AI agent skills are starting to look a lot like the open-source packages that broke the internet when one disappeared from npm.
Researchers analyzed over 1.43 million skills — reusable capability bundles that let large language models call external tools and services — and found that their dependency graphs are largely invisible. Skills pull in other skills, packages, and services without any formal manifest tracking who owns what or which version is installed. The team built a tool called SkillDepAnalyzer to map these "Agent Skill Supply Chains" (ASSCs), borrowing the Software Bill of Materials concept already standard in traditional software auditing. It substantially outperformed both a plain LLM baseline and existing package-centric SBOM tools at recovering accurate dependency graphs.
The findings matter because AI agents are being deployed in production workflows faster than anyone has built governance around them. Inspecting a single skill tells you almost nothing about what it actually pulls in — and the study found known malicious skills persisting inside dependency chains, invisible to developers who only looked at the surface layer. Concentrated reuse patterns mean one compromised skill can propagate risk across a large cluster of related workflows.
The recommendations — typed dependency manifests, lockfile-style records, and risk-warning audit commands — are the same playbook the software industry took a decade to adopt after npm and PyPI incidents. Agent infrastructure is roughly at the "copy-paste a package name from Stack Overflow" stage of maturity, which is not a comfortable place to be.