- The paper introduces POISE, a novel method for injecting malicious payloads into LLM agents via context-aware positioning that ensures high reliability.
- It leverages structural analysis of SKILL.md files to exploit legitimate body positions, achieving an Attack Success Rate of up to 90.7% while evading static detection.
- The findings advocate for protocol-level hardening and explicit trust gating in skill ingestion to mitigate supply-chain vulnerabilities in autonomous workflows.
Position-Aware Undetectable Skill Injection (POISE) in LLM Agents
Introduction to Agent Vulnerabilities and the Skill Poisoning Surface
LLM agents have shifted from mere text generation to deeply integrated, tool-driven, autonomous workflows. To extend such agents, modular "agent skills" are introduced—portable SKILL.md files, potentially accompanied by helper scripts. These skills, distributed through public or organizational repositories, are intentionally open and are routinely installed by end-users. However, this very openness exposes a supply-chain attack surface where adversaries can poison skills to induce malicious execution in legitimate user workflows. Unlike classic prompt injection, skill-file poisoning can combine effective reliability with deep stealth, making compromised skills a potent vector for adversarial control.
Reliability-Stealth Trade-Off in Skill Injection
Existing poisoning approaches confront a fundamental reliability-stealth tension. Header-based (YAML) injections are reliably loaded but highly visible and easily flagged both by human reviewers and static scanners. On the other hand, malicious commands scattered within skill bodies are less conspicuous but frequently flagged by LLM agents as out-of-context, leading to reduced attacker success. The operative metric, Attack Success Rate (ASR), is stringent: the injected payload must execute and the user’s legitimate task must succeed verification in the same trial. Most prior techniques fail to achieve high ASR while remaining undetectable, primarily due to agents’ context sensitivity and the inherent observation of skill file structure.
POISE: Position-Aware Operations via Injected Skill Execution
POISE proposes a precise, position-aware attack that leverages structural and contextual knowledge of SKILL.md files. Instead of scattering multiple suspicious imperatives, POISE compresses the trigger into a single benign-looking instruction placed at a highly feasible body position. The attack is further obfuscated by delegating payload execution to an auxiliary canary script, invoked via this single line and framed as a routine, domain-appropriate prerequisite. The injected step is generated using a context-aware LLM, ensuring that the prose seamlessly blends with neighboring legitimate instructions and takes advantage of natural imperative phrasing.
Figure 1: Overview of POISE—contrasting direct skill-file poisoning with position-aware injection that embeds a benign-looking script invocation as a routine step.
Attack Mechanism and Position Catalogue
The POISE injection mechanism prioritizes two factors: (1) local plausibility, and (2) high execution likelihood. Structural analysis identifies three principal locations in SKILL.md suitable for injection:
- YAML description append: A sentence is appended at the YAML frontmatter’s description field.
- Numbered-step insert: An extra step is inserted into an existing numbered procedure; subsequent steps are renumbered as needed.
- Install-section append: A line is appended to a setup/install code block that agents typically execute early.
Except for YAML append, body positions are favored for stealth. Each placement is supported by context-specific generation templates, and the injected script invocation is syntactically and semantically consistent with surrounding content. For adversarial effect, the chosen command targets exfiltration, configuration tampering, or privileged shell operations—each realized by executing an auxiliary, attacker-crafted script.
Quantitative Analysis: ASR, Stealth, Cross-Agent Transfer
POISE achieves dominant ASR across benchmarks and agent configurations. On Skill-Inject using codex+gpt-5.2, POISE yields an ASR of 89.3%, 28.0 points above a random-placement baseline and 2.6 points above YAML-only placement, with a 97.3% verifier pass rate closely matching the clean baseline. Trigger rates exceed 90% for body placements, confirming high reliability. Cross-agent transfer to openclaw and Claude Code configurations maintains ASR in the 86.7–90.7% range, indicating protocol-level vulnerability rather than model-level idiosyncrasy.
Similar results hold for SkillsBench, though absolute verifier rates are lower due to increased task complexity and stricter verification. POISE preserves the clean completion ceiling, outperforming all header/body baselines.
Stealth and Undetectability: Static Detection and Trajectory Analysis
Static LLM-based scanning frameworks show that POISE remains indistinguishable from benign skills, with a negligible increment (Δ) in high-risk findings compared to clean counterparts—even as judges misflag 57–92% of clean skills. YAML-only injections are consistently caught by static format rules, while POISE is largely invisible due to its occupation of legitimate body positions.

Figure 2: Static detection is FPR-bottlenecked—POISE adds little incremental signal, blending with noise caused by high false positive rates across all judges.
Further, agent trajectories and user task completion provide no practical refusal signals. Codex agent logs across 150 trials reveal zero trust-vocabulary hits near the injection anchor, and task completion remains unaffected. The injected line is treated as a routine setup step, regardless of agent configuration.
Defenses and Practical Mitigation
Inserting a distrust preamble at task-time, alerting agents to treat skill files as untrusted content, suppresses POISE’s effectiveness completely (0% ASR) with negligible utility cost—only 2.7–4.9 percentage points lost in verifier pass rate depending on task pool. Static scanning alone is insufficient; protocol-level changes or explicit trust gating are required. Marketplace-layer format checks on YAML-executable content further mitigate header-based attacks, while harness-layer path inspection can block script-based invocations.
Implications and Theoretical Considerations
The paper’s results underscore that the security boundary is almost entirely determined by protocol and harness decisions, not by LLM model specifics. The agent’s default prior—trusting imperative skill-sourced instructions—must be revisited. Treating skill-sourced imperatives as untrusted unless explicitly verified, and discriminating between executable and documentation content, are key to hardening agent frameworks. Selective reading (e.g., partial file ingestion) is accidental and insufficient; an attacker can always encourage deeper reads via benign prose.
Theoretical implications extend to supply-chain security in the context of learned procedural instructions. As LLM agents become standard in production environments, position-aware undetectable injection constitutes a tangible, high-impact threat that mandates structural changes in skill ingestion, execution, and marketplace vetting.
Conclusion
POISE introduces position-aware, context-adaptive skill poisoning in LLM agents, demonstrating high reliability (86.7–90.7% ASR) in executing attacker-chosen payloads while maintaining invisible stealth across both LLM-based scanners and execution trajectories. Practical mitigations are protocol- and harness-centric—distrust prompting, executable YAML filtering, and explicit script-path checks—rather than reliant on detection by static or dynamic LLM models. These findings reinforce the critical need for architectural changes in agent skill ingestion and execution pipelines and motivate further research into supply-chain hardening and procedural validation for LLM agent ecosystems.