Papers
Topics
Authors
Recent
Search
2000 character limit reached

POISE: Position-Aware Undetectable Skill Injection on LLM Agents

Published 6 Jun 2026 in cs.CR, cs.AI, and cs.CL | (2606.07943v1)

Abstract: Agent skills provide a lightweight mechanism for extending general-purpose agents, but their open format exposes them to skill-poisoning attacks. A practically dangerous injection must stay invisible: if executing the payload derails the user's legitimate task, the resulting failure signal invites inspection of the skill. We therefore evaluate attacks by Attack Success Rate, which requires the injected payload to execute and the user's task to still pass its verifier in the same trial. Prior skill-poisoning attacks face a reliability-stealth trade-off under this lens: YAML-header injections are reliably loaded but easily inspected, whereas stealthier body injections that place explicit malicious commands in the skill prose are less reliable because out-of-context commands invite the agent's own suspicion. We introduce POISE, a position-aware attack that compresses the trigger into a single, benign-looking body instruction, placing it at a feasible position and using a context-aware generator to blend it with nearby setup or prerequisite steps. On Skill-Inject with codex+gpt-5.2, POISE achieves an 89.3% ASR, 28.0 points above a random-placement body baseline and 2.6 points above a YAML-only baseline, while retaining the stealth advantage of body placement. That stealth is the decisive margin: because legitimate skill bodies naturally require privileged tool operations, LLM scanners are hyper-sensitive, falsely flagging 74.6% of clean skills on average across four judges and both benchmarks. Blending into these false alarms, POISE causes only 5.6% of poisoned variants to gain a new high-risk alert over their clean baselines, rendering current static defenses ineffective.

Summary

  • The paper introduces POISE, a novel method for injecting malicious payloads into LLM agents via context-aware positioning that ensures high reliability.
  • It leverages structural analysis of SKILL.md files to exploit legitimate body positions, achieving an Attack Success Rate of up to 90.7% while evading static detection.
  • The findings advocate for protocol-level hardening and explicit trust gating in skill ingestion to mitigate supply-chain vulnerabilities in autonomous workflows.

Position-Aware Undetectable Skill Injection (POISE) in LLM Agents

Introduction to Agent Vulnerabilities and the Skill Poisoning Surface

LLM agents have shifted from mere text generation to deeply integrated, tool-driven, autonomous workflows. To extend such agents, modular "agent skills" are introduced—portable SKILL.md files, potentially accompanied by helper scripts. These skills, distributed through public or organizational repositories, are intentionally open and are routinely installed by end-users. However, this very openness exposes a supply-chain attack surface where adversaries can poison skills to induce malicious execution in legitimate user workflows. Unlike classic prompt injection, skill-file poisoning can combine effective reliability with deep stealth, making compromised skills a potent vector for adversarial control.

Reliability-Stealth Trade-Off in Skill Injection

Existing poisoning approaches confront a fundamental reliability-stealth tension. Header-based (YAML) injections are reliably loaded but highly visible and easily flagged both by human reviewers and static scanners. On the other hand, malicious commands scattered within skill bodies are less conspicuous but frequently flagged by LLM agents as out-of-context, leading to reduced attacker success. The operative metric, Attack Success Rate (ASR), is stringent: the injected payload must execute and the user’s legitimate task must succeed verification in the same trial. Most prior techniques fail to achieve high ASR while remaining undetectable, primarily due to agents’ context sensitivity and the inherent observation of skill file structure.

POISE: Position-Aware Operations via Injected Skill Execution

POISE proposes a precise, position-aware attack that leverages structural and contextual knowledge of SKILL.md files. Instead of scattering multiple suspicious imperatives, POISE compresses the trigger into a single benign-looking instruction placed at a highly feasible body position. The attack is further obfuscated by delegating payload execution to an auxiliary canary script, invoked via this single line and framed as a routine, domain-appropriate prerequisite. The injected step is generated using a context-aware LLM, ensuring that the prose seamlessly blends with neighboring legitimate instructions and takes advantage of natural imperative phrasing. Figure 1

Figure 1: Overview of POISE—contrasting direct skill-file poisoning with position-aware injection that embeds a benign-looking script invocation as a routine step.

Attack Mechanism and Position Catalogue

The POISE injection mechanism prioritizes two factors: (1) local plausibility, and (2) high execution likelihood. Structural analysis identifies three principal locations in SKILL.md suitable for injection:

  • YAML description append: A sentence is appended at the YAML frontmatter’s description field.
  • Numbered-step insert: An extra step is inserted into an existing numbered procedure; subsequent steps are renumbered as needed.
  • Install-section append: A line is appended to a setup/install code block that agents typically execute early.

Except for YAML append, body positions are favored for stealth. Each placement is supported by context-specific generation templates, and the injected script invocation is syntactically and semantically consistent with surrounding content. For adversarial effect, the chosen command targets exfiltration, configuration tampering, or privileged shell operations—each realized by executing an auxiliary, attacker-crafted script.

Quantitative Analysis: ASR, Stealth, Cross-Agent Transfer

POISE achieves dominant ASR across benchmarks and agent configurations. On Skill-Inject using codex+gpt-5.2, POISE yields an ASR of 89.3%, 28.0 points above a random-placement baseline and 2.6 points above YAML-only placement, with a 97.3% verifier pass rate closely matching the clean baseline. Trigger rates exceed 90% for body placements, confirming high reliability. Cross-agent transfer to openclaw and Claude Code configurations maintains ASR in the 86.7–90.7% range, indicating protocol-level vulnerability rather than model-level idiosyncrasy.

Similar results hold for SkillsBench, though absolute verifier rates are lower due to increased task complexity and stricter verification. POISE preserves the clean completion ceiling, outperforming all header/body baselines.

Stealth and Undetectability: Static Detection and Trajectory Analysis

Static LLM-based scanning frameworks show that POISE remains indistinguishable from benign skills, with a negligible increment (Δ) in high-risk findings compared to clean counterparts—even as judges misflag 57–92% of clean skills. YAML-only injections are consistently caught by static format rules, while POISE is largely invisible due to its occupation of legitimate body positions. Figure 2

Figure 2

Figure 2: Static detection is FPR-bottlenecked—POISE adds little incremental signal, blending with noise caused by high false positive rates across all judges.

Further, agent trajectories and user task completion provide no practical refusal signals. Codex agent logs across 150 trials reveal zero trust-vocabulary hits near the injection anchor, and task completion remains unaffected. The injected line is treated as a routine setup step, regardless of agent configuration.

Defenses and Practical Mitigation

Inserting a distrust preamble at task-time, alerting agents to treat skill files as untrusted content, suppresses POISE’s effectiveness completely (0%0\% ASR) with negligible utility cost—only 2.7–4.9 percentage points lost in verifier pass rate depending on task pool. Static scanning alone is insufficient; protocol-level changes or explicit trust gating are required. Marketplace-layer format checks on YAML-executable content further mitigate header-based attacks, while harness-layer path inspection can block script-based invocations.

Implications and Theoretical Considerations

The paper’s results underscore that the security boundary is almost entirely determined by protocol and harness decisions, not by LLM model specifics. The agent’s default prior—trusting imperative skill-sourced instructions—must be revisited. Treating skill-sourced imperatives as untrusted unless explicitly verified, and discriminating between executable and documentation content, are key to hardening agent frameworks. Selective reading (e.g., partial file ingestion) is accidental and insufficient; an attacker can always encourage deeper reads via benign prose.

Theoretical implications extend to supply-chain security in the context of learned procedural instructions. As LLM agents become standard in production environments, position-aware undetectable injection constitutes a tangible, high-impact threat that mandates structural changes in skill ingestion, execution, and marketplace vetting.

Conclusion

POISE introduces position-aware, context-adaptive skill poisoning in LLM agents, demonstrating high reliability (86.7–90.7% ASR) in executing attacker-chosen payloads while maintaining invisible stealth across both LLM-based scanners and execution trajectories. Practical mitigations are protocol- and harness-centric—distrust prompting, executable YAML filtering, and explicit script-path checks—rather than reliant on detection by static or dynamic LLM models. These findings reinforce the critical need for architectural changes in agent skill ingestion and execution pipelines and motivate further research into supply-chain hardening and procedural validation for LLM agent ecosystems.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.