{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:LBWCGS6PJNG53XSWBZEIZSHFTO","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"5b52e669a84f54bfb03b12cfd1fe8e20b5f4a6dc4c607ab7cbcee35d0a556b58","cross_cats_sorted":["cs.SE"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T06:55:47Z","title_canon_sha256":"e001e400df9a8f95e949829d2791a4bd93724ee8b2d73f37b7b7095c2f6d2bdd"},"schema_version":"1.0","source":{"id":"2605.14460","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.14460","created_at":"2026-05-17T23:39:06Z"},{"alias_kind":"arxiv_version","alias_value":"2605.14460v1","created_at":"2026-05-17T23:39:06Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.14460","created_at":"2026-05-17T23:39:06Z"},{"alias_kind":"pith_short_12","alias_value":"LBWCGS6PJNG5","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"LBWCGS6PJNG53XSW","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"LBWCGS6P","created_at":"2026-05-18T12:33:37Z"}],"graph_snapshots":[{"event_id":"sha256:65443ea000d1d5b4859f26fdbbd21fb61225d09bb6c00793bb4b29d5ac02cbcd","target":"graph","created_at":"2026-05-17T23:39:06Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"SCH achieving peak success rates of up to 77.67% for confidentiality breaches and 67.33% for Remote Code Execution (RCE) under the most vulnerable configurations, with 0.00% detection rate by current scanning tools."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"That the tested agent frameworks will faithfully interpret and execute the dynamically generated code from the disguised natural-language compliance rules without additional safeguards or user confirmation."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"Semantic Compliance Hijacking lets attackers hijack LLM agents by disguising malicious instructions as compliance rules in skills, reaching up to 77.67% success on confidentiality breaches and 67.33% on RCE while evading all tested scanners."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"Semantic Compliance Hijacking makes LLM agents generate and run malicious code by presenting attacks as natural-language compliance rules in third-party skills."}],"snapshot_sha256":"fdfd47df4bd4daa8ad0f90ffe8e4654f6a2b75cc2abc6c6c280b934613f69649"},"formal_canon":{"evidence_count":1,"snapshot_sha256":"b26655b033a4417c98dbfacfa4dbcfee66a5115bccde1d2015abcba377564249"},"paper":{"abstract_excerpt":"Autonomous agents powered by Large Language Models (LLMs) acquire external functionalities through third-party skills available in open marketplaces. Adopting these integrations broadens the potential attack surface, prompting a need for systematic security evaluation. Current auditing mechanisms are effective at identifying explicit code payloads and predefined threat contents through security scanning. These detection mechanisms are bypassed if malicious behaviors lack direct injection and are instead synthesized dynamically at runtime through the agent's inherent generative capabilities. Ex","authors_text":"Xing Hu, Xin Xia, Xinyu Liu, Yukai Zhao","cross_cats":["cs.SE"],"headline":"Semantic Compliance Hijacking makes LLM agents generate and run malicious code by presenting attacks as natural-language compliance rules in third-party skills.","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T06:55:47Z","title":"Exploiting LLM Agent Supply Chains via Payload-less Skills"},"references":{"count":50,"internal_anchors":9,"resolved_work":50,"sample":[{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":1,"title":"Anthropic. 2025. Equipping agents for the real world with Agent Skills. https: //claude.com/blog/equipping-agents-for-the-real-world-with-agent-skills. Offi- cial blog post introducing the Agent Skill","work_id":"2c62cac8-51d0-4f5e-bbf1-63f62edf9886","year":2025},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":2,"title":"Anthropic. 2026. Claude Code | Anthropic’s agentic coding system. https: //www.anthropic.com/product/claude-code. Accessed: 2026-04-26","work_id":"418ded6f-413c-4952-895b-00063f2d6502","year":2026},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":3,"title":"Agent Behavioral Contracts: Formal Specification and Runtime Enforcement","work_id":"9f9c854c-a981-4164-9adb-28fd62ffeecd","year":2026},{"cited_arxiv_id":"2510.21236","doi":"","is_internal_anchor":true,"ref_index":4,"title":"AgentBound: Securing Execution Boundaries of AI Agents","work_id":"73bf8253-c0ea-40a5-9420-8bcae2f5438f","year":2025},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":5,"title":"Rajkumar Buyya et al. 2026. Agentic Artificial Intelligence (AI): Architectures, Taxonomies, and Evaluation of Large Language Model Agents.arXiv preprint arXiv:2601.12560(2026)","work_id":"01d3e26d-27ff-4996-bc70-b3a3b3db6e1c","year":2026}],"snapshot_sha256":"75b6d3a4ab8cfd254ecd235ae6478db89ad938fade13328d2e9d536152ca16f0"},"source":{"id":"2605.14460","kind":"arxiv","version":1},"verdict":{"created_at":"2026-05-15T02:06:19.201817Z","id":"29a9bf86-3eb4-4bb8-b1b0-6bf9edcb9c64","model_set":{"reader":"grok-4.3"},"one_line_summary":"Semantic Compliance Hijacking lets attackers hijack LLM agents by disguising malicious instructions as compliance rules in skills, reaching up to 77.67% success on confidentiality breaches and 67.33% on RCE while evading all tested scanners.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"Semantic Compliance Hijacking makes LLM agents generate and run malicious code by presenting attacks as natural-language compliance rules in third-party skills.","strongest_claim":"SCH achieving peak success rates of up to 77.67% for confidentiality breaches and 67.33% for Remote Code Execution (RCE) under the most vulnerable configurations, with 0.00% detection rate by current scanning tools.","weakest_assumption":"That the tested agent frameworks will faithfully interpret and execute the dynamically generated code from the disguised natural-language compliance rules without additional safeguards or user confirmation."}},"verdict_id":"29a9bf86-3eb4-4bb8-b1b0-6bf9edcb9c64"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:9a00342a8236368e24b7a04fff0e5c6088f727c1ce395ae9f043ab12536efb0a","target":"record","created_at":"2026-05-17T23:39:06Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"5b52e669a84f54bfb03b12cfd1fe8e20b5f4a6dc4c607ab7cbcee35d0a556b58","cross_cats_sorted":["cs.SE"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T06:55:47Z","title_canon_sha256":"e001e400df9a8f95e949829d2791a4bd93724ee8b2d73f37b7b7095c2f6d2bdd"},"schema_version":"1.0","source":{"id":"2605.14460","kind":"arxiv","version":1}},"canonical_sha256":"586c234bcf4b4dddde560e488cc8e59bbbb44842574eab31e8483267353a1c44","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"586c234bcf4b4dddde560e488cc8e59bbbb44842574eab31e8483267353a1c44","first_computed_at":"2026-05-17T23:39:06.788820Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-17T23:39:06.788820Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"Aaf1chkF60m2PXVcrqMR19eTYfC0ttM6TImTiXQ8YpTJRZiEHr/X+nfj89gbMYl5yZLGJXhIxP0JobY53R+vAA==","signature_status":"signed_v1","signed_at":"2026-05-17T23:39:06.789515Z","signed_message":"canonical_sha256_bytes"},"source_id":"2605.14460","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:9a00342a8236368e24b7a04fff0e5c6088f727c1ce395ae9f043ab12536efb0a","sha256:65443ea000d1d5b4859f26fdbbd21fb61225d09bb6c00793bb4b29d5ac02cbcd"],"state_sha256":"f5210641ac8cf91cf1e677f90c467bd6ce4e0fc6db5f10f67f07d5bef4c5f7cd"}