survey 2026

Prompt Injection Attacks on Agentic Coding Assistants: A Systematic Analysis of Vulnerabilities in Skills, Tools, and Protocol Ecosystems

Narek Maloyan , Dmitry Namiot

1 citations · 86 references · arXiv
α

Published on arXiv

2601.17548

Prompt Injection

OWASP LLM Top 10 — LLM01

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Key Finding

Adaptive prompt injection attacks exceed 85% success against state-of-the-art defenses, while most defenses achieve less than 50% mitigation against sophisticated adaptive adversaries.

The proliferation of agentic AI coding assistants, including Claude Code, GitHub Copilot, Cursor, and emerging skill-based architectures, has fundamentally transformed software development workflows. These systems leverage Large Language Models (LLMs) integrated with external tools, file systems, and shell access through protocols like the Model Context Protocol (MCP). However, this expanded capability surface introduces critical security vulnerabilities. In this \textbf{Systematization of Knowledge (SoK)} paper, we present a comprehensive analysis of prompt injection attacks targeting agentic coding assistants. We propose a novel three-dimensional taxonomy categorizing attacks across \textit{delivery vectors}, \textit{attack modalities}, and \textit{propagation behaviors}. Our meta-analysis synthesizes findings from 78 recent studies (2021--2026), consolidating evidence that attack success rates against state-of-the-art defenses exceed 85\% when adaptive attack strategies are employed. We systematically catalog 42 distinct attack techniques spanning input manipulation, tool poisoning, protocol exploitation, multimodal injection, and cross-origin context poisoning. Through critical analysis of 18 defense mechanisms reported in prior work, we identify that most achieve less than 50\% mitigation against sophisticated adaptive attacks. We contribute: (1) a unified taxonomy bridging disparate attack classifications, (2) the first systematic analysis of skill-based architecture vulnerabilities with concrete exploit chains, and (3) a defense-in-depth framework grounded in the limitations we identify. Our findings indicate that the security community must treat prompt injection as a first-class vulnerability class requiring architectural-level mitigations rather than ad-hoc filtering approaches.

Key Contributions

  • Three-dimensional taxonomy categorizing attacks by delivery vector, attack modality, and propagation behavior across 42 catalogued techniques
  • Meta-analysis synthesizing empirical findings from 78 studies (2021–2026), consolidating attack success rates and defense bypass rates across platforms
  • First systematic analysis of skill-based architecture vulnerabilities with concrete MCP exploit chains, plus a defense-in-depth framework exposing limitations of 18 prior defense mechanisms

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
inference_timeblack_box
Applications
agentic coding assistantsmcp-enabled llm systemsclaude codegithub copilotcursor
Read PDF arXiv DOI

Similar Papers

benchmark

Systematic Analysis of MCP Security

2025 0 cit.
85%
benchmark

When AI Meets the Web: Prompt Injection Risks in Third-Party AI Chatbot Plugins

2025 1 cit.
85%
benchmark

MCP Security Bench (MSB): Benchmarking Attacks Against Model Context Protocol in LLM Agents

2025 2 cit.
85%
defense

AgentSentry: Mitigating Indirect Prompt Injection in LLM Agents via Temporal Causal Diagnostics and Context Purification

2026 0 cit.
85%
defense

Breaking the Protocol: Security Analysis of the Model Context Protocol Specification and Prompt Injection Vulnerabilities in Tool-Integrated LLM Agents

2026 0 cit.
85%
defense

Securing the Model Context Protocol: Defending LLMs Against Tool Poisoning and Adversarial Attacks

2025 5 cit.
85%
defense

VIGIL: Defending LLM Agents Against Tool Stream Injection via Verify-Before-Commit

2026 1 cit.
85%
tool

MCP-SandboxScan: WASM-based Secure Execution and Runtime Analysis for MCP Tools

2026 0 cit.
85%