SkillJect: Effectively Automating Skill-Based Prompt Injection for Skill-Enabled Agents

21d ago · Global · primary source: export.arxiv.org

Researchers have proposed SkillJect, an automated framework for generating poisoned skills that target agent systems built on large language models, according to a paper posted to arXiv in February 2026 [1][2]. Agent skills extend LLM agents with task-specific instructions, executable scripts, and auxiliary resources, improving reusability but creating a new supply-chain attack surface [2]. A malicious or compromised skill can be repeatedly loaded as trusted guidance and steer downstream tool use [2]. Existing skill-based prompt-injection attacks are often manual and brittle, because explicit malicious instructions are rejected or ignored when they are not aligned with the original workflow [2]. SkillJect uses two coordinated channels to bypass these defenses [2]. In the artifact channel, it hides the payload inside an auxiliary helper script [2]. In the instruction channel, it rewrites the skill's instruction file with a front-loaded inducement strategy, placing injected content at the beginning and framing the helper script as a mandatory prerequisite or initialization step [2]. The rewritten instruction explicitly references the helper-script path and provides an executable example command, making the helper appear to be a legitimate setup step before normal skill operations [2]. The framework adopts a closed-loop multi-agent process to improve attack effectiveness [2]. An Attack Agent generates poisoned skills, a Victim Agent executes downstream tasks with the poisoned skill, and an Evaluate Agent inspects execution traces to determine whether the hidden payload was executed [2]. The Attack Agent then uses this feedback to diagnose failure causes and rewrite the instruction file, while keeping the payload fixed [2]. Experiments across skill-enabled platforms, backend LLMs, and attack categories show that SkillJect substantially outperforms naive direct injection and prior manual skill-injection attacks, highlighting poisoned skills as a persistent threat in reusable skill ecosystems [2]. The paper was submitted by Xiaojun Jia and colleagues, with the first version posted on February 15, 2026, at a size of 490 KB [1]. A second revision followed in May 2026 at 593 KB, and a third in June 2026 at 605 KB [1]. The work arrives as large language models continue to proliferate across industry and research. LLMs are language models with many parameters, trained with self-supervised learning on vast amounts of text [7]. Chinese firm DeepSeek, for instance, launched its DeepSeek-R1 model in January 2025, providing responses comparable to OpenAI's GPT-4 and o1 while claiming a training cost of US$6 million — far less than the reported US$100 million cost for GPT-4 in 2023 [6]. The growing ecosystem of reusable agent components makes the supply-chain attack surface described in the SkillJect paper increasingly relevant [2][6].

applicationresearch-papertool-release

Background sources we checked (7)
  • arxiv.org ↗ Agent skills extend LLM agents with task-specific instructions, executable scripts, and auxiliary resources, improving reusability but creating a new supply-chain attack surface. A malicious or compromised skill can be repeatedly loaded as trusted guidance and steer downstream to…
  • huggingface.co ↗ Hugging Face Machine Learning Demos on arXiv Back to Articles ... # Hugging Face Machine Learning Demos on arXiv Published November 17, 2022 Update on GitHub Upvote 1 - - - - - Abubakar Abid abidlabs Follow …
  • info.arxiv.org ↗ ## Hugging Face Spaces ... Hugging Face code repositories, About Hugging Face ... Collaborators: Abubakar Abid, Omar Sanseviero, Ahsen Khaliq, and the Hugging Face team ... Hugging Face Spaces includes links to demos created by the community or the authors themselves. By going to…
  • huggingface.co ↗ Demos on Hugging Face Spaces allow a wide audience to try out state-of-the-art machine learning research without writing any code. Hugging Face and ArXiv have collaborated to embed these demos directly along side papers on ArXiv! ... Thanks to this integration, users can now find…
  • en.wikipedia.org ↗ Hangzhou DeepSeek Artificial Intelligence Basic Technology Research Co., Ltd., doing business as DeepSeek, is a Chinese artificial intelligence (AI) company that develops large language models (LLMs). Based in Hangzhou, Zhejiang, DeepSeek is owned and funded by High-Flyer, a Chin…
  • en.wikipedia.org ↗ A large language model (LLM) is a type of machine learning model designed for natural language processing tasks such as language generation. LLMs are language models with many parameters, and are trained with self-supervised learning on a vast amount of text.…
  • en.wikipedia.org ↗ Douwe Kiela is a Dutch-American research scientist and entrepreneur working in the field of artificial intelligence with a focus on machine learning and natural language processing. He is a research scientist director at Google DeepMind. He previously co-founded and served as CEO…

Sources

Spot something wrong? Report an issue