Defenses & Enablers For Skill Injection Attacks on Terminal Based Agents

2026-06-01

Subjects: Cryptography and Security; Artificial Intelligence; Computation and Language
AI summary

The authors studied how large language model (LLM) agents that rely on reusable task instructions ("skills") can be attacked through those instructions. They tested two defense methods in which a "guardian" LLM either mediates access to the skill files at run time or rewrites them ahead of time to block attacks. Their guardians reduced successful attacks by more than half while keeping the tasks working well. They also checked how well the guardians handle attacks that keep the same harmful intent but change the wording, finding that the guardian that checks in real time is more effective at stopping these attacks.

Keywords: large language models, LLM agents, reusable skills, attack surface, guardian defense, dynamic guardian, static guardian, attack reframing, attack success rate
Authors
Yoshinari Fujinuma, Varun Gangal, Traian Rebedea, Makesh Narasimhan Sreedhar, Prasoon Varshney, Rebecca Qian, Anand Kannappan
Abstract
Large language model (LLM) agents increasingly rely on reusable skills, i.e., documents describing task-specific procedures. However, this introduces a new attack surface for agents to manage. We study two complementary directions for this threat. First, we evaluate guardian-based defenses: an intermediary LLM agent that acts as a mediator for skill file access (dynamic guardian) or pre-rewrites these files at build time (static guardian). Across three LLM agent families, our guardians cut attack success rate (ASR) by well over half while preserving task utility. Second, we stress-test them through attack reframing, using four attacks that preserve the malicious instruction but change the phrasing. For the non-guardian setup, the reframing pushes the ASR up to 81.4%, but the dynamic guardian brings it down to 18.6%, showing that real-time mediation is a robust defense.