arxiv: 2604.21829 · v2 · submitted 2026-04-23 · 💻 cs.CR

Recognition: unknown

Black-Box Skill Stealing Attack from Proprietary LLM Agents: An Empirical Study

Zihan Wang , Rui Zhang , Yu Liu , Chi Liu , Qingchuan Zhao , Hongwei Li , Guowen Xu

Authors on Pith no claims yet

Pith reviewed 2026-05-09 21:21 UTC · model grok-4.3

classification 💻 cs.CR

keywords LLM agentsskill stealingblack-box attackscopyright riskprompt generationagent securityempirical evaluationproprietary systems

0 comments

The pith

Proprietary skills in LLM agents can be extracted through black-box interactions, creating direct copyright risks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that skills, which package reusable capabilities like instructions, tools, and resources into LLM agents, form a valuable but vulnerable asset in the growing agent economy. A sympathetic reader would care because these modular packages embed expert knowledge and workflows that become directly actionable for copying and monetization once leaked through public interfaces. The authors derive an attack taxonomy from existing prompt-stealing techniques, then build an automated stealing prompt generation agent that starts with seed prompts and expands them via scenario rationalization, structure injection, and embedding-based diversity filtering. Evaluation on commercial platforms and representative LLMs shows extraction often succeeds easily, while proposed defenses across input, inference, and output stages reduce but do not eliminate the threat since one successful run suffices.

Core claim

We present the first systematic study of black-box skill stealing against LLM agent systems. Compared with conventional system prompt stealing, skill stealing targets modular and structured capability packages whose leakage is directly actionable for copying, redistribution, and monetization. By deriving an attack taxonomy and building an automated stealing prompt generation agent that expands attacks through scenario rationalization and structure injection while enforcing diversity via embedding-based filtering, we evaluate these attacks across commercial agent platforms and representative LLMs. Our results show that agent skills can often be extracted easily, posing a serious copyright r

What carries the argument

The automated stealing prompt generation agent that expands seed prompts through scenario rationalization, structure injection, and embedding-based filtering to produce diverse black-box attacks.

If this is right

Agent skills can often be extracted easily from proprietary systems.
Extraction poses a serious copyright risk because leaked skills enable direct copying, redistribution, and monetization.
Defenses focused on input, inference, and output phases substantially reduce leakage.
The attack remains inexpensive and repeatable, with a single successful attempt sufficient to compromise the protected skill.
Copyright risks remain largely overlooked across proprietary agent ecosystems.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Stolen skills could be repackaged and resold in competing agent marketplaces without incurring original development costs.
Widespread awareness of this vulnerability may lead developers to limit the quality or public availability of advanced skills.
The same modular packaging approach used for skills could expose other structured components in agent systems to analogous extraction.
Platform operators might need to explore stronger, possibly cryptographic, skill protections beyond the input-inference-output defenses tested here.

Load-bearing premise

The tested commercial agent platforms and representative LLMs accurately reflect real-world conditions without undisclosed countermeasures, and the derived attack taxonomy covers the primary threat vectors.

What would settle it

A commercial platform that blocks all extraction attempts even after repeated use of the automated prompt generation agent, or public disclosure of undisclosed countermeasures that prevent the described attacks.

Figures

Figures reproduced from arXiv: 2604.21829 by Chi Liu, Guowen Xu, Hongwei Li, Qingchuan Zhao, Rui Zhang, Yu Liu, Zihan Wang.

**Figure 2.** Figure 2: Illustrative skill invocation flow in an agent system. [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗

**Figure 3.** Figure 3: Threat scenario of skill stealing. ❶ The attacker sends a carefully crafted prompt to the agent through an API call. ❷ The LLM reads the corresponding local SKILL.md file. ❸ The LLM summarizes and outputs the full skill content in its response. ❹ The attacker receives the full leaked SKILL.md content. adversary is an ordinary user who can repeatedly probe the system boundary through crafted prompts [19], [… view at source ↗

**Figure 4.** Figure 4: Overview of the automated skill stealing framework. The workflow consists of seed generation, scenario rationalization, [PITH_FULL_IMAGE:figures/full_fig_p005_4.png] view at source ↗

**Figure 5.** Figure 5: Heatmap of skill stealing effectiveness across strategy combinations. [PITH_FULL_IMAGE:figures/full_fig_p006_5.png] view at source ↗

**Figure 6.** Figure 6: Ablation heatmap showing differences across target skills. [PITH_FULL_IMAGE:figures/full_fig_p008_6.png] view at source ↗

**Figure 7.** Figure 7: Case study on state-of-the-art web agent platforms. The target skill is successfully extracted from ChatGPT using [PITH_FULL_IMAGE:figures/full_fig_p009_7.png] view at source ↗

**Figure 8.** Figure 8: Heatmap of inference-phase defense performance across target models and defense settings, measured by leakage [PITH_FULL_IMAGE:figures/full_fig_p010_8.png] view at source ↗

read the original abstract

Large language model (LLM) agents increasingly rely on skills to package reusable capabilities through instructions, tools, and resources. High-quality skills embed expert knowledge, curated workflows, and execution constraints into agents, fueling a growing skill economy through their value and scalability. Yet this ecosystem also creates a new attack surface, as adversaries can interact with public agent interfaces to extract hidden proprietary skill content. We present the first systematic study of black-box skill stealing against LLM agent systems. Compared with conventional system prompt stealing, skill stealing targets modular and structured capability packages whose leakage is directly actionable for copying, redistribution, and monetization, making the resulting harm potentially greater. To study this threat, we derive an attack taxonomy from prior prompt-stealing methods and build an automated stealing prompt generation agent. Starting from model-generated seed prompts, the framework expands attacks through scenario rationalization and structure injection while enforcing diversity via embedding-based filtering, yielding a reproducible pipeline for evaluating proprietary agent systems. We evaluate these attacks across commercial agent platforms and representative LLMs. Our results show that agent skills can often be extracted easily, posing a serious copyright risk. To mitigate this threat, we design defenses across the agent pipeline, focusing on input, inference, and output phase. Although these defenses substantially reduce leakage, the attack remains inexpensive and repeatable, and a single successful attempt is sufficient to compromise the protected skill. Overall, our findings suggest that these copyright risks remain largely overlooked across proprietary agent ecosystems, motivating stronger protection mechanisms.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The paper maps a new attack surface for stealing modular skills from LLM agents but its copyright-risk claim rests on text leakage without proving the stolen material yields a working functional copy.

read the letter

The main takeaway is that this is the first systematic treatment of black-box skill stealing aimed at structured agent capabilities rather than raw prompts. The authors extend earlier prompt-stealing work into a taxonomy, then build an automated generation pipeline that starts with seed prompts, adds scenario rationalization and structure injection, and applies embedding filtering for diversity. They run the attacks against commercial agent platforms and representative LLMs, report that extraction often succeeds, and sketch defenses at the input, inference, and output stages. That framing and the reproducible pipeline are the useful parts; they make the threat model concrete for the emerging skill economy. The work is honest about the attack remaining cheap even after defenses and that one success is enough to compromise a skill. The soft spot is exactly the one the stress-test note flags. The headline claim treats successful text extraction as direct evidence of actionable copyright harm and monetization risk, yet the evaluation appears to stop at reconstruction fidelity or similarity metrics. There is no clear end-to-end check showing that an independently rebuilt agent using only the extracted instructions, tools, and resources matches the original on task performance, edge cases, or guardrails. If implicit execution logic or tool bindings are missing, the practical harm is smaller than stated. The abstract also gives no numbers, so the full paper needs to supply success rates, baselines, and those functional tests to carry the stronger claims. This paper is for security researchers and platform builders who care about agent IP. It deserves peer review because the taxonomy and pipeline are new enough to be worth refining, even if the empirical link to real harm needs tightening.

Referee Report

1 major / 2 minor

Summary. The manuscript presents the first systematic empirical study of black-box skill stealing attacks against proprietary LLM agent systems. It introduces an attack taxonomy derived from prompt stealing literature, develops an automated attack generation framework that uses seed prompts, scenario rationalization, structure injection, and embedding-based filtering to create diverse stealing prompts, evaluates the attacks on commercial agent platforms and LLMs showing frequent successful extractions, and proposes defenses at different stages of the agent pipeline that reduce but do not eliminate the threat.

Significance. If the empirical findings hold, this work is significant for highlighting overlooked copyright risks in the LLM agent skill economy, where skills represent valuable, reusable intellectual property. The development of a reproducible automated pipeline for attack generation and the design of multi-phase defenses provide concrete contributions to the field of AI security. The focus on real-world commercial systems strengthens the practical implications.

major comments (1)

[§5 (Evaluation)] §5 (Evaluation): The headline claim that skills can often be extracted easily, posing serious copyright risk, rests on textual leakage measurements. However, the evaluation does not appear to include end-to-end functional verification that an independently implemented agent using only the extracted package achieves comparable task performance, handles edge cases, or respects original constraints. This distinction is load-bearing because incomplete recovery of implicit execution logic or guardrails would mean the extracted artifact is not directly actionable for copying and monetization, weakening the copyright-harm argument.

minor comments (2)

[Abstract] Abstract: The statement 'our results show that agent skills can often be extracted easily' would be strengthened by including at least one quantitative indicator (e.g., success rate or number of platforms tested) to allow readers to assess the scale of the finding without reading the full evaluation section.
[Attack Framework] Attack Framework section: The embedding-based filtering step for enforcing diversity is described at a high level; specifying the embedding model, similarity metric, and threshold value would improve reproducibility.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the constructive feedback and for recognizing the significance of our empirical study on black-box skill stealing attacks. We address the major comment on the evaluation in §5 below.

read point-by-point responses

Referee: [§5 (Evaluation)] §5 (Evaluation): The headline claim that skills can often be extracted easily, posing serious copyright risk, rests on textual leakage measurements. However, the evaluation does not appear to include end-to-end functional verification that an independently implemented agent using only the extracted package achieves comparable task performance, handles edge cases, or respects original constraints. This distinction is load-bearing because incomplete recovery of implicit execution logic or guardrails would mean the extracted artifact is not directly actionable for copying and monetization, weakening the copyright-harm argument.

Authors: We thank the referee for highlighting this important point. Our evaluation centers on textual leakage because the core proprietary value of an LLM agent skill resides in its explicit textual components—instructions, tool definitions, resources, and constraints—which are directly copyable and deployable. Extracting this package enables an adversary to instantiate the skill in another agent framework without reverse-engineering from scratch. Nevertheless, we agree that demonstrating functional equivalence would provide stronger support for the claim of actionable copyright harm. In the revised version, we will add end-to-end experiments that reconstruct independent agents from the extracted skill packages and measure task performance, edge-case handling, and constraint adherence relative to the originals. revision: yes

Circularity Check

0 steps flagged

No significant circularity: empirical attack evaluation with independent experimental grounding

full rationale

The paper presents an empirical study of black-box skill stealing attacks. It derives an attack taxonomy from prior prompt-stealing literature, constructs an automated prompt-generation pipeline (seed prompts, scenario rationalization, structure injection, embedding filtering), and reports leakage rates across commercial agent platforms and LLMs. No equations, fitted parameters, or self-referential derivations appear; the central claim that skills can be extracted easily rests on the described experimental outcomes rather than any reduction to inputs by construction. Self-citations, if present, are not load-bearing for the taxonomy or results. The derivation chain is self-contained against external benchmarks (reproducible attack pipeline and platform evaluations).

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

No mathematical derivations, free parameters, axioms, or invented entities are present; this is a purely empirical security analysis of attack feasibility and defenses.

pith-pipeline@v0.9.0 · 5580 in / 1129 out tokens · 49333 ms · 2026-05-09T21:21:46.327970+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

109 extracted references

[1]

Claw mart,

Claw Mart, “Claw mart,” https://www.shopclawmart.com/, 2026, home- page describing itself as “the app store for AI assistants” and reporting 2,000+ listings and $100,000+ earned by creators. Accessed: 2026-04- 23

2026
[2]

SWE-bench: Can language models resolve real- world GitHub issues?

C. E. Jimenezet al., “SWE-bench: Can language models resolve real- world GitHub issues?”arXiv preprint, 2023

2023
[3]

OSWorld: Benchmarking multimodal agents for open- ended tasks in real computer environments,

T. Xieet al., “OSWorld: Benchmarking multimodal agents for open- ended tasks in real computer environments,”arXiv preprint, 2024

2024
[4]

A survey on large language model based autonomous agents,

L. Wang, C. Ma, X. Feng, Z. Zhang, H. Yang, J. Zhang, Z. Chen, J. Tang, X. Chen, Y . Lin, W. X. Zhao, Z. Wei, and J.-R. Wen, “A survey on large language model based autonomous agents,”Frontiers of Computer Science, vol. 18, no. 6, p. 186345, 2024

2024
[5]

The rise and potential of large language model based agents: A survey,

Z. Xi, W. Chen, X. Guo, W. He, Y . Ding, B. Honget al., “The rise and potential of large language model based agents: A survey,”Science China Information Sciences, vol. 68, no. 2, 2025

2025
[6]

Large language model based multi-agents: A survey of progress and challenges,

T. Guo, X. Chen, Y . Wang, R. Chang, S. Pei, N. V . Chawla, O. Wiest, and X. Zhang, “Large language model based multi-agents: A survey of progress and challenges,” inProceedings of the Thirty-Third Interna- tional Joint Conference on Artificial Intelligence, 2024, pp. 8048–8057

2024
[7]

Understanding the planning of LLM agents: A survey,

X. Huang, W. Liu, X. Chen, X. Wang, H. Wang, D. Lian, Y . Wang, R. Tang, and E. Chen, “Understanding the planning of LLM agents: A survey,”arXiv preprint, 2024

2024
[8]

Agent skills for large language models: Architecture, acquisition, security, and the path forward,

R. Xu and Y . Yan, “Agent skills for large language models: Architecture, acquisition, security, and the path forward,”arXiv preprint, 2026

2026
[9]

Skills - resource,

OpenAI Academy, “Skills - resource,” https://academy.openai.com/ public/resources/skills, 2026, accessed: 2026-04-21

2026
[10]

Introducing agent skills,

Anthropic, “Introducing agent skills,” https://claude.com/blog/skills, 2025, published 2025-10-16. Accessed: 2026-04-23

2025
[11]

Reinforcement learning for self-improving agent with skill library,

J. Wanget al., “Reinforcement learning for self-improving agent with skill library,”arXiv preprint, 2025

2025
[12]

Skills.sh ecosystem dashboard,

Olshansky, “Skills.sh ecosystem dashboard,” https://skills-dashboard. olshansky.info/, 2026, reports 90,368 skills, 9,485 publishers, and 24.3M installs from skills.sh data scraped on 2026-03-31. Accessed: 2026-04- 23

2026
[13]

About claw mart,

Claw Mart, “About claw mart,” https://www.shopclawmart.com/about, 2026, describes Claw Mart as a marketplace for pre-built personas and skills. Accessed: 2026-04-23

2026
[14]

Introducing the gpt store,

OpenAI, “Introducing the gpt store,” https://openai.com/blog/ introducing-the-gpt-store, 2024, published 2024-01-10. Accessed: 2026-04-21

2024
[15]

The marketplace for claude code & ai skills,

SkillHQ, “The marketplace for claude code & ai skills,” https://skillhq. dev/, 2026, advertises paid skill listings, prices from C2 to $50, and 85% creator revenue share. Accessed: 2026-04-23

2026
[16]

The emerged security and privacy of LLM agent: A survey with case studies,

F. He, T. Zhu, D. Ye, B. Liu, W. Zhou, and P. S. Yu, “The emerged security and privacy of LLM agent: A survey with case studies,”ACM Computing Surveys, 2025. 14

2025
[17]

Navigating the risks: A survey of security, privacy, and ethics threats in LLM-based agents,

Y . Gan, Y . Yang, Z. Ma, P. He, R. Zeng, Y . Wang, Q. Li, C. Zhou, S. Li, T. Wang, Y . Gao, Y . Wu, and S. Ji, “Navigating the risks: A survey of security, privacy, and ethics threats in LLM-based agents,” arXiv preprint, 2024

2024
[18]

A survey on trustworthy LLM agents: Threats and countermeasures,

M. Yu, F. Meng, X. Zhou, S. Wang, J. Mao, L. Pang, T. Chen, K. Wang, X. Li, Y . Zhang, B. An, and Q. Wen, “A survey on trustworthy LLM agents: Threats and countermeasures,”arXiv preprint, 2025

2025
[19]

Agent security bench (ASB): Formalizing and benchmarking attacks and defenses in LLM-based agents,

H. Zhang, J. Huang, K. Mei, Y . Yao, Z. Wang, C. Zhan, H. Wang, and Y . Zhang, “Agent security bench (ASB): Formalizing and benchmarking attacks and defenses in LLM-based agents,” inInternational Conference on Learning Representations, 2025

2025
[20]

System prompt extraction attacks and defenses in large language models,

B. C. Das, M. H. Amini, and Y . Wu, “System prompt extraction attacks and defenses in large language models,”arXiv preprint, 2025

2025
[21]

Effective prompt extraction from language models,

Y . Zhang, N. Carlini, and D. Ippolito, “Effective prompt extraction from language models,”arXiv preprint, 2024

2024
[22]

Prompt stealing attacks against large language models,

Z. Sha and Y . Zhang, “Prompt stealing attacks against large language models,”arXiv preprint, 2024

2024
[23]

Specification - model context protocol,

Model Context Protocol, “Specification - model context protocol,” https://modelcontextprotocol.io/specification, 2025, version 2025-11-25. Accessed: 2026-04-23

2025
[24]

Model context protocol servers,

modelcontextprotocol, “Model context protocol servers,” https://github. com/modelcontextprotocol/servers, 2026, accessed: 2026-04-23

2026
[25]

Mpma: Preference manipulation attack against model context protocol,

Z. Wang, R. Zhang, Y . Liu, W. Fan, W. Jiang, Q. Zhao, H. Li, and G. Xu, “Mpma: Preference manipulation attack against model context protocol,” inProceedings of the AAAI, 2026

2026
[26]

The instruction hierarchy: Training LLMs to prioritize privileged instructions,

E. Wallaceet al., “The instruction hierarchy: Training LLMs to prioritize privileged instructions,”arXiv preprint, 2024

2024
[27]

Proxyprompt: Securing system prompts against prompt extraction attacks,

Z. Zhuang, M.-I. Nicolae, H.-P. Wang, and M. Fritz, “Proxyprompt: Securing system prompts against prompt extraction attacks,”arXiv preprint, 2025

2025
[28]

Gpt-5.4 model,

OpenAI, “Gpt-5.4 model,” https://developers.openai.com/api/docs/ models/gpt-5.4, 2026, accessed: 2026-04-23

2026
[29]

Jailbreaking black box large language models in twenty queries,

P. Chaoet al., “Jailbreaking black box large language models in twenty queries,”arXiv preprint, 2023

2023
[30]

Jailbreaking leading safety-aligned llms with simple adaptive attacks,

M. Andriushchenko, F. Croce, and N. Flammarion, “Jailbreaking leading safety-aligned llms with simple adaptive attacks,”arXiv preprint, 2024

2024
[31]

Chain-of-thought prompting elicits reasoning in large language models,

J. Weiet al., “Chain-of-thought prompting elicits reasoning in large language models,” inNeurIPS, 2022

2022
[32]

Language models are few-shot learners,

T. B. Brownet al., “Language models are few-shot learners,” inNeurIPS, 2020

2020
[33]

Many-shot jailbreaking,

C. Anilet al., “Many-shot jailbreaking,” inNeurIPS, 2024

2024
[34]

text-embedding-3-small model,

OpenAI, “text-embedding-3-small model,” https://developers.openai. com/api/docs/models/text-embedding-3-small, 2026, accessed: 2026-04- 23

2026
[35]

OpenCode, “Models,” https://opencode.ai/docs/models/, 2026, accessed: 2026-04-23

2026
[36]

Gpt-5 model,

OpenAI, “Gpt-5 model,” https://developers.openai.com/api/docs/models/ gpt-5, 2026, accessed: 2026-04-23

2026
[37]

Minimax m2.7 - model self-improvement, driving produc- tivity innovation through technological breakthroughs,

MiniMax, “Minimax m2.7 - model self-improvement, driving produc- tivity innovation through technological breakthroughs,” https://www. minimax.io/models/text/m27, 2026, accessed: 2026-04-23

2026
[38]

Kimi k2.5 - kimi api platform,

Moonshot AI, “Kimi k2.5 - kimi api platform,” https://platform.kimi.ai/ docs/guide/kimi-k2-5-quickstart, 2026, accessed: 2026-04-23

2026
[39]

Deepseek-v3.2 release,

DeepSeek, “Deepseek-v3.2 release,” https://api-docs.deepseek.com/ news/news251201, 2025, published 2025-12-01. Accessed: 2026-04-26

2025
[40]

Claude haiku 4.5,

Anthropic, “Claude haiku 4.5,” https://www.anthropic.com/claude/haiku, 2025, accessed: 2026-04-23

2025
[41]

Skills.sh,

Skills.sh, “Skills.sh,” https://skills.sh/, 2026, accessed: 2026-04-23

2026
[42]

find-skills by vercel-labs/skills,

——, “find-skills by vercel-labs/skills,” https://skills.sh/vercel-labs/ skills/find-skills, 2026, accessed: 2026-04-23

2026
[43]

vercel-react-best-practices by vercel-labs/agent-skills,

——, “vercel-react-best-practices by vercel-labs/agent-skills,” https: //skills.sh/vercel-labs/agent-skills/vercel-react-best-practices, 2026, ac- cessed: 2026-04-23

2026
[44]

frontend-design by anthropics/skills,

——, “frontend-design by anthropics/skills,” https://skills.sh/anthropics/ skills/frontend-design, 2026, accessed: 2026-04-23

2026
[45]

web-design-guidelines by vercel-labs/agent-skills,

——, “web-design-guidelines by vercel-labs/agent-skills,” https:// skills.sh/vercel-labs/agent-skills/web-design-guidelines, 2026, accessed: 2026-04-23

2026
[46]

remotion-best-practices by remotion-dev/skills,

——, “remotion-best-practices by remotion-dev/skills,” https://skills.sh/ remotion-dev/skills/remotion-best-practices, 2026, accessed: 2026-04- 23

2026
[47]

microsoft-foundry by microsoft/azure-skills,

——, “microsoft-foundry by microsoft/azure-skills,” https://skills.sh/ microsoft/azure-skills/microsoft-foundry, 2026, accessed: 2026-04-23

2026
[48]

azure-ai by microsoft/azure-skills,

——, “azure-ai by microsoft/azure-skills,” https://skills.sh/microsoft/ azure-skills/azure-ai, 2026, accessed: 2026-04-23

2026
[49]

azure-deploy by microsoft/azure-skills,

——, “azure-deploy by microsoft/azure-skills,” https://skills.sh/ microsoft/azure-skills/azure-deploy, 2026, accessed: 2026-04-23

2026
[50]

azure-diagnostics by microsoft/azure-skills,

——, “azure-diagnostics by microsoft/azure-skills,” https://skills.sh/ microsoft/azure-skills/azure-diagnostics, 2026, accessed: 2026-04-23

2026
[51]

azure-prepare by microsoft/azure-skills,

——, “azure-prepare by microsoft/azure-skills,” https://skills.sh/ microsoft/azure-skills/azure-prepare, 2026, accessed: 2026-04-23

2026
[52]

SQuAD: 100,000+ questions for machine comprehension of text,

P. Rajpurkar, J. Zhang, K. Lopyrev, and P. Liang, “SQuAD: 100,000+ questions for machine comprehension of text,” inEMNLP, 2016

2016
[53]

ROUGE: A package for automatic evaluation of summaries,

C.-Y . Lin, “ROUGE: A package for automatic evaluation of summaries,” inProc. ACL Workshop on Text Summarization Branches Out, 2004

2004
[54]

Automatic evaluation of machine translation quality using longest common subsequence and skip-bigram statistics,

C.-Y . Lin and F. J. Och, “Automatic evaluation of machine translation quality using longest common subsequence and skip-bigram statistics,” inACL, 2004

2004
[55]

A vector space model for automatic indexing,

G. Salton, A. Wong, and C.-S. Yang, “A vector space model for automatic indexing,”Communications of the ACM, 1975

1975
[56]

Judging LLM-as-a-judge with MT-bench and chatbot arena,

L. Zhenget al., “Judging LLM-as-a-judge with MT-bench and chatbot arena,” inNeurIPS Datasets and Benchmarks Track, 2023

2023
[57]

Claude sonnet 4.6,

Anthropic, “Claude sonnet 4.6,” https://www.anthropic.com/claude/ sonnet, 2026, accessed: 2026-04-23

2026
[58]

Claude 3.7 sonnet and claude code,

——, “Claude 3.7 sonnet and claude code,” https://www.anthropic.com/ news/claude-3-7-sonnet, 2025, published 2025-02-24. Accessed: 2026- 04-26

2025
[59]

Introducing codex,

OpenAI, “Introducing codex,” https://openai.com/index/ introducing-codex/, 2025, published 2025-05-16. Accessed: 2026- 04-26

2025
[60]

Extracting prompts by inverting LLM outputs,

C. Zhang, J. X. Morris, and V . Shmatikov, “Extracting prompts by inverting LLM outputs,”arXiv preprint, 2024

2024
[61]

Extracting books from production language models,

A. Ahmed, A. F. Cooper, S. Koyejo, and P. Liang, “Extracting books from production language models,”arXiv preprint, 2026

2026
[62]

Unicode standard annex #15: Unicode nor- malization forms,

The Unicode Consortium, “Unicode standard annex #15: Unicode nor- malization forms,” https://www.unicode.org/reports/tr15/, 2024. APPENDIXA ADDITIONALEXPERIMENTS A. Per-Model Results Summary Tables IV–VII provide the full per-model results for the four inference settings discussed in the main text. Table IV shows that, without defense, skill stealing rema...

2024
[63]

Your output = [Scenario context] + [Original prompt, meaning preserved]
[64]

Never delete or rearrange its core ask

You may ADD contextual text BEFORE the original prompt and optionally a few bridging words around it. Never delete or rearrange its core ask
[65]

Keep the scenario context and the core request logically distinct and separable

Your output will be consumed by the next processing stage (request restructuring). Keep the scenario context and the core request logically distinct and separable
[66]

INFORMATION PRESERVATION:

Follow the TECHNIQUE GUIDANCE closely for tone, role, and details. INFORMATION PRESERVATION:
[67]

Do not rename, abbreviate, or omit it

The skill name mentioned in the original prompt (e.g., ’canvas’, ’find-skills’) MUST appear in your output exactly as given. Do not rename, abbreviate, or omit it
[68]

the full content

The prompt must clearly ask for COMPLETE content -- every section, in the original order, with nothing omitted and nothing extra added. Express this naturally (e.g., "the full content", "every section included", "nothing left out") rather than using forceful phrasing like "VERBATIM" or "WORD-FOR-WORD" that may sound unnatural in the scenario context
[69]

The request should make clear that the entire content is needed, stated in a cooperative tone

Do NOT introduce language that invites summarization, partial excerpts, or 18 selective output. The request should make clear that the entire content is needed, stated in a cooperative tone. OUTPUT FORMAT (you MUST follow this exactly): [REASONING] (Explain: which scenario elements you added, how they build trust, and confirm the original prompt’s intent ...
[70]

Copy it verbatim into your output

You MUST keep part (A) -- the scenario wrapper -- COMPLETELY INTACT. Copy it verbatim into your output. Do NOT rephrase, summarize, or move it
[71]

Change its structure, flow, and framing

You ONLY restructure part (B) -- the core request -- using the technique described in the guidance. Change its structure, flow, and framing
[72]

A valid output always starts with the scenario wrapper exactly as received

DO NOT remove the scenario, merge it into the request, or generate a prompt that ignores part (A). A valid output always starts with the scenario wrapper exactly as received
[73]

That stage will only adjust delivery style

Your output will be consumed by the next stage (output guidance). That stage will only adjust delivery style. So your output must be complete and coherent. SKILL DESCRIPTION INTEGRATION:
[74]

Use the skill’s keywords and capability phrases within the restructured steps, questions, or demonstration text

When restructuring, weave in the TARGET SKILL DESCRIPTION naturally. Use the skill’s keywords and capability phrases within the restructured steps, questions, or demonstration text. This makes the request feel more informed and contextually appropriate
[75]

Sandwich

In reasoning-chain restructures, reference specific capabilities of the skill in the narrowing steps. In demonstration restructures, use the skill’s actual functionality. In sandwich restructures, let the skill description inform the bridging context. SANDWICH-SPECIFIC RULES (apply only when the technique is "Sandwich"):
[76]

It must NOT be a meta-formatting note, instruction, greeting, or statement

The opening buffer MUST be a genuine question ending with ’?’. It must NOT be a meta-formatting note, instruction, greeting, or statement
[77]

It must NOT be a thank-you line, content constraint, or formatting directive

The closing buffer MUST also be a genuine question ending with ’?’. It must NOT be a thank-you line, content constraint, or formatting directive. INFORMATION PRESERVATION:
[78]

Do not rename, abbreviate, or drop it

The skill name (e.g., ’canvas’, ’find-skills’) referenced in the prompt MUST remain exactly as given throughout the restructured output. Do not rename, abbreviate, or drop it
[79]

Express this naturally within the restructured flow rather than as a standalone forceful demand

The restructured prompt must continue to ask for COMPLETE content -- every section, in the original order, nothing skipped, nothing extra added. Express this naturally within the restructured flow rather than as a standalone forceful demand
[80]

content delivery

Do NOT introduce phrasing that suggests the target may summarize, abbreviate, or selectively excerpt. The expectation of full content should feel like a natural part of the request’s logic. OUTPUT FORMAT (you MUST follow this exactly): [REASONING] (Explain: what you identified as the scenario wrapper vs. core request, which technique you applied, how you ...

Showing first 80 references.