SkillJect: Effectively Automating Skill-Based Prompt Injection for Skill-Enabled Agents

TL;DR

SkillJect is an automated framework that generates poisoned skills to exploit vulnerabilities in skill-enabled LLM agents, revealing persistent security risks in modular AI systems.

Contribution

It introduces SkillJect, the first automated method for creating effective poisoned skills against skill-enabled agents, combining multi-channel attack strategies and closed-loop feedback.

Findings

SkillJect outperforms manual and naive attack methods across multiple platforms.

Poisoned skills can persistently compromise skill-based agent systems.

The framework demonstrates significant security vulnerabilities in modular AI architectures.

Abstract

Agent skills are increasingly used to extend LLM agents with task-specific instructions, executable scripts, and auxiliary resources. While improving reusability, this modular design also introduces a new supply-chain attack surface: a malicious or compromised skill may be repeatedly loaded as trusted guidance and steer an agent's tool use during downstream execution. Existing skill-based prompt-injection attacks are mostly manual and brittle, as explicit malicious instructions are often rejected or ignored when poorly aligned with the original skill workflow. We propose SkillJect, the first automated framework for generating effective poisoned skills against skill-enabled agent systems. SkillJect decomposes the attack into two coordinated channels. In the artifact channel, it hides the malicious payload in an auxiliary helper script. In the instruction channel, it rewrites SKILL.md using a front-loaded inducement strategy, placing injected content at the beginning and framing the helper script as a mandatory prerequisite or first step. The instruction explicitly references the helper-script path and provides an executable command, making the helper appear to be a legitimate initialization step before normal operations. SkillJect further adopts a closed-loop multi-agent process to improve attack performance. An Attack Agent generates poisoned skills, a Victim Agent executes downstream tasks with them, and an Evaluate Agent inspects execution traces to determine whether the hidden payload is executed. The Attack Agent then uses this feedback to diagnose failures and rewrite SKILL.md, while keeping the payload fixed. Experiments across platforms, backend LLMs, and attack categories show that SkillJect substantially outperforms naive direct injection and prior manual attacks, revealing poisoned skills as a persistent attack vector in reusable skill ecosystems.