SkillSpector does not flag Unicode bidirectional control characters (U+202A–U+202E, U+2066–U+2069, U+061C) in skill file contents. These enable Trojan Source attacks where source code renders differently than it executes. Current coverage misses this: P2 only scans markdown for zero-width characters, and the bidi check in mcp_tool_poisoning inspects only skill metadata fields (and omits U+202A/202B/061C). A bidi-reordered helper.py is therefore undetected. Proposing a new pattern P9 in the static prompt-injection analyzer that scans all file types.
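
A sketch of what the proposed P9 check could look like, added here as an illustration and not taken from SkillSpector's code base: the function name `scan_bytes`, the finding fields and the `unterminated` flag are assumptions, and the sample file content is constructed.

```python
import unicodedata

# Code points named in the issue: U+202A-U+202E, U+2066-U+2069, U+061C.
BIDI_CONTROLS = {chr(c) for c in (*range(0x202A, 0x202F), *range(0x2066, 0x206A), 0x061C)}
OPENERS = set("\u202a\u202b\u202d\u202e\u2066\u2067\u2068")  # embeddings, overrides, isolates
CLOSERS = set("\u202c\u2069")                                # PDF and PDI


def scan_bytes(data, path="<memory>"):
    """Hypothetical P9 check: one finding per bidi control in any file's bytes."""
    # errors="replace" keeps the scan going on binary or mis-encoded files,
    # so the check is not limited to markdown or metadata fields.
    text = data.decode("utf-8", errors="replace")
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        depth, hits = 0, []
        for col, ch in enumerate(line, start=1):
            if ch not in BIDI_CONTROLS:
                continue
            hits.append((col, ch))
            # Simplification (assumption): one shared counter for PDF and PDI.
            if ch in OPENERS:
                depth += 1
            elif ch in CLOSERS:
                depth = max(0, depth - 1)
        for col, ch in hits:
            findings.append({
                "pattern": "P9", "path": path, "line": lineno, "column": col,
                "codepoint": f"U+{ord(ch):04X}", "name": unicodedata.name(ch),
                # An opener still pending at end of line affects what follows it.
                "unterminated": depth > 0,
            })
    return findings


# Constructed sample standing in for a skill's helper.py (escapes, not raw controls).
SAMPLE_HELPER_PY = (
    "def helper():\n"
    "    label = 'abc\u202edef\u202c'\n"
    "    note = '\u2067xyz'\n"
    "    return label\n"
).encode("utf-8")

if __name__ == "__main__":
    for f in scan_bytes(SAMPLE_HELPER_PY, "helper.py"):
        print(f"{f['path']}:{f['line']}:{f['column']} {f['codepoint']} "
              f"{f['name']} unterminated={f['unterminated']}")
```

Reporting the code point and position as escaped text, never echoing the raw character, keeps the finding itself from being reordered when it is displayed.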