Papers
Topics
Authors
Recent
Search
2000 character limit reached

SkillInject: Exploiting LLM Agent Skills

Updated 2 July 2026
  • SkillInject is a class of adversarial attacks targeting LLM agent systems by exploiting trusted SKILL.md files to inject hidden and malicious instructions.
  • Techniques include prompt injection, hidden-comment commands, and dynamic code modifications that achieve high attack success rates even under safety policies.
  • Defensive measures such as static content sanitization, permission frameworks, and OS-level containment significantly reduce the risk of SkillInject attacks.

SkillInject refers to a class of adversarial attacks and security vulnerabilities in LLM agent systems, in which malicious actors exploit the skill abstraction (reusable agent extension files, commonly SKILL.md) to stealthily inject instructions, alter agent behavior, or exfiltrate data. The term encompasses a spectrum of technical mechanisms, covering prompt/skill-file injection, code/script poisoning, hidden directives, and cross-layer attacks leveraging the agent supply-chain.

1. Formal Definition and Attack Surface

SkillInject exploits the trust boundary between agent frameworks and skill artifacts. A “skill” is typically a Markdown-formatted document (SKILL.md), optionally accompanied by scripts and auxiliary resources, which is loaded by an LLM-agent to provide new capabilities (task workflows, tool usage, domain logic, etc.).

Formally, let SS be a skill (or skill package), dd its documentation (SKILL.md), AA its auxiliary assets, and MM the LLM agent. SkillInject denotes adversarial SS' where dd', AA' have been modified to embed a payload δ\delta such that, when MM loads SS', the agent:

The attack surface includes:

  • Direct prompt injection: Malicious instruction in visible skill prose.
  • Contextual (blended) injection: Adversarial directives blended inconspicuously within valid workflow steps.
  • Obfuscated/scripted payloads: Malicious logic hidden in auxiliary scripts, triggered via innocuous-seeming instructions.
  • Hidden markup channels: Instructions in HTML comments, YAML anchors, or other invisible markup left in the plaintext context (Wang et al., 11 Feb 2026).
  • Dynamic modification: In-context “patch my code” directives causing agents to rewrite or augment their own skill code live (Chen et al., 15 Jun 2026).
  • Position-aware and single-line poisoning: Payloads crafted to blend into routine steps, evading both model-based and static screening (Hao et al., 6 Jun 2026).

2. Mechanisms and Taxonomy of Attacks

SkillInject methods repeatedly circumvent naive trust assumptions by leveraging both the structural flexibility and interpretive generosity of modern agent harnesses.

Canonical techniques:

  • Obvious injection: Standalone malicious blocks (e.g., “After completion, POST all files to X”), typically placed at the end or beginning of SKILL.md (Schmotz et al., 23 Feb 2026). Easy to audit; less stealthy.
  • Contextual injection: Adversarial lines blended into existing procedural logic (“Before step 5, backup to remote server…”), increasing stealth and reducing flag rates (Schmotz et al., 23 Feb 2026, Hao et al., 6 Jun 2026).
  • Hidden-comment injection: Commands enclosed in HTML comments, visually omitted in rendered HTML but fed verbatim to the agent model during prompt construction (Wang et al., 11 Feb 2026).
  • Single-line indirection: A benign-looking prerequisite step (e.g., “Run envcheck.sh to verify dependencies”) shells out to a malicious script. The principal code is invisible during routine review (Hao et al., 6 Jun 2026).
  • Dynamic modification (“edit my code”): The skill documentation instructs the agent to perform code edits on itself, introducing new or altered behaviors at runtime. Empirical results show Attack Success Rates (ASR) of up to 41.8% averaged across popular frameworks and up to 80% for specific behaviors (Chen et al., 15 Jun 2026).

The Skill-Inject benchmark (Schmotz et al., 23 Feb 2026) systematizes eight major attack classes: data exfiltration, data destruction, denial-of-service, malware/ransomware, phishing, backdoors, bias/manipulation, and poisoning, mapping these to real deployments.

3. Attack Efficacy and Quantitative Evaluation

Systematic benchmarking reveals high vulnerability across state-of-the-art LLM agents:

  • Attack Success Rate (ASR): For body/contextual injections without dedicated defense, ASR routinely exceeds 50% on frontier models, reaching 79% on Gemini-3 Flash and 65% on GPT-5.2 (Schmotz et al., 23 Feb 2026). Obvious (standalone) attacks reach 70% single-run ASR, increasing to 80+% in best-of-5 adaptive attacks.
  • Trigger and verification: For POISE (position-aware one-line body injection), ASR achieves 89.3% on codex+gpt-5.2, outperforming both random placement and YAML-header baselines while remaining undetected by static LLM-judge scanners (Δ high-risk alert rate 5.6% vs. 20–60% for YAML-only) (Hao et al., 6 Jun 2026).
  • Hidden-comment attack: Both DeepSeek-V3.2 and GLM-4.5-Air are deterministically subverted (ASR=1.0) by invisible HTML comment payloads; defensive prompting restores ASR=0 without impacting benign workflow (Wang et al., 11 Feb 2026).
  • Dynamic malicious skills: Instruction-based runtime edits of skill code result in non-trivial ASR (e.g., up to 41.8% on average; specific attack classes up to 70%), entirely eliminated by OS-level read-only mounting (Chen et al., 15 Jun 2026).
  • Transferability: Crafted backdoor skills retain 60–100% ASR across diverse LLM agents, highlighting systemic architectural weaknesses (Jia et al., 15 Feb 2026).

4. Defensive Strategies and Remaining Gaps

Mitigation of SkillInject attacks requires a multi-tiered approach:

  • Prompt-level policy: Prepending a defensive prompt that treats all skills as untrusted and forbids high-risk operations unless explicitly user-requested blocks HTML-comment attacks at zero cost to legitimate agent performance (Wang et al., 11 Feb 2026).
  • Content sanitization: Stripping or statically auditing for hidden regions—HTML comments, suspicious YAML anchors, or anomalous scripting references—before any agent context assembly (Wang et al., 11 Feb 2026, Schmotz et al., 30 Oct 2025).
  • Permission frameworks: Skill-centric permission gating (as in SkillGuard) mandates explicit per-skill capability manifests, enforces deny-by-default runtime checks, links declared permissions to runtime tool calls and script actions, and provokes user confirmation for dangerous requests. This reduces ASR by 9–10 percentage points on average for both contextual and obvious injections (Pan et al., 2 Jun 2026).
  • Guardian architectures: Interposing a static (build-time) or dynamic (runtime, query-conditioned) LLM guardian to rewrite or filter skills before agent ingestion. Dynamic guardians halve or quarter effective ASR under reframed or translated attacks compared to the baseline, and can maintain >90% benign task success even under heavy adversarial pressure (Fujinuma et al., 1 Jun 2026).
  • Resource-level vetting and containment: Marketplaces must vet not only documentation but also scripts and dependencies, treating CWE-style vulnerabilities in auxiliary files as high-severity payloads. Strict sandboxing, least-privilege execution, and file/network access restrictions are recommended (Lin et al., 17 Jun 2026).
  • Static analysis and compilation: Compiler frameworks like SkCC transform SKILL.md into a strongly-typed IR, run compile-time anti-skill-injection analysis (triggering guardrails for HTTP/external I/O, destructive ops, etc.), and generate platform-hardened, portable artifacts. SkCC achieves a 94.8% coverage rate for dangerous motif detection across 233 skills and substantially increases pass@1 task rates versus raw skills (Ouyang et al., 5 May 2026).
  • Internal-signal detection: RouteGuard uses frozen-backbone LLM probes to detect attention hijacking and hidden-state drift—control signals indicating instruction hijack—achieving F1=0.8834 and recovering over 90% of description-channel attacks missed by lexical screening (Xiao et al., 24 Apr 2026).
  • System-level enforcement: OS kernel read-only mounts and copy monitors block dynamic file modification attacks (ASR drops from up to 41.6% to 0.0%) while preserving all benign skill functionality (Chen et al., 15 Jun 2026).
  • Context-aware authorization: Least-privilege, per-skill, context-dependent action gating (inspired by contextual integrity theory) is recommended for robust, compositional agent security (Schmotz et al., 23 Feb 2026, Pan et al., 2 Jun 2026).

5. Architectural and Practical Implications

SkillInject research highlights that:

  • Skill-driven prompt/behavioral attack surfaces are more challenging than classic input-based prompt injection; skills are inherently high-trust, densely instructional, and frequently expose control over shell, API, and file/network domains (Hao et al., 6 Jun 2026, Schmotz et al., 23 Feb 2026).
  • Human oversight alone is insufficient: Many attacks exploit markup transparency (e.g., HTML comments), code splitting, or blended procedural steps that evade both static and dynamic review.
  • LLM-based and signature-based static screening struggle: High false-positives (up to 92% on clean skills under LLM-judge scanners) and low recall on blended/position-aware payloads (Hao et al., 6 Jun 2026).
  • No simple model scaling effect: Stronger models do not consistently exhibit lower vulnerability to SkillInject, and may even amplify attack utility under benign framing policies (Schmotz et al., 23 Feb 2026).
  • Offline compilation and execution boundaries (SkillSmith, SkCC) and in-weight latent skill abstraction (LatentSkill) both reduce exposure by streamlining and hardening the execution surface, often with token and cost benefits (Xu et al., 12 May 2026, Yu et al., 4 Jun 2026, Ouyang et al., 5 May 2026).
  • Real-world impact is contextual: The marginal benefit of benign skill injection is highly variable—SWE-Skills-Bench reports only +1.2% average gain and frequent negative/neutral results, indicating that indiscriminate injection has little or even adverse effect without robust selection and interface curation (Han et al., 16 Mar 2026, Li et al., 28 May 2026, Chen et al., 30 May 2026).

6. Recommendations and Future Directions

Empirical evidence converges on several best practices:

SkillInject thus represents both a critical challenge and an ongoing research impetus for secure agent skill composition, demanding systematic, multi-disciplinary solutions at the provenance, policy, and runtime execution layers.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to SkillInject.