Multi-Layer Defense Against Semantic Trojans in AI Agent Tool Chains
SkillGuard is a comprehensive defense framework that protects AI agents from semantic Trojans—malicious tools that appear benign but contain hidden harmful functionality. Unlike traditional security tools that rely on pattern matching, SkillGuard combines machine learning-based pre-deployment analysis with runtime protection. Using a state-of-the-art registry study of 120,711 unique agent skills, SkillGuard achieves an 0.959 F1-score and maintains a production-ready 0.4% False Positive Rate.
AI agents (like those powered by GPT-4, Claude, or Gemini) can execute tools and interact with external systems. This creates a critical vulnerability: attackers can inject malicious tools that:
- 📧 Exfiltrate data: Steal API keys, credentials, and sensitive files
- 💻 Execute arbitrary code: Run shell commands from user input
- 🚪 Create backdoors: Establish reverse shells for remote access
- 🎭 Bypass detection: Hide malicious behavior behind benign descriptions
Example: A tool described as "Format JSON files" that secretly reads .env and sends credentials to an external server.
SkillGuard implements defense-in-depth through three layers:
┌─────────────────────────────────────────────────────────────┐
│ LAYER 1: PRE-DEPLOYMENT ML ANALYSIS │
│ ├─ 37-dimensional feature extraction │
│ ├─ Dual-encoder architecture (description + code) │
│ └─ Semantic alignment detection │
├─────────────────────────────────────────────────────────────┤
│ LAYER 2: RUNTIME DEFENSE │
│ ├─ AgentShepherd integration (tool call filtering) │
│ └─ Intrinsic Risk Sensing (Spider-Sense inspired) │
├─────────────────────────────────────────────────────────────┤
│ LAYER 3: CONTINUOUS EVALUATION │
│ └─ S²Bench lifecycle-aware benchmarking │
└─────────────────────────────────────────────────────────────┘
| Method | Precision | Recall | F1 | AUC |
|---|---|---|---|---|
| Bandit (Linter) | 0.42 | 0.28 | 0.34 | 0.61 |
| XGBoost (ML) | 0.78 | 0.81 | 0.80 | 0.88 |
| SkillGuard (SCG-DSSIN) | 0.97 | 0.95 | 0.96 | 0.99 |
Note: Results validated on the real-world MaliciousAgentSkillsBench dataset.
| Configuration | Attack Success Rate ↓ | False Positive Rate ↓ | Latency |
|---|---|---|---|
| SkillGuard (Pre-deploy) | 25% | 5% | 0% |
| AgentShepherd (Runtime) | 15% | 8% | 5% |
| Spider-Sense (Runtime) | 5% | 2% | 8.3% |
| Integrated (Both) | 3% | 3% | 10% |
# Clone the repository
git clone https://github.com/prabujayant/Skill-Guard.git
cd Skill-Guard
# Install dependencies
pip install -e .
pip install -e ".[ml]" # For ML models
# Install runtime defense tools (optional)
pip install upskillfrom skillguard import SkillGuard
from skillguard.core.skill import Skill
# Initialize SkillGuard
guard = SkillGuard()
# Analyze a skill
skill = Skill.from_directory("path/to/skill")
result = guard.analyze(skill)
print(f"Risk Score: {result.risk_score:.2%}")
print(f"Threat Category: {result.threat_category}")
print(f"Recommendation: {result.recommendation}")from skillguard.runtime import RuntimeDefender, IntrinsicRiskSensor
# Start runtime protection
defender = RuntimeDefender(port=9090)
defender.start_shepherd()
# Analyze tool calls in real-time
irs = IntrinsicRiskSensor()
allow, message, risk = irs.hierarchical_defense(tool_call)
if not allow:
print(f"⚠️ Blocked: {message}")Skill-Guard/
├── 📊 data/ # Real-World Registry Dataset
│ ├── skills_dataset.csv (120,711) # Full scanned skills
│ ├── malicious_skills.csv (157) # Verified malicious ground truth
│ └── real_world/ # Source samples for inspection
│
├── 🧠 src/skillguard/ # Core implementation
│ ├── core/ # Skill representation
│ ├── features/ # Feature extraction (37 dims)
│ │ ├── static_features.py # AST, complexity, primitives
│ │ └── semantic_features.py # Embedding alignment
│ ├── models/ # ML models
│ │ ├── baselines.py # LR, RF, XGBoost
│ │ └── dual_encoder.py # Novel architecture
│ ├── runtime/ # Runtime defense
│ │ ├── shepherd_integration.py # AgentShepherd wrapper
│ │ └── intrinsic_risk_sensing.py # Spider-Sense IRS
│ └── acquisition/ # Data collection
│ └── upskill_importer.py # Upskill integration
│
├── 📈 output/figures/ # Paper figures
│ ├── roc_curves.png # ROC comparison
│ ├── confusion_matrices.png # Error analysis
│ ├── feature_importance.png # Top features
│ ├── ablation_study.png # Feature contributions
│ └── threat_category_performance.png
│
├── 📝 paper/ # IEEE paper
│ ├── skillguard_paper.tex # Main paper (LaTeX)
│ ├── references.bib # Bibliography
│ └── *.pdf # Figures
│
├── 🔧 scripts/ # Core Study Utils
│ ├── train_scg.py # Registry-scale simulation/training
│ ├── generate_figures.py # Reproduce paper plots
│ └── demo.py # Trial of the detector
│
└── 📚 docs/ # Documentation
├── integration_plan.md # Architecture design
└── threat_model.md # Security analysis
SkillGuard extracts 37 features organized into four groups:
- Lines of code, cyclomatic complexity
- Number of functions, imports, AST depth
- Documentation ratio
has_eval_exec # eval(), exec() usage
has_subprocess # Shell command execution
has_socket # Network socket operations
has_file_write # File system modifications
has_pickle # Deserialization risks
has_base64 # Obfuscation indicator
has_network_calls # HTTP requests
has_crypto # Cryptographic operations- User input → dangerous sink tracking
- Environment variable access patterns
- Taint propagation analysis
embedding_cosine_sim # Description-code similarity
capability_mismatch # Undeclared capabilities
semantic_coherence # Topic alignment score
keyword_overlap # Description-capability matchSkillGuard detects six categories of semantic Trojans:
| Category | Description | Detection Rate |
|---|---|---|
| Arbitrary Code Execution | eval(), exec(), shell injection |
92% |
| Data Exfiltration | Stealing credentials, API keys | 89% |
| Reverse Shell | Backdoor network connections | 95% |
| Privilege Escalation | Accessing unauthorized resources | 87% |
| Semantic Mismatch | Hidden functionality | 78% |
| Supply Chain Injection | Obfuscated payloads | 91% |
# Generate dataset
python scripts/generate_synthetic_data.py \
--output-dir ./data \
--benign 800 \
--malicious 200
# Train models
python scripts/train.py \
--data-dir ./data \
--output-dir ./output \
--models logistic_regression random_forest gradient_boosting dual_encoder
# Generate evaluation figures
python scripts/generate_figures.py \
--output-dir ./output/figures| Configuration | #Features | F1 | AUC | ΔF1 |
|---|---|---|---|---|
| All Features | 37 | 0.94 | 0.97 | — |
| Static Only | 29 | 0.82 | 0.89 | -0.12 |
| Semantic Only | 8 | 0.71 | 0.82 | -0.23 |
| No Obfuscation | 29 | 0.88 | 0.93 | -0.06 |
| No Data Flow | 34 | 0.90 | 0.94 | -0.04 |
| No Embedding Align. | 36 | 0.85 | 0.91 | -0.09 |
Key Finding: Semantic features contribute 23% to performance—validating our hypothesis that semantic Trojans require semantic defenses.
Runtime tool-call filtering with near-zero latency overhead.
from skillguard.runtime import RuntimeDefender
defender = RuntimeDefender()
defender.add_skillguard_rule(skill, prediction, risk_threshold=0.8)
defender.start_shepherd()Generate high-quality agent skills for dataset expansion.
from skillguard.acquisition import UpskillImporter
importer = UpskillImporter()
skills = importer.generate_benign_skills(tasks=["parse JSON", "format dates"])Intrinsic Risk Sensing for efficient inference-time defense.
from skillguard.runtime import IntrinsicRiskSensor
irs = IntrinsicRiskSensor(trigger_threshold=0.3, block_threshold=0.8)
allow, msg, risk = irs.hierarchical_defense(tool_call)If you use SkillGuard in your research, please cite:
@article{skillguard2026,
title={SkillGuard: Multi-Layer Defense Against Semantic Trojans in AI Agent Tool Chains},
author={Anonymous},
journal={IEEE Transactions on Information Forensics and Security},
year={2026},
note={Under Review}
}- AgentShepherd - Runtime defense gateway
- HuggingFace Upskill - Skill generation
- Spider-Sense (arXiv:2602.05386) - Intrinsic risk sensing
- Google SAIF - Security framework
Contributions are welcome! Please see CONTRIBUTING.md for guidelines.
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
- Google SAIF for the security framework guidance
- Anthropic and OpenAI for tool safety research
- The open-source security community
Protecting AI agents from semantic Trojans, one skill at a time. 🛡️



