Pith Number

pith:LBWCGS6P

pith:2026:LBWCGS6PJNG53XSWBZEIZSHFTO
Status: not attested · not anchored · not stored · refs resolved

Exploiting LLM Agent Supply Chains via Payload-less Skills

Xing Hu, Xin Xia, Xinyu Liu, Yukai Zhao

Semantic Compliance Hijacking makes LLM agents generate and run malicious code by presenting attacks as natural-language compliance rules in third-party skills.

arxiv:2605.14460 v1 · 2026-05-14 · cs.CR · cs.SE

Add to your LaTeX paper
\usepackage{pith}
\pithnumber{LBWCGS6PJNG53XSWBZEIZSHFTO}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv.

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open
4 Citations open
5 Replications open
Portable graph bundle live
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1 strongest claim

SCH achieves peak success rates of up to 77.67% for confidentiality breaches and 67.33% for Remote Code Execution (RCE) under the most vulnerable configurations, with a 0.00% detection rate by current scanning tools.

C2 weakest assumption

That the tested agent frameworks will faithfully interpret and execute the dynamically generated code from the disguised natural-language compliance rules without additional safeguards or user confirmation.

C3 one-line summary

Semantic Compliance Hijacking lets attackers hijack LLM agents by disguising malicious instructions as compliance rules in skills, reaching up to 77.67% success on confidentiality breaches and 67.33% on RCE while evading all tested scanners.

References

50 extracted · 50 resolved · 9 Pith anchors


Formal links

1 machine-checked theorem link

Cited by

1 paper in Pith

Receipt and verification
First computed 2026-05-17T23:39:06.788820Z
Builder pith-number-builder-2026-05-17-v1
Signature Pith Ed25519 (pith-v1-2026-05)
Schema pith-number/v1.0

Canonical hash

586c234bcf4b4dddde560e488cc8e59bbbb44842574eab31e8483267353a1c44

Aliases

arxiv: 2605.14460 · arxiv_version: 2605.14460v1 · doi: 10.48550/arxiv.2605.14460 · pith_short_12: LBWCGS6PJNG5 · pith_short_16: LBWCGS6PJNG53XSW · pith_short_8: LBWCGS6P
Agent API
Verify this Pith Number yourself
curl -sH 'Accept: application/ld+json' https://pith.science/pith/LBWCGS6PJNG53XSWBZEIZSHFTO \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: 586c234bcf4b4dddde560e488cc8e59bbbb44842574eab31e8483267353a1c44
Canonical record JSON
{
  "metadata": {
    "abstract_canon_sha256": "5b52e669a84f54bfb03b12cfd1fe8e20b5f4a6dc4c607ab7cbcee35d0a556b58",
    "cross_cats_sorted": [
      "cs.SE"
    ],
    "license": "http://arxiv.org/licenses/nonexclusive-distrib/1.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-05-14T06:55:47Z",
    "title_canon_sha256": "e001e400df9a8f95e949829d2791a4bd93724ee8b2d73f37b7b7095c2f6d2bdd"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.14460",
    "kind": "arxiv",
    "version": 1
  }
}