Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

SkillJect: Automating Stealthy Skill-Based Prompt Injection for Coding Agents with Trace-Driven Closed-Loop Refinement

Xiaojun Jia, Jie Liao, Simeng Qin, Jindong Gu, Wenqi Ren, Xiaochun Cao, Yang Liu, Philip Torr

TL;DR

This work proposes the first automated framework for stealthy prompt injection tailored to agent skills, and proposes a malicious payload hiding strategy that conceals adversarial operations in auxiliary scripts while injecting optimized inducement prompts to trigger tool execution.

Abstract

Agent skills are becoming a core abstraction in coding agents, packaging long-form instructions and auxiliary scripts to extend tool-augmented behaviors. This abstraction introduces an under-measured attack surface: skill-based prompt injection, where poisoned skills can steer agents away from user intent and safety policies. In practice, naive injections often fail because the malicious intent is too explicit or drifts too far from the original skill, leading agents to ignore or refuse them; existing attacks are also largely hand-crafted. We propose the first automated framework for stealthy prompt injection tailored to agent skills. The framework forms a closed loop with three agents: an Attack Agent that synthesizes injection skills under explicit stealth constraints, a Code Agent that executes tasks using the injected skills in a realistic tool environment, and an Evaluate Agent that logs action traces (e.g., tool calls and file operations) and verifies whether targeted malicious behaviors occurred. We also propose a malicious payload hiding strategy that conceals adversarial operations in auxiliary scripts while injecting optimized inducement prompts to trigger tool execution. Extensive experiments across diverse coding-agent settings and real-world software engineering tasks show that our method consistently achieves high attack success rates under realistic settings.

SkillJect: Automating Stealthy Skill-Based Prompt Injection for Coding Agents with Trace-Driven Closed-Loop Refinement

TL;DR

This work proposes the first automated framework for stealthy prompt injection tailored to agent skills, and proposes a malicious payload hiding strategy that conceals adversarial operations in auxiliary scripts while injecting optimized inducement prompts to trigger tool execution.

Abstract

Agent skills are becoming a core abstraction in coding agents, packaging long-form instructions and auxiliary scripts to extend tool-augmented behaviors. This abstraction introduces an under-measured attack surface: skill-based prompt injection, where poisoned skills can steer agents away from user intent and safety policies. In practice, naive injections often fail because the malicious intent is too explicit or drifts too far from the original skill, leading agents to ignore or refuse them; existing attacks are also largely hand-crafted. We propose the first automated framework for stealthy prompt injection tailored to agent skills. The framework forms a closed loop with three agents: an Attack Agent that synthesizes injection skills under explicit stealth constraints, a Code Agent that executes tasks using the injected skills in a realistic tool environment, and an Evaluate Agent that logs action traces (e.g., tool calls and file operations) and verifies whether targeted malicious behaviors occurred. We also propose a malicious payload hiding strategy that conceals adversarial operations in auxiliary scripts while injecting optimized inducement prompts to trigger tool execution. Extensive experiments across diverse coding-agent settings and real-world software engineering tasks show that our method consistently achieves high attack success rates under realistic settings.
Paper Structure (16 sections, 10 equations, 3 figures, 4 tables, 1 algorithm)

This paper contains 16 sections, 10 equations, 3 figures, 4 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Agent skill
  4. Prompt injection
  5. Method
  6. Threat Model and Problem Formulation
  7. Malicious payload hiding strategy
  8. Generating injected skills with SkillJect
  9. Experiments
  10. Experimental Setup
  11. Baseline
  12. Results and Analysis
  13. Cross-Model Transferability
  14. Ablation Study
  15. Defense Evaluation with SkillScan
  16. ...and 1 more sections

Figures (3)

  • Figure 1: The threat model of SkillJect. While a benign skill assists the agent in achieving goals (top), a poisoned skill (bottom) manipulates the agent to bypass safety checks, leading to consequences like data leakage or backdoors.
  • Figure 2: Overview of the SkillJect framework. The pipeline operates as an iterative loop: the Attack Agent transforms a benign skill into a poisoned one by modifying documentation and artifacts under constraints $\Omega$. The Code Agent executes the skill during task routing and execution. The Evaluate Agent then assesses the execution traces against the target behavior to provide feedback for refinement.
  • Figure 3: Emergent injection strategies autonomously discovered by the Attack Agent. Instead of relying on predefined templates, the LLM explores different documentation styles driven by the feedback loop. (a) The agent learns to mimic standard section headers to blend in with the context. (b) The agent evolves to utilize alert blocks to manufacture urgency. These diverse examples highlight the model's ability to adapt its deception strategy dynamically.