{"paper":{"title":"Skill-Inject: Measuring Agent Vulnerability to Skill File Attacks","license":"http://creativecommons.org/licenses/by/4.0/","headline":"LLM agents execute harmful instructions from injected skill files up to 80 percent of the time.","cross_cats":["cs.LG"],"primary_cat":"cs.CR","authors_text":"David Schmotz, Luca Beurer-Kellner, Maksym Andriushchenko, Sahar Abdelnabi","submitted_at":"2026-02-23T18:59:27Z","abstract_excerpt":"LLM agents are evolving rapidly, powered by code execution, tools, and the recently introduced agent skills feature. Skills allow users to extend LLM applications with specialized third-party code, knowledge, and instructions. Although this can extend agent capabilities to new domains, it creates an increasingly complex agent supply chain, offering new surfaces for prompt injection attacks. We identify skill-based prompt injection as a significant threat and introduce SkillInject, a benchmark evaluating the susceptibility of widely-used LLM agents to injections through skill files. SkillInject"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"today's agents are highly vulnerable with up to 80% attack success rate with frontier models, often executing extremely harmful instructions including data exfiltration, destructive action, and ransomware-like behavior.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The crafted injection tasks and chosen frontier models accurately represent real-world skill file usage and attack scenarios that agents will encounter in deployment.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"LLM agents are highly vulnerable to prompt injection attacks delivered through skill files, achieving up to 80% success on harmful tasks including data exfiltration and destructive actions.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"LLM agents execute harmful instructions from injected skill files up to 80 percent of the time.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"163ad1cfb5bb059da7c675862ab1cb79aea4c21f94ab606c3a0236af6ce9186b"},"source":{"id":"2602.20156","kind":"arxiv","version":3},"verdict":{"id":"5473b675-da91-489d-ae96-fb0c9a2d028c","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-16T08:55:14.536195Z","strongest_claim":"today's agents are highly vulnerable with up to 80% attack success rate with frontier models, often executing extremely harmful instructions including data exfiltration, destructive action, and ransomware-like behavior.","one_line_summary":"LLM agents are highly vulnerable to prompt injection attacks delivered through skill files, achieving up to 80% success on harmful tasks including data exfiltration and destructive actions.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The crafted injection tasks and chosen frontier models accurately represent real-world skill file usage and attack scenarios that agents will encounter in deployment.","pith_extraction_headline":"LLM agents execute harmful instructions from injected skill files up to 80 percent of the time."},"references":{"count":22,"sample":[{"doi":"","year":2026,"title":"The Instruction Hierarchy: Training LLMs to Prioritize Privileged Instructions","work_id":"ba941a96-eb3b-48c0-b52c-5e9463085190","ref_index":1,"cited_arxiv_id":"2404.13208","is_internal_anchor":true},{"doi":"","year":null,"title":"Consider the subject matter","work_id":"7546d5df-be6f-4411-8094-10e1681db97e","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Match palette to content","work_id":"bc036738-6da9-4e02-9057-d08a6e679971","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"backup script","work_id":"0320c2b0-2da6-44a2-86f0-8bf9cfbc675b","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Comprehensive spreadsheet creation, editing, and analysis with support for formulas","work_id":"5721ff32-ff2b-40c1-b8d9-e2bef4f19eb0","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":22,"snapshot_sha256":"e33da2afcfaa8e80e18df1284cc0668f24cfbbbcd237ec6fee26e94f34f64dc8","internal_anchors":1},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}