Saved in:
Bibliographic Details
Main Authors: Zhang, Guijia, Yang, Shu, Gong, Xilin, Wang, Di
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2604.10286
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915933192192000
author Zhang, Guijia
Yang, Shu
Gong, Xilin
Wang, Di
author_facet Zhang, Guijia
Yang, Shu
Gong, Xilin
Wang, Di
contents Autonomous language-model agents increasingly rely on installable skills and tools to complete user tasks. Static skill auditing can expose capability surface before deployment, but it cannot determine whether a particular invocation is unsafe under the current user request and runtime context. We therefore study skill invocation auditing as a continuous-risk estimation problem: given a user request, candidate skill, and runtime context, predict a score that supports ranking and triage before a hard intervention is applied. We introduce STARS, which combines a static capability prior, a request-conditioned invocation risk model, and a calibrated risk-fusion policy. To evaluate this setting, we construct SIA-Bench, a benchmark of 3,000 invocation records with group-safe splits, lineage metadata, runtime context, canonical action labels, and derived continuous-risk targets. On a held-out split of indirect prompt injection attacks, calibrated fusion reaches 0.439 high-risk AUPRC, improving over 0.405 for the contextual scorer and 0.380 for the strongest static baseline, while the contextual scorer remains better calibrated with 0.289 expected calibration error. On the locked in-distribution test split, gains are smaller and static priors remain useful. The resulting claim is therefore narrower: request-conditioned auditing is most valuable as an invocation-time risk-scoring and triage layer rather than as a replacement for static screening. Code is available at https://github.com/123zgj123/STARS.
format Preprint
id arxiv_https___arxiv_org_abs_2604_10286
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle STARS: Skill-Triggered Audit for Request-Conditioned Invocation Safety in Agent Systems
Zhang, Guijia
Yang, Shu
Gong, Xilin
Wang, Di
Artificial Intelligence
Autonomous language-model agents increasingly rely on installable skills and tools to complete user tasks. Static skill auditing can expose capability surface before deployment, but it cannot determine whether a particular invocation is unsafe under the current user request and runtime context. We therefore study skill invocation auditing as a continuous-risk estimation problem: given a user request, candidate skill, and runtime context, predict a score that supports ranking and triage before a hard intervention is applied. We introduce STARS, which combines a static capability prior, a request-conditioned invocation risk model, and a calibrated risk-fusion policy. To evaluate this setting, we construct SIA-Bench, a benchmark of 3,000 invocation records with group-safe splits, lineage metadata, runtime context, canonical action labels, and derived continuous-risk targets. On a held-out split of indirect prompt injection attacks, calibrated fusion reaches 0.439 high-risk AUPRC, improving over 0.405 for the contextual scorer and 0.380 for the strongest static baseline, while the contextual scorer remains better calibrated with 0.289 expected calibration error. On the locked in-distribution test split, gains are smaller and static priors remain useful. The resulting claim is therefore narrower: request-conditioned auditing is most valuable as an invocation-time risk-scoring and triage layer rather than as a replacement for static screening. Code is available at https://github.com/123zgj123/STARS.
title STARS: Skill-Triggered Audit for Request-Conditioned Invocation Safety in Agent Systems
topic Artificial Intelligence
url https://arxiv.org/abs/2604.10286