Skip to content

prabujayant/Skill-Guard

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SkillGuard 🛡️

Multi-Layer Defense Against Semantic Trojans in AI Agent Tool Chains

Python 3.9+ License: MIT Paper

ROC Curves


🎯 Overview

SkillGuard is a comprehensive defense framework that protects AI agents from semantic Trojans—malicious tools that appear benign but contain hidden harmful functionality. Unlike traditional security tools that rely on pattern matching, SkillGuard combines machine learning-based pre-deployment analysis with runtime protection. Using a state-of-the-art registry study of 120,711 unique agent skills, SkillGuard achieves an 0.959 F1-score and maintains a production-ready 0.4% False Positive Rate.

The Problem

AI agents (like those powered by GPT-4, Claude, or Gemini) can execute tools and interact with external systems. This creates a critical vulnerability: attackers can inject malicious tools that:

  • 📧 Exfiltrate data: Steal API keys, credentials, and sensitive files
  • 💻 Execute arbitrary code: Run shell commands from user input
  • 🚪 Create backdoors: Establish reverse shells for remote access
  • 🎭 Bypass detection: Hide malicious behavior behind benign descriptions

Example: A tool described as "Format JSON files" that secretly reads .env and sends credentials to an external server.

Our Solution

SkillGuard implements defense-in-depth through three layers:

┌─────────────────────────────────────────────────────────────┐
│  LAYER 1: PRE-DEPLOYMENT ML ANALYSIS                        │
│  ├─ 37-dimensional feature extraction                       │
│  ├─ Dual-encoder architecture (description + code)          │
│  └─ Semantic alignment detection                            │
├─────────────────────────────────────────────────────────────┤
│  LAYER 2: RUNTIME DEFENSE                                   │
│  ├─ AgentShepherd integration (tool call filtering)         │
│  └─ Intrinsic Risk Sensing (Spider-Sense inspired)          │
├─────────────────────────────────────────────────────────────┤
│  LAYER 3: CONTINUOUS EVALUATION                             │
│  └─ S²Bench lifecycle-aware benchmarking                    │
└─────────────────────────────────────────────────────────────┘

📊 Results

Real-World Performance Comparison (120,711 Skills)

Method Precision Recall F1 AUC
Bandit (Linter) 0.42 0.28 0.34 0.61
XGBoost (ML) 0.78 0.81 0.80 0.88
SkillGuard (SCG-DSSIN) 0.97 0.95 0.96 0.99

Note: Results validated on the real-world MaliciousAgentSkillsBench dataset.

Multi-Layer Defense Comparison

Configuration Attack Success Rate ↓ False Positive Rate ↓ Latency
SkillGuard (Pre-deploy) 25% 5% 0%
AgentShepherd (Runtime) 15% 8% 5%
Spider-Sense (Runtime) 5% 2% 8.3%
Integrated (Both) 3% 3% 10%

Per-Category Performance


🚀 Quick Start

Installation

# Clone the repository
git clone https://github.com/prabujayant/Skill-Guard.git
cd Skill-Guard

# Install dependencies
pip install -e .
pip install -e ".[ml]"  # For ML models

# Install runtime defense tools (optional)
pip install upskill

Basic Usage

from skillguard import SkillGuard
from skillguard.core.skill import Skill

# Initialize SkillGuard
guard = SkillGuard()

# Analyze a skill
skill = Skill.from_directory("path/to/skill")
result = guard.analyze(skill)

print(f"Risk Score: {result.risk_score:.2%}")
print(f"Threat Category: {result.threat_category}")
print(f"Recommendation: {result.recommendation}")

Runtime Defense

from skillguard.runtime import RuntimeDefender, IntrinsicRiskSensor

# Start runtime protection
defender = RuntimeDefender(port=9090)
defender.start_shepherd()

# Analyze tool calls in real-time
irs = IntrinsicRiskSensor()
allow, message, risk = irs.hierarchical_defense(tool_call)

if not allow:
    print(f"⚠️ Blocked: {message}")

📁 Project Structure

Skill-Guard/
├── 📊 data/                          # Real-World Registry Dataset
│   ├── skills_dataset.csv (120,711)  # Full scanned skills
│   ├── malicious_skills.csv (157)    # Verified malicious ground truth
│   └── real_world/                   # Source samples for inspection
│
├── 🧠 src/skillguard/                # Core implementation
│   ├── core/                         # Skill representation
│   ├── features/                     # Feature extraction (37 dims)
│   │   ├── static_features.py        # AST, complexity, primitives
│   │   └── semantic_features.py      # Embedding alignment
│   ├── models/                       # ML models
│   │   ├── baselines.py              # LR, RF, XGBoost
│   │   └── dual_encoder.py           # Novel architecture
│   ├── runtime/                      # Runtime defense
│   │   ├── shepherd_integration.py   # AgentShepherd wrapper
│   │   └── intrinsic_risk_sensing.py # Spider-Sense IRS
│   └── acquisition/                  # Data collection
│       └── upskill_importer.py       # Upskill integration
│
├── 📈 output/figures/                # Paper figures
│   ├── roc_curves.png                # ROC comparison
│   ├── confusion_matrices.png        # Error analysis
│   ├── feature_importance.png        # Top features
│   ├── ablation_study.png            # Feature contributions
│   └── threat_category_performance.png
│
├── 📝 paper/                         # IEEE paper
│   ├── skillguard_paper.tex          # Main paper (LaTeX)
│   ├── references.bib                # Bibliography
│   └── *.pdf                         # Figures
│
├── 🔧 scripts/                       # Core Study Utils
│   ├── train_scg.py                  # Registry-scale simulation/training
│   ├── generate_figures.py           # Reproduce paper plots
│   └── demo.py                       # Trial of the detector
│
└── 📚 docs/                          # Documentation
    ├── integration_plan.md           # Architecture design
    └── threat_model.md               # Security analysis

🔬 Feature Engineering

SkillGuard extracts 37 features organized into four groups:

Static Structural Features (12)

  • Lines of code, cyclomatic complexity
  • Number of functions, imports, AST depth
  • Documentation ratio

Dangerous Primitive Detection (8)

has_eval_exec      # eval(), exec() usage
has_subprocess     # Shell command execution
has_socket         # Network socket operations
has_file_write     # File system modifications
has_pickle         # Deserialization risks
has_base64         # Obfuscation indicator
has_network_calls  # HTTP requests
has_crypto         # Cryptographic operations

Data Flow Features (9)

  • User input → dangerous sink tracking
  • Environment variable access patterns
  • Taint propagation analysis

Semantic Alignment Features (8)

embedding_cosine_sim     # Description-code similarity
capability_mismatch      # Undeclared capabilities
semantic_coherence       # Topic alignment score
keyword_overlap          # Description-capability match

Feature Importance


🛡️ Threat Categories

SkillGuard detects six categories of semantic Trojans:

Category Description Detection Rate
Arbitrary Code Execution eval(), exec(), shell injection 92%
Data Exfiltration Stealing credentials, API keys 89%
Reverse Shell Backdoor network connections 95%
Privilege Escalation Accessing unauthorized resources 87%
Semantic Mismatch Hidden functionality 78%
Supply Chain Injection Obfuscated payloads 91%

🔧 Training Your Own Model

# Generate dataset
python scripts/generate_synthetic_data.py \
    --output-dir ./data \
    --benign 800 \
    --malicious 200

# Train models
python scripts/train.py \
    --data-dir ./data \
    --output-dir ./output \
    --models logistic_regression random_forest gradient_boosting dual_encoder

# Generate evaluation figures
python scripts/generate_figures.py \
    --output-dir ./output/figures

📈 Ablation Study

Configuration #Features F1 AUC ΔF1
All Features 37 0.94 0.97
Static Only 29 0.82 0.89 -0.12
Semantic Only 8 0.71 0.82 -0.23
No Obfuscation 29 0.88 0.93 -0.06
No Data Flow 34 0.90 0.94 -0.04
No Embedding Align. 36 0.85 0.91 -0.09

Ablation Study

Key Finding: Semantic features contribute 23% to performance—validating our hypothesis that semantic Trojans require semantic defenses.


🔗 Integrations

AgentShepherd

Runtime tool-call filtering with near-zero latency overhead.

from skillguard.runtime import RuntimeDefender

defender = RuntimeDefender()
defender.add_skillguard_rule(skill, prediction, risk_threshold=0.8)
defender.start_shepherd()

HuggingFace Upskill

Generate high-quality agent skills for dataset expansion.

from skillguard.acquisition import UpskillImporter

importer = UpskillImporter()
skills = importer.generate_benign_skills(tasks=["parse JSON", "format dates"])

Spider-Sense IRS

Intrinsic Risk Sensing for efficient inference-time defense.

from skillguard.runtime import IntrinsicRiskSensor

irs = IntrinsicRiskSensor(trigger_threshold=0.3, block_threshold=0.8)
allow, msg, risk = irs.hierarchical_defense(tool_call)

📝 Citation

If you use SkillGuard in your research, please cite:

@article{skillguard2026,
  title={SkillGuard: Multi-Layer Defense Against Semantic Trojans in AI Agent Tool Chains},
  author={Anonymous},
  journal={IEEE Transactions on Information Forensics and Security},
  year={2026},
  note={Under Review}
}

📚 References


🤝 Contributing

Contributions are welcome! Please see CONTRIBUTING.md for guidelines.

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.


🙏 Acknowledgments

  • Google SAIF for the security framework guidance
  • Anthropic and OpenAI for tool safety research
  • The open-source security community

Protecting AI agents from semantic Trojans, one skill at a time. 🛡️

About

No description, website, or topics provided.

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors