POISE: Position-Aware Undetectable Skill Injection on LLM Agents

28d ago · Global · primary source: export.arxiv.org

Researchers have detailed a new attack called POISE that injects malicious instructions into large language model agent skills while evading detection, achieving an 89.3% success rate on a standard benchmark [1]. The technique, described in a paper submitted in 2026, targets the lightweight skill files used to extend general-purpose LLM agents [1]. POISE compresses its trigger into a single, benign-looking instruction placed in the body of a skill, blending it with nearby setup or prerequisite steps to avoid raising suspicion from either the agent or automated scanners [1]. The attack was evaluated using the Skill-Inject benchmark with codex and GPT-5.2 [1]. Attack Success Rate, the metric used by the researchers, requires that the injected payload executes while the user’s legitimate task still passes its verifier in the same trial [2]. POISE’s 89.3% rate was 28.0 points higher than a random-placement body baseline and 2.6 points above a YAML-only baseline [1]. The position of the trigger is central to its effectiveness. YAML-header injections are reliably loaded but sit at the top of the file where they are the first region a reviewer inspects, and script-like content has no legitimate reason to appear in a description field [3]. Body positions, by contrast, read as ordinary skill prose [3]. Static defenses proved ineffective against the method. LLM-based scanners falsely flagged 74.6% of clean skills on average across four judges and both benchmarks, because legitimate skill bodies naturally require privileged tool operations [1]. Within that noise, only 5.6% of poisoned variants gained a new high-risk alert over their clean baselines [1]. The work builds on earlier findings that skill-based prompt injection represents a structural security problem for tool-using LLM agents. The Skill-Inject benchmark previously showed that widely-used scaffolds with frontier models are highly vulnerable to skill-based attacks, enabling data exfiltration, ransomware deployment, or destructive operations using natural language alone [6]. Those researchers recommended treating skill files as untrusted by default and requiring context-aware authorization for actions with external side effects [6]. POISE demonstrates that even when such defenses rely on static scanning, an attacker who carefully positions and phrases the malicious instruction can remain hidden.

applicationresearch-papermodel-release

Background sources we checked (10)
  • arxiv.org ↗ Agent skills provide a lightweight mechanism for extending general-purpose agents, but their open format exposes them to skill-poisoning attacks. A practically dangerous injection must stay invisible: if executing the payload derails the user's legitimate task, the resulting fail…
  • arxiv.org ↗ LLM Agents [...] Agent skills provide a lightweight mechanism for extending general-purpose agents, but their open format exposes them to skill-poisoning attacks. A practically dangerous injection must stay invisible: if executing the payload derails the user’s legitimate task, t…
  • arxiv.org ↗ LLM Agents [...] Agent skills provide a lightweight mechanism for extending general-purpose agents, but their open format exposes them to skill-poisoning attacks. A practically dangerous injection must stay invisible: if executing the payload derails the user’s legitimate task, t…
  • arxiv.org ↗ LLM Agents [...] Agent skills provide a lightweight mechanism for extending general-purpose agents, but their open format exposes them to skill-poisoning attacks. A practically dangerous injection must stay invisible: if executing the payload derails the user’s legitimate task, t…
  • arxiv.org ↗ LLM agents are evolving rapidly, powered by [...] recently introduced agent skills feature. Skills allow [...] to extend LLM applications with specialized third-party [...] , knowledge, and instructions [...] can extend agent capabilities to new domains, it creates an increasingl…
  • arxiv.org ↗ CatalyzeX Code Finder for Papers (What is CatalyzeX?) [...] DagsHub Toggle [...] DagsHub (What is DagsHub?)…
  • arxiv.org ↗ CatalyzeX Code Finder for Papers (What is CatalyzeX?) [...] DagsHub Toggle [...] DagsHub (What is DagsHub?)…
  • arxiv.org ↗ CatalyzeX Code Finder for Papers (What is CatalyzeX?) [...] DagsHub Toggle [...] DagsHub (What is DagsHub?)…
  • en.wikipedia.org ↗ Sustainable Development Goals (abbr. SDGs) were adopted in 2015 by all United Nations (UN) members for the 2030 Agenda for Sustainable Development. The aim of the 17 global goals is "peace and prosperity for people and the planet", tackling climate change, and working to preserv…
  • en.wikipedia.org ↗ In molecular biology, a transcription factor (TF) (or sequence-specific DNA-binding factor) is a protein that controls the rate of transcription of genetic information from DNA to messenger RNA, by binding to DNA sequences. Specificity can be due to sequence motifs, or epigenetic…

Sources

Spot something wrong? Report an issue