For a long time, teams talked about prompt injection as if the danger arrived only through the user box.
That mental model is now too small.
By March 27, 2026, the threat surface has widened in a way product teams can no longer treat as theoretical: skill files, tool descriptions, agent memory packs, and context bundles are becoming their own instruction channels. If they are loaded without policy, they can influence tool behavior just as effectively as a hostile prompt.
The paper trail is getting hard to ignore
Recent Hugging Face paper pages tell a very clear story:
WASP, published on April 22, 2025, benchmarked web agent security against prompt injection attacks.Design Patterns for Securing LLM Agents against Prompt Injections, published on June 10, 2025, argued for principled defense patterns rather than ad-hoc filtering.Skill-Inject, published on February 23, 2026, focused directly on skill-file attacks and showed how dangerous external skill instructions can become in tool-using agents.
Even earlier work like Ignore Previous Prompt
already made it clear that instruction channels are exploitable. The difference
now is that agents have more channels than before.
Why skill files matter more than teams expect
In modern agent systems, a skill file is rarely “just documentation.” It can contain:
- tool usage policies
- structured prompts
- operating instructions
- escalation logic
- examples that silently redefine allowed behavior
Once that file enters the model context, it becomes part of the system’s decision surface. If it is malicious, stale, or over-permissive, the agent can drift before the operator even notices what changed.
This is an MCP problem too
Any protocol that makes tools easier to compose also makes it easier to widen the instruction surface. That is not a criticism of MCP. It is the natural price of interoperability.
The mistake is assuming that tool metadata and skill assets are somehow “trusted” because they are not typed by the end user in real time.
That assumption fails in at least three cases:
- imported third-party skill packs
- internally shared automation bundles
- stale local files that no one has reviewed since the prototype phase
The operational fix is not complicated, but it is strict
If I were securing a tool-using agent host today, I would treat skill files like executable policy inputs:
Code snippet
ts
type SkillPolicy = {
source: "internal" | "third-party";
reviewed: boolean;
toolScope: "read-only" | "guarded" | "privileged";
};
export const canLoadSkill = (skill: SkillPolicy) =>
skill.reviewed && skill.toolScope !== "privileged";
That is intentionally narrow. Narrow is what survives contact with real systems.
What responsible teams should be doing now
I would put these controls in place immediately:
- review skill files like code, not like notes
- separate read-only skills from mutating skills
- never load privileged skill packs automatically
- log which skill file influenced which tool action
- version and diff instruction assets the same way you diff prompts and policies
This is not glamorous work, but it is exactly the kind of work that prevents agents from becoming operationally fragile.
Why this is likely to trend harder in 2026
The reason this topic will keep growing is simple: agent ecosystems are modularizing. More tool packs, more connector packs, more reusable agent assets, more “helpful” instruction bundles.
That modularity is commercially attractive and operationally dangerous at the same time. The more reusable the skill layer becomes, the more it needs governance.
Final view
Prompt injection in 2026 is no longer just a chat input problem. It is a multi-surface governance problem, and skill files are now firmly inside that surface area.
The teams that understand this early will build agent platforms that stay useful under pressure. The ones that do not will keep patching the visible prompt while the real instruction channel sits quietly in a file they forgot to audit.
