When Skills Lie: Hidden-Comment Injection in LLM Agents
Qianli Wang, Boyang Ma, Minghui Xu, Yue Zhang
TL;DR
This paper uncovers a hidden-comment injection vulnerability in LLM agent Skills, where malicious instructions embedded in invisible HTML comments can manipulate model outputs, highlighting a new security concern.
Contribution
It identifies a novel hidden-comment prompt injection attack in LLM agent Skills and proposes a simple defensive prompt to mitigate this risk.
Findings
Hidden comments can contain malicious instructions influencing LLM outputs
A defensive prompt effectively prevents malicious tool calls
Vulnerabilities exist in Skill documentation rendering processes
Abstract
LLM agents often rely on Skills to describe available tools and recommended procedures. We study a hidden-comment prompt injection risk in this documentation layer: when a Markdown Skill is rendered to HTML, HTML comment blocks can become invisible to human reviewers, yet the raw text may still be supplied verbatim to the model. In experiments, we find that DeepSeek-V3.2 and GLM-4.5-Air can be influenced by malicious instructions embedded in a hidden comment appended to an otherwise legitimate Skill, yielding outputs that contain sensitive tool intentions. A short defensive system prompt that treats Skills as untrusted and forbids sensitive actions prevents these malicious tool calls and instead surfaces the suspicious hidden instructions.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsSpam and Phishing Detection · Web Application Security Vulnerabilities · Advanced Malware Detection Techniques