POISE: Skill Injection the Scanners Can't See
While NVIDIA ships a skill scanner, a new paper shows why scanning is going to be hard. POISE (Position-Aware Undetectable Skill Injection, arXiv, June 6) demonstrates an attack that hides malicious triggers inside agent skill descriptions, placed at positions where they blend into legitimate setup steps. Attack success rate: 89.3%. Fraction of poisoned variants that trip a new security alert: 5.6%.
The most damning number is about the defenders, not the attack. The authors found LLM-based skill scanners falsely flag 74.6% of clean skills on average. Hyper-sensitive and blind at the same time: the worst possible combination, because constant false alarms train humans to ignore the alerts that matter. Attackers don't need to beat the scanner; alert fatigue does half the work for them.
Earlier skill-poisoning attacks had to choose between reliability and stealth: fire often and get caught, or hide well and fire rarely. POISE's contribution is resolving that trade-off with compressed triggers at strategic positions that look contextually appropriate to both humans and scanners.
Put this next to SkillSpector's finding that 26.1% of marketplace skills already contain vulnerabilities, and the picture is uncomfortable: the skills ecosystem became critical infrastructure before it grew an immune system. If you let agents install skills, position-aware review just became part of your threat model.
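To make the "hyper-sensitive and blind" point concrete, here is a small added calculation (mine, not code from the POISE paper or from any scanner). It treats the page's two figures as a false-positive rate on clean skills (74.6%) and a true-positive rate on POISE-poisoned variants (5.6%), and asks what an alert is actually worth: the likelihood ratio tells you whether an alert shifts the odds toward "poisoned" at all, and Bayes' rule gives the probability a flagged skill is poisoned for a given base rate. The base rates are constructed inputs; the 26.1% from SkillSpector is a vulnerability rate, not a poisoning rate, and is used here only as an illustrative prior. The hypothetical comparison scanner at the end is also constructed.

```python
"""Scanner usefulness check: likelihood ratio and post-alert precision.

Added illustration, not code from the POISE paper or any real scanner.
Assumes: tpr = P(alert | poisoned skill), fpr = P(alert | clean skill).
The page reports tpr = 0.056 and fpr = 0.746 for LLM-based scanners
against POISE-style injections; base rates below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScannerRates:
    tpr: float  # P(alert | poisoned)
    fpr: float  # P(alert | clean)

    def likelihood_ratio(self) -> float:
        """Factor by which an alert multiplies the odds of 'poisoned'.

        Below 1.0 means an alert is actually (weak) evidence that the
        skill is clean, because clean skills trip the scanner more often
        than poisoned ones do.
        """
        return self.tpr / self.fpr

    def precision(self, base_rate: float) -> float:
        """P(poisoned | alert) by Bayes' rule for a given prior."""
        flagged_poisoned = base_rate * self.tpr
        flagged_clean = (1.0 - base_rate) * self.fpr
        return flagged_poisoned / (flagged_poisoned + flagged_clean)

    def poisoned_given_silence(self, base_rate: float) -> float:
        """P(poisoned | no alert): what a quiet scanner lets through."""
        silent_poisoned = base_rate * (1.0 - self.tpr)
        silent_clean = (1.0 - base_rate) * (1.0 - self.fpr)
        return silent_poisoned / (silent_poisoned + silent_clean)


# Figures as reported on the page for LLM-based scanners vs. POISE.
LLM_SCANNER_VS_POISE = ScannerRates(tpr=0.056, fpr=0.746)

# Constructed comparison point: what a scanner with a usable FPR/TPR
# would look like. Hypothetical numbers, not from any paper.
HYPOTHETICAL_DECENT_SCANNER = ScannerRates(tpr=0.90, fpr=0.05)


def alert_report(rates: ScannerRates, base_rates=(0.01, 0.10, 0.261)) -> dict:
    """Map each base rate to (P(poisoned | alert), P(poisoned | no alert))."""
    return {
        b: (rates.precision(b), rates.poisoned_given_silence(b))
        for b in base_rates
    }


if __name__ == "__main__":
    for name, rates in (("page figures", LLM_SCANNER_VS_POISE),
                        ("hypothetical decent scanner", HYPOTHETICAL_DECENT_SCANNER)):
        print(f"{name}: likelihood ratio of an alert = {rates.likelihood_ratio():.3f}")
        for base, (p_alert, p_silent) in alert_report(rates).items():
            print(f"  prior {base:.3f}: P(poisoned|alert)={p_alert:.3f}  "
                  f"P(poisoned|silence)={p_silent:.3f}")
```

With the page's figures the likelihood ratio is about 0.075, so an alert lowers the probability that a skill is poisoned: at a 26.1% prior, a flagged skill is poisoned with probability roughly 2.6%, while an unflagged one is poisoned with probability roughly 57%. That is the quantitative form of "alert fatigue does half the work": the queue reviewers are told to look at is the one least likely to contain the attack.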
Paper: https://arxiv.org/abs/2606.07943