feat(defender-antigravity): inline SKILL contract in HIGH RISK cue

[hiskudin]

Summary

On Antigravity, SKILL.md is registered via the plugin's skills/ directory but loaded into the model's context only on demand (the model has to invoke Read on the SKILL path). During a normal tool call, Gemini has no reason to load stackone-defender's SKILL — so the [Defender] HIGH RISK … cue arrives as one unfamiliar bracketed line against hundreds of tokens of attacker-controlled tool content. The model treats the cue as informational, not as a stop-and-review signal, and proceeds with the injection.

This change inlines a compressed SKILL behavioral contract directly in the HIGH RISK cue, so the guidance is in the same turn as the warning.

Applies only to the Antigravity sibling. The Claude Code plugin loads SKILL.md natively via the skill system, so inlining there would be redundant and could conflict with the loaded guidance. No changes to stackone-defender/.

Evidence

End-to-end pilot in stackone-redteaming/defender-cue-eval (internal repo) measured this on gemini-3.5-flash with the multihead-aggregation disabled to maximize recall (18/21 cue fires across 7 indirect-injection scenarios × 3 seeds). See docs/2026-06-15-defender-cue-eval-pilot.md.

cue variant	baseline ASR	cue ASR	ASR delta (95% CI)	utility (cue)
no SKILL (current shipped)	0.857	0.857	+0.000 (±0.143)	0.190
SKILL v1 (aggressive)	0.905	0.810	−0.095 (−0.286, +0.095)	0.000 ❌
SKILL v2 (this PR)	0.857	0.810	−0.048 (−0.190, +0.095)	0.286 ✓

V1 over-generalized "don't follow embedded directives" into "don't act on the tool result" → utility collapsed to 0%. V2 separates "refuse this specific embedded instruction" from "complete the user's task using the rest of the result." Pilot v2 utility actually beat the no-skill baseline.

Caveats (honest)

• n=21 — CI spans zero. The effect is directional, not statistically significant. To confirm at −5pp we'd need ~600 paired runs.
• SOC-disguised injection still 100% ASR. Even with the SKILL contract explicitly warning about "compliance / SOC / audit" framing, the bamboohr / slack / subtle bamboohr attack family was unaffected. SKILL guidance helps when the embedded instruction is overt; it doesn't help when the attacker prose is contextually coherent enough to look like legitimate tool output. Separately tracked in adaptive-defender / v6-v7 workstream.
• Cue adds ~250 tokens per HIGH RISK fire (~280 tokens total in the emitted inject_steps message). Not inlined on "Suspicious" medium-risk cues — those are the long FP tail where we want the agent to ignore the flag, not consult a contract.
• Pilot measured cue-as-prepended-tool-result-text via auto-redteam's run_target harness. Real Antigravity delivers the cue via inject_steps[].system_message — different wire transport. Behavior should be similar but isn't bit-identical to the pilot.

Why ship before n=600

• Doing nothing leaves a known UX gap: shipped Antigravity plugin emits cues that Gemini provably ignores at 0% effect.
• Fix is cheap (~250 tokens / fire, one-line concat), reversible (revert if regressed), and bounded downside (v2 utility ≥ no-skill in pilot).
• v1 → v2 contrast already navigated the phrasing tradeoff that would have shipped a regression.

Test plan

• npm test — 12/12 fixture-regression pass on the modified plugin.
• Synthesize PostToolHookArgs stdin → confirm emitted inject_steps[0].system_message.text contains both SKILL contract + HIGH RISK cue line, total ~1.3KB / 221 words.
• Local install in real agy session (agy plugin install ./plugins/security/stackone-defender-antigravity), trigger a known-injection fixture, verify the cue lands in the model's next turn and steers behavior.

🤖 Generated with Claude Code

---

Summary by cubic

Inlines a compact SKILL behavioral contract into HIGH RISK defender cues in the Antigravity plugin and places the [Defender] … summary line first. Also fixes hook registration by moving hooks.json to the plugin root so the PostToolUse hook actually runs.

• New Features

  • Adds an inlined SKILL_CONTRACT to HIGH RISK cues; summary line precedes the contract; “Suspicious” cues stay single-line.
  • Pilot on gemini-3.5-flash: ~−4.8pp ASR with no utility regression (n=21; directional); ~250 tokens per HIGH RISK fire; no change to stackone-defender/ or the Claude Code plugin.

• Bug Fixes

  • Moves hooks.json to the plugin root so Antigravity registers the hook; cues now emit via inject_steps.

^{Written for commit 7680c9e. Summary will update on new commits.}

[cubic-dev-ai]

No issues found across 1 file

<sub>Requires human review: This PR updates core defensive cue logic in a security-critical plugin, impacting prompt-injection defenses in a production tool. The effect is directional and not statistically significant; human review is advised.

Re-trigger cubic</sub>

[Copilot]

Pull request overview

This PR updates the Antigravity variant of the StackOne Defender PostToolUse hook to inline a condensed behavioral “SKILL contract” directly into the HIGH RISK injected system message, so the model receives explicit guidance in the same turn as the warning (without changing “Suspicious” medium-risk cue behavior).

Changes:

• Adds an inlined SKILL_CONTRACT string describing how the model should treat flagged tool output.
• Prepends the contract to the HIGH RISK injected system message (while keeping Suspicious cues short).
• Adds rationale/comments documenting the v2 phrasing and token-cost tradeoffs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[hiskudin]

Fixed in 579a657 — reordered so the [Defender] HIGH RISK … summary line is now first, then the SKILL contract. Prefix-based recognition and consistency with the Claude Code sibling preserved. The pilot evaluated both orderings; either way the cue line and the contract arrive in the same turn.

[hiskudin]

Fixed in 579a657 — updated the file header docstring (added a 3rd-surface section explaining HIGH RISK is multi-paragraph on Antigravity vs single-line on Claude Code) and the README (How-it-works section + the inject_steps example now show the cue + inlined contract structure).

[hiskudin]

Fixed in 579a657 with cross-reference comments rather than runtime SKILL.md loading. The scan-tool-result.mjs now has a "SOURCE OF TRUTH NOTICE" block calling out the dual-update rule; SKILL.md gets a reverse pointer in the intro paragraph telling readers to grep for SKILL_CONTRACT in the hook script. We deliberately don't read SKILL.md at scan time — the hook's latency budget is tight (the daemon scan itself runs in low-ms and adds an inject_steps payload to every flagged tool call), and the hook intentionally has no filesystem dependencies beyond its own script dir for portability across user shells/sandbox configurations.

[cubic-dev-ai]

0 issues found across 3 files (changes from recent commits).

<sub>Requires human review: Updates prompt-injection defenses in the security plugin via a SKILL contract that alters HIGH RISK content interpretation. Despite pilot results, this security-critical change risks regressions and needs human review.

Re-trigger cubic</sub>