Defenses & Enablers For Skill Injection Attacks on Terminal Based Agents

📅 2026-05-31
📈 Citations: 0
Influential: 0

🤖 AI Summary
This work addresses the vulnerability of end-host agents to skill injection attacks when invoking reusable skill documents, which poses significant security risks. To counter this threat, the paper presents the first systematic defense framework featuring two complementary guardian mechanisms: a dynamic guardian that employs an intermediary large language model (LLM) to mediate skill invocations in real time, and a static guardian that rewrites skill files during the build phase. The authors introduce a semantic reconstruction method for adversarial instructions to rigorously evaluate robustness under stress conditions. Experimental results across three LLM-based agent platforms demonstrate that the proposed guardians reduce attack success rates by over 50% on average. Notably, against semantically reconstructed attacks, the dynamic guardian lowers the success rate from 81.4% to 18.6% while fully preserving task utility.
📝 Abstract
Large language model (LLM) agents increasingly rely on reusable skills, i.e., documents describing task-specific procedures. However, this introduces a new attack surface for agents to manage. We study two complementary directions for this threat. First, we evaluate guardian-based defenses: an intermediary LLM agent that acts as a mediator for skill file access (dynamic guardian) or pre-rewrites these files at build time (static guardian). Across three LLM agent families, our guardians cut attack success rate (ASR) by well over half while preserving task utility. Second, we stress test them through attack reframing using four attacks that preserve the malicious instruction but change the phrasing. For the non-guardian setup, the reframing pushes the ASR up to 81.4%, but the dynamic guardian brings it down to 18.6%, showing that real-time mediation is a robust defense.
Problem

Research questions and friction points this paper is trying to address.

skill injection attacks
LLM agents
attack surface
terminal-based agents
security threats
Innovation

Methods, ideas, or system contributions that make the work stand out.

skill injection attacks
guardian-based defenses
dynamic guardian
static guardian
attack reframing