Skill-Inject: Measuring Agent Vulnerability to Skill File Attacks

TL;DR

SkillInject is a benchmark that evaluates the vulnerability of LLM agents with skill files to prompt injection attacks, revealing high susceptibility and emphasizing the need for context-aware security measures.

Contribution

The paper introduces SkillInject, a comprehensive benchmark for assessing skill file injection vulnerabilities in LLM agents, highlighting security challenges and proposing the need for advanced safeguards.

Findings

Up to 80% attack success rate on frontier models

Agents can execute harmful instructions like data exfiltration and ransomware

Simple filtering is insufficient; context-aware authorization is needed

Abstract

LLM agents are evolving rapidly, powered by code execution, tools, and the recently introduced agent skills feature. Skills allow users to extend LLM applications with specialized third-party code, knowledge, and instructions. Although this can extend agent capabilities to new domains, it creates an increasingly complex agent supply chain, offering new surfaces for prompt injection attacks. We identify skill-based prompt injection as a significant threat and introduce SkillInject, a benchmark evaluating the susceptibility of widely-used LLM agents to injections through skill files. SkillInject contains 202 injection-task pairs with attacks ranging from obviously malicious injections to subtle, context-dependent attacks hidden in otherwise legitimate instructions. We evaluate frontier LLMs on SkillInject, measuring both security in terms of harmful instruction avoidance and utility in terms of legitimate instruction compliance. Our results show that today's agents are highly vulnerable with up to 80% attack success rate with frontier models, often executing extremely harmful instructions including data exfiltration, destructive action, and ransomware-like behavior. They furthermore suggest that this problem will not be solved through model scaling or simple input filtering, but that robust agent security will require context-aware authorization frameworks. Our benchmark is available at https://www.skill-inject.com/.