POISE:面向LLM智能体的位置感知不可检测技能注入攻击
阅读原文· arxiv.orgPOISE是一种位置感知的攻击方法,通过将触发指令压缩为单个看似良性的身体指令,并利用上下文感知生成器将其与附近步骤融合,实现对LLM智能体的隐蔽技能注入。在codex+gpt-5.2上的Skill-Inject评估中,POISE达到89.3%的攻击成功率(ASR),比随机位置身体基线高28.0个百分点,比仅YAML注入基线高2.6个百分点,同时保留了身体注入的隐蔽优势。由于LLM扫描器对合法技能身体误判率达74.6%,POISE仅使5.6%的受污染变体触发新的高风险警报,令当前静态防御失效。
Agent skills provide a lightweight mechanism for extending general-purpose agents, but their open format exposes them to skill-poisoning attacks. A practically dangerous injection must stay invisible: if executing the payload derails the user's legitimate task, the resulting failure signal invites inspection of the skill. We therefore evaluate attacks by Attack Success Rate, which requires the injected payload to execute and the user's task to still pass its verifier in the same trial. Prior skill-poisoning attacks face a reliability-stealth trade-off under this lens: YAML-header injections are reliably loaded but easily inspected, whereas stealthier body injections that place explicit malicious commands in the skill prose are less reliable because out-of-context commands invite the agent's own suspicion. We introduce POISE, a position-aware attack that compresses the trigger into a single, benign-looking body instruction, placing it at a feasible position and using a context-aware generator to blend it with nearby setup or prerequisite steps. On Skill-Inject with codex+gpt-5.2, POISE achieves an 89.3% ASR, 28.0 points above a random-placement body baseline and 2.6 points above a YAML-only baseline, while retaining the stealth advantage of body placement. That stealth is the decisive margin: because legitimate skill bodies naturally require privileged tool operations, LLM scanners are hyper-sensitive, falsely flagging 74.6% of clean skills on average across four judges and both benchmarks. Blending into these false alarms, POISE causes only 5.6% of poisoned variants to gain a new high-risk alert over their clean baselines, rendering current static defenses ineffective.