AI · May 9

FORTIS: Benchmarking Over-Privilege in Agent Skills

arXiv:2605.09163 · 36.8
Predicted impact top 23% in AI · last 90 days
Originality Incremental advance
AI Analysis

For developers of LLM-based agents, this work highlights a critical security and safety issue where the skill layer, intended as an abstraction, becomes a source of privilege escalation.

The paper introduces FORTIS, a benchmark to evaluate over-privilege in LLM agent skills, finding that across ten frontier models, over-privileged behavior is the norm, with high failure rates in selecting and executing minimally sufficient skills, especially under realistic user interaction conditions.

Large language model agents increasingly operate through an intermediate skill layer that mediates between user intent and concrete task execution. This layer is widely treated as an organizational abstraction, but we argue it is also a privilege boundary that current models routinely exceed. We present FORTIS, a benchmark that evaluates over-privilege in agent skills across two stages: whether a model selects the minimally sufficient skill from a large overlapping library, and whether it executes that skill without expanding into broader tools or actions than the skill permits. Across ten frontier models and three domains, we find that over-privileged behavior is the norm rather than the exception. Models consistently reach for higher-privilege skills and tools than the task requires, failing at both stages at rates that remain high even for the strongest available models. Failure is especially severe under the ordinary conditions of real user interaction: incomplete specification, convenience framing, and proximity to skill boundaries. None of these requires adversarial construction. The results indicate that the skill layer, far from containing agent behavior, is itself a primary source of privilege escalation in current systems.
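
The two stages named in the abstract, sketched as a least-privilege audit. This is an added illustration, not code from the paper or the FORTIS benchmark. It assumes each skill declares a set of permitted tools and that privilege is ordered by set inclusion; the skill names, tool names and the `audit` helper are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Skill:
    name: str
    tools: frozenset  # tools this skill is permitted to invoke

# Constructed library of overlapping skills; all names are hypothetical.
LIBRARY = (
    Skill("read_invoice", frozenset({"fs.read"})),
    Skill("edit_invoice", frozenset({"fs.read", "fs.write"})),
    Skill("email_invoice", frozenset({"fs.read", "net.smtp"})),
    Skill("manage_billing",
          frozenset({"fs.read", "fs.write", "net.smtp", "shell.exec"})),
)

def minimal_sufficient(required, library=LIBRARY):
    """Skills covering `required` with no sufficient skill strictly below them."""
    ok = [s for s in library if required <= s.tools]
    return [s for s in ok if not any(o.tools < s.tools for o in ok)]

def audit(required, selected, calls, library=LIBRARY):
    """Audit one episode: stage 1 checks selection, stage 2 checks execution."""
    required = frozenset(required)
    skill = next((s for s in library if s.name == selected), None)
    if skill is None:
        raise ValueError(f"unknown skill: {selected}")
    # Stage 1: a narrower skill that still covers the task means over-privilege.
    narrower = sorted(m.name for m in minimal_sufficient(required, library)
                      if m.tools < skill.tools)
    # Stage 2: any tool call outside the selected skill's permitted set.
    escaped = sorted(set(calls) - skill.tools)
    return {
        "sufficient": required <= skill.tools,
        "narrower_skills": narrower,
        "escaped_calls": escaped,
        "over_privileged": bool(narrower or escaped),
    }
```

Run over logged agent episodes, `narrower_skills` flags a selection that a smaller skill would have satisfied, and `escaped_calls` flags execution that left the selected skill's tool set.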
