Paper page - POISE: Position-Aware Undetectable Skill Injection on LLM Agents

Source: https://huggingface.co/papers/2606.07943

Abstract

POISE is a stealthy skill-poisoning attack that embeds malicious triggers within benign-looking instructions, achieving high attack success rates while avoiding detection by LLM scanners that are overly sensitive to privileged tool operations.

Agent skills provide a lightweight mechanism for extending general-purpose agents, but their open format exposes them toskill-poisoning attacks. A practically dangerous injection must stay invisible: if executing the payload derails the user’s legitimate task, the resulting failure signal invites inspection of the skill. We therefore evaluate attacks byAttack Success Rate, which requires the injected payload to execute and the user’s task to still pass its verifier in the same trial. Priorskill-poisoning attacksface a reliability-stealth trade-off under this lens:YAML-header injectionsare reliably loaded but easily inspected, whereas stealthierbody injectionsthat place explicit malicious commands in the skill prose are less reliable because out-of-context commands invite the agent’s own suspicion. We introduce POISE, aposition-aware attackthat compresses the trigger into a single, benign-looking body instruction, placing it at a feasible position and using acontext-aware generatorto blend it with nearby setup or prerequisite steps. On Skill-Inject withcodex+gpt-5.2, POISE achieves an 89.3% ASR, 28.0 points above a random-placement body baseline and 2.6 points above a YAML-only baseline, while retaining the stealth advantage of body placement. That stealth is the decisive margin: because legitimate skill bodies naturally require privileged tool operations,LLM scannersare hyper-sensitive, falsely flagging 74.6% of clean skills on average across four judges and both benchmarks. Blending into these false alarms, POISE causes only 5.6% of poisoned variants to gain a new high-risk alert over their clean baselines, rendering currentstatic defensesineffective.

View arXiv pageView PDFGitHub0Add to collection

Get this paper in your agent:

hf papers read 2606\.07943

Don’t have the latest CLI?curl \-LsSf https://hf\.co/cli/install\.sh \| bash

Models citing this paper0

No model linking this paper

Cite arxiv.org/abs/2606.07943 in a model README.md to link it from this page.

Datasets citing this paper0

No dataset linking this paper

Cite arxiv.org/abs/2606.07943 in a dataset README.md to link it from this page.

Spaces citing this paper0

No Space linking this paper

Cite arxiv.org/abs/2606.07943 in a Space README.md to link it from this page.

Collections including this paper0

No Collection including this paper

Add this paper to acollectionto link it from this page.