside the victim agent's execution context, allowing data exfiltration, system access, or workspace compromise.
Budget Minimal cost. Requires only querying public APIs to gather common hallucinated names, creating matching public repositories, and registering them on unverified catalogs.
                       [ 1. Attacker queries public agents ]
                                       │
                                       ▼
                       [ 2. Collects recurrent fake names ]
                                       │
                                       ▼
                     [ 3. Pre-registers malicious SKILL.md ]
                         (e.g., "ghost-skill" on ClawHub)
                                       │
               ┌───────────────────────┴───────────────────────┐
               ▼                                               ▼
 [ 4. Victim asks agent for task ]               [ 5. Agent recommends "ghost-skill" ]
               │                                               │
               └───────────────────────┬───────────────────────┘
                                       ▼
                    [ 6. Agent installs and runs payload ]
                    (Unrestricted prompt injection / code exec)

Background & Problem Setup

The threat of LLM generation errors hijacking the software supply chain is not entirely new. Prior literature has explored package hallucination in code generation contexts (e.g., PyPI and npm package squatting). However, agent skill hallucination presents a fundamentally different challenge because of the execution environment and trust boundaries.

The table below contrasts the threat of Skill Name Hallucination against related vulnerabilities:

Dimension Skill Name Hallucination (Yuan et al.) Package Hallucination (Spracklen et al. [51]) PoisonedRAG (Zou et al. [58])
Primary Target Natural language SKILL.md instructions in agent frameworks. Compiled/interpretable code packages (npm, PyPI). Vector databases and semantic search indices.
Execution Vector The agent recommending the skill is the same agent that automatically installs and executes it. Developer manually runs a build tool or dependency resolver. The LLM retrieves poisoned text chunks during retrieval generation.
Attacker Payload Plain-language instructions (indirect prompt injection) or system commands. Executable code (Python, JS, binary exploits). Adversarial token sequences or prompt overrides.
Defense Type Cryptographic registry validation, namespace reservation. Typosquatting filters, metadata analysis, code signing. Embedding guardrails, query purification, token filters.

Methodology

To measure the exploitability of this attack vector, the authors designed a three-stage measurement pipeline:

  1. Prompt Construction: Synthesized a dataset of 15,000 prompts split into two domains:
    • Community Prompts (5,000): Real-world technical queries mined from Stack Exchange, Reddit, and Hacker News containing intent for skill/tool discovery.
    • Skill Description Prompts (10,000): Formulated from real, highly rated skills indexed on SkillsMP, used to test whether the agent can locate a known-to-exist skill from its description.
  2. Recommendation Generation: Evaluated 12 configurations spanning 4 standalone LLM APIs (GLM-4.5-Air, GPT-5.4-mini, Claude Sonnet 4.6, Claude Opus 4.7) and 8 agent configurations (Claude Code, Codex, OpenClaw, and OpenCode powered by various open-weight backends like Qwen 3.5 9B and Granite 3.3 8B).
  3. Skill Name Validation: Passed generated names through a strict two-stage verification process:
    • Registry Verification: Checked against a broad master index of over 1.7 million skills scraped from SkillsMP, ClawHub, and developer repos.
    • Expanded GitHub Verification: For any unresolved name, the pipeline queried the GitHub Code Search API to check if a corresponding SKILL.md file existed with matching front-matter metadata, ensuring newly created real skills were not misclassified as hallucinations.

The primary metric, Hallucination Rate, is calculated over unique recommended skill names (excluding extraction artifacts like paths or URLs) to avoid duplicate counting:

Hallucination Rate=rR1[r is hallucinated]R\text{Hallucination Rate} = \frac{\sum_{r \in R} \mathbb{1}[r \text{ is hallucinated}]}{|R|}

Key Results

The evaluation yielded a clear, concerning result: every single configuration evaluated hallucinates skill names.

As detailed in Table 2, hallucination rates averaged 36.0% for standalone LLMs and 36.9% for agents.

Per-Configuration Hallucination & Output Rates

System Type Configuration / Model Web Search Status Unique Recomm. Verified Real Hallucinated Hallucination Rate (%) No-Output Rate (%)
LLM API Claude Sonnet 4.6 Enabled 6,039 2,970 2,982 49.4% 26.6%
LLM API GPT-5.4-mini Enabled 5,602 5,207 363 6.5% 52.5%
LLM API GLM-4.5-Air Enabled 5,771 2,695 2,965 51.4% 46.0%
LLM API Claude Opus 4.7 Disabled 2,051 1,292 753 36.7% 56.8%
Agent Claude Code Sonnet 4.6 Enabled 234 153 81 34.6% 90.9%
Agent OpenClaw GPT-5.4-mini SearXNG (MCP) 4,677 3,355 1,193 25.5% 56.1%
Agent OpenCode GPT-5.4-mini SearXNG (MCP) 1,231 898 287 23.3% 92.2%
Agent Codex GPT-5.3-Codex Enabled 3,770 2,601 1,100 29.2% 76.2%
Agent OpenCode Ministral-3 8B SearXNG (MCP) 4,830 1,276 2,994 62.0% 81.8%
Agent OpenCode Granite 3.3 8B SearXNG (MCP) 4,874 2,027 2,693 55.3% 69.0%
Agent OpenCode Qwen 3.5 9B SearXNG (MCP) 4,551 2,716 1,719 37.8% 80.0%
Agent OpenCode Nemotron-Cascade-2 30B SearXNG (MCP) 4,389 3,094 1,208 27.5% 69.3%

Critical Analytical Insights

  • The Illusion of Safety: Standalone GPT-5.4-mini achieves a deceptively low 6.5% hallucination rate. However, this is because it returns no output for 52.5% of the prompts. Similarly, Claude Code yields a 90.9% no-output rate, recommending only 234 unique names across the entire corpus. When these conservative systems do venture an answer, a significant fraction remains completely fabricated.
  • The Failure of Web Search: Intuitively, giving agents access to web search tools should ground their recommendations. In practice, search tools fail to prevent hallucinations. Models search for their hallucinated phrases (such as file-system-operations or text-editor-tool), receive abundant web results discussing those concepts, and misinterpret those results as confirmation that a package with that exact name exists in the registry.
               [ LLM generates "file-system-operations" ]
                                   │
                                   ▼
                [ Search query returns conceptual blogs ]
                                   │
                                   ▼
              [ LLM assumes: "Conceptual blogs exist, ]
                 therefore registered skill must exist"
  • Evasion of Standard Typosquatting Filters: Traditional defenses look for minor misspellings (Levenshtein distance of 1 or 2). As Figure 9 shows, the median edit distance of hallucinated skill names from any real skill is 6 (with a mean distance of 6.85). Because models generate semantically logical capability descriptions (e.g., kubernetes-progressive-delivery) rather than typos, traditional typo-filters are blind to them.

Defense Evaluation: The Security vs. Utility Trade-off

The researchers systematically evaluated four model-level defensive strategies on a subset of 2,000 prompts: RAG-grounding, Self-Refinement, combined RAG + Self-Refinement, and Multi-Model Voting Consensus.

Mitigation Performance & Utility Impact

Defense Strategy Average Hallucination Rate Average No-Output Rate Best Model Real-Skill Recall
Baseline 40.8% 73.9% ~20%
Self-Refinement 33.2% 87.4% Significant utility drop
RAG Grounding 3.2% 68.0% < 16% (1 in 6)
RAG + Self-Refinement 2.7% 79.4% Critical utility drop
Voting (N=2 Consensus) Eliminates 92.8% of hallucinations N/A 44.8% (of real skills retained)

While RAG successfully drops the average hallucination rate from 40.8% to 3.2%, it cripples the agent's utility. Even the most optimized RAG-defended agent recommends the correct skill only about 16% of the time (one out of every six times). The systems become "safe" mainly by refusing to provide answers, rendering them largely useless for discovery.


Limitations & Open Questions

  1. Assumed Sandbox Exploitation Path: The study demonstrates that Claude Code can be tricked into successfully searching for, pulling down, and installing an attacker-controlled mock capability (classification-model-builder). However, the authors ethically omitted a full end-to-end sandbox breakout or compromise payload, leaving the exact runtime execution limits of modern agent sandboxes open for further study.
  2. Web-Search Grounding Logic: The failure of web-search grounding stems from the agent's inability to distinguish between discussions about a topic and the formal existence of a package. A highly specialized agent web-search module restricted specifically to querying registry API endpoints remains unstudied here.
  3. Registry-Level Countermeasures: The study focuses primarily on model-level mitigations, proving they are insufficient. It highlights the urgent need for structural, registry-level solutions but does not evaluate their operational performance at scale.

What Practitioners Should Do

If you deploy, develop, or manage autonomous LLM agents (such as Claude Code, Codex environments, or custom OpenClaw/OpenCode agents), implement these controls immediately:

1. Disable Auto-Installation of External Capabilities

Never allow agents to automatically run installation scripts based on generated recommendations. Enforce a strict interactive prompt that displays the repository owner and source URL before pulling remote configurations.

2. Implement Strict Exact-Match White-listing for Tool Discovery

Instead of permitting the LLM to generate raw strings as tool names, decouple discovery from generation. Query an explicit, local, or verified database of available tools using exact-match schemas, and intercept any agent recommendation that fails registry-level exact-match verification.

3. Pre-emptively Block Semantic Capability Names (Namespace Reservation)

Registry maintainers should proactively register and reserve generic capability terms that models are highly prone to hallucinating. Prevent public publishers from registering packages named:

  • file-system-operations
  • text-editor-tool
  • classification-model-builder
  • Common utility titles mimicking OS configurations.

4. Enforce Verified Recommendation Pipelines and Signature Checks

Treat agent skills like third-party software dependencies. Enforce strict signature validation and cryptographic verification at the registry level. As recommended by the authors, closing this attack vector ultimately requires registry-level name reservation and verified recommendation pipelines to ensure agents only execute trusted code.


The Takeaway

Skill name hallucination represents a systemic vulnerability where the creative capacity of LLMs conflicts directly with the strict predictability required for software supply chains. Relying on "smarter" base models or multi-agent verification will not close this loop; as long as registries trust anonymous publishers and agents blindly execute natural-language tools, attackers can exploit these persistent hallucinations. True mitigation demands moving away from open-ended agent autonomy toward rigid, verified, and signature-validated recommendation pipelines.


Den's Take

This paper exposes a glaring, systemic vulnerability in how we design autonomous environments. We’ve rushed to give developer agents the autonomy to dynamically fetch modular capabilities, yet we’ve failed to secure the basic discovery mechanism. What concerns me most isn't just that models hallucinate, but the sheer predictability and persistence of these generation errors. An average hallucination rate of 36.9% for agents—peaking at a staggering 50.1% on real-world Stack Exchange queries—means attackers don't need sophisticated exploits; they just need to pre-register squatting configurations on unverified registries like ClawHub or SkillsMP.

This threat aligns closely with the dynamic execution and supply-chain vulnerabilities identified by Qu et al. [43], who studied malicious logic embedded in skill documentation, and Liu et al. [31], who analyzed agent skills vulnerabilities at scale.

If we continue to let autonomous systems resolve and execute unverified SKILL.md configurations without cryptographic verification or strict sandboxing, we are leaving the door wide open for zero-click supply-chain hijacking. The industry must start treating dynamic skill loading with the same hostility as unvalidated user input.

Share

Comments

Page views are tracked via Google Analytics for content improvement.