attack 2026

SkillJect: Automating Stealthy Skill-Based Prompt Injection for Coding Agents with Trace-Driven Closed-Loop Refinement

Xiaojun Jia 1, Jie Liao 2,3, Simeng Qin 4, Jindong Gu 5, Wenqi Ren 6, Xiaochun Cao 6, Yang Liu 1, Philip Torr 5

1 Nanyang Technological University

2 Chongqing University

3 BraneMatrix AI

4 Northeastern University

5 University of Oxford

6 Sun Yat-sen University

0 citations · 21 references · arXiv (Cornell University)
α

Published on arXiv

2602.14211

Prompt Injection

OWASP LLM Top 10 — LLM01

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Key Finding

Consistently achieves high attack success rates across diverse coding-agent settings and real-world software engineering tasks under realistic conditions

SkillJect

Novel technique introduced

Agent skills are becoming a core abstraction in coding agents, packaging long-form instructions and auxiliary scripts to extend tool-augmented behaviors. This abstraction introduces an under-measured attack surface: skill-based prompt injection, where poisoned skills can steer agents away from user intent and safety policies. In practice, naive injections often fail because the malicious intent is too explicit or drifts too far from the original skill, leading agents to ignore or refuse them; existing attacks are also largely hand-crafted. We propose the first automated framework for stealthy prompt injection tailored to agent skills. The framework forms a closed loop with three agents: an Attack Agent that synthesizes injection skills under explicit stealth constraints, a Code Agent that executes tasks using the injected skills in a realistic tool environment, and an Evaluate Agent that logs action traces (e.g., tool calls and file operations) and verifies whether targeted malicious behaviors occurred. We also propose a malicious payload hiding strategy that conceals adversarial operations in auxiliary scripts while injecting optimized inducement prompts to trigger tool execution. Extensive experiments across diverse coding-agent settings and real-world software engineering tasks show that our method consistently achieves high attack success rates under realistic settings.

Key Contributions

  • First automated framework (SkillJect) for generating stealthy skill-based prompt injections targeting coding agents, using a closed loop of Attack Agent, Code Agent, and Evaluate Agent
  • Malicious payload hiding strategy that conceals adversarial operations in auxiliary scripts while injecting optimized inducement prompts to trigger tool execution
  • Trace-driven closed-loop refinement using action logs (tool calls, file operations) to iteratively improve injection stealth and attack success rates

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
black_boxinference_timetargeteddigital
Applications
coding agentssoftware engineering automation
Read PDF arXiv DOI

Similar Papers

attack

When Skills Lie: Hidden-Comment Injection in LLM Agents

2026 0 cit.
100%
attack

QueryIPI: Query-agnostic Indirect Prompt Injection on Coding Agents

2025 1 cit.
100%
attack

Cuckoo Attack: Stealthy and Persistent Attacks Against AI-IDE

2025 0 cit.
100%
attack

AdapTools: Adaptive Tool-based Indirect Prompt Injection Attacks on Agentic LLMs

2026 0 cit.
93%
attack

Automatic Red Teaming LLM-based Agents with Model Context Protocol Tools

2025 6 cit.
93%
attack

MCP-ITP: An Automated Framework for Implicit Tool Poisoning in MCP

2026 1 cit.
93%
attack

Agent Skills Enable a New Class of Realistic and Trivially Simple Prompt Injections

2025 8 cit.
93%
attack

Invisible Threats from Model Context Protocol: Generating Stealthy Injection Payload via Tree-based Adaptive Search

2026 0 cit.
93%