{"paper":{"title":"Securing LLM Agents Need Intent-to-Execution Integrity","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Securing LLM agents requires intent-to-execution integrity so executions faithfully match user intent even with untrusted tools.","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Dawn Song, Jiaheng Zhang, Ming Xu, Peiran Wang, Shengfang Zhai, Wenjie Qu","submitted_at":"2026-05-16T12:53:31Z","abstract_excerpt":"This position paper argues that securing LLM agents requires first defining an end-to-end correctness property that specifies when an agent's execution faithfully reflects the user's intent. Modern LLM agents operate over an \\emph{intent-to-execution pipeline}, where natural-language instructions are translated into concrete system operations such as tool calls, API requests, and code execution. While recent defenses have made progress in constraining how agents construct tool calls, most existing formulations implicitly assume that tools are trusted. The emergence of systems such as OpenClaw,"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"Analyzing existing agentic defenses against these properties reveals that current systems provide only partial and non-compositional coverage, leaving fundamental gaps in securing modern LLM agents.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The structural analogy between LLM agents and compilers holds sufficiently to derive the four integrity properties as both necessary and jointly sufficient for end-to-end correctness.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"The paper defines intent-to-execution integrity as the conjunction of Tool Integrity, Instruction Integrity, Judgment Integrity, and Data Flow Integrity, arguing that existing LLM agent defenses provide only partial coverage of these properties.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Securing LLM agents requires intent-to-execution integrity so executions faithfully match user intent even with untrusted tools.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"372a274b0d7b388f9503f1fc8d1ccc35bfc0b1a89a3a32d5b812c49a021ffe11"},"source":{"id":"2605.16976","kind":"arxiv","version":1},"verdict":{"id":"476a4d37-282c-4cc2-8066-7b671d75706b","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-19T20:12:41.744001Z","strongest_claim":"Analyzing existing agentic defenses against these properties reveals that current systems provide only partial and non-compositional coverage, leaving fundamental gaps in securing modern LLM agents.","one_line_summary":"The paper defines intent-to-execution integrity as the conjunction of Tool Integrity, Instruction Integrity, Judgment Integrity, and Data Flow Integrity, arguing that existing LLM agent defenses provide only partial coverage of these properties.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The structural analogy between LLM agents and compilers holds sufficiently to derive the four integrity properties as both necessary and jointly sufficient for end-to-end correctness.","pith_extraction_headline":"Securing LLM agents requires intent-to-execution integrity so executions faithfully match user intent even with untrusted tools."},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2605.16976/integrity.json","findings":[],"available":true,"detectors_run":[{"name":"doi_title_agreement","ran_at":"2026-05-19T20:31:19.050382Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"doi_compliance","ran_at":"2026-05-19T20:21:39.867412Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"cited_work_retraction","ran_at":"2026-05-19T19:51:56.598002Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"citation_quote_validity","ran_at":"2026-05-19T19:50:07.194706Z","status":"skipped","version":"0.1.0","findings_count":0},{"name":"claim_evidence","ran_at":"2026-05-19T18:41:56.218787Z","status":"completed","version":"1.0.0","findings_count":0},{"name":"ai_meta_artifact","ran_at":"2026-05-19T18:33:26.305915Z","status":"skipped","version":"1.0.0","findings_count":0}],"snapshot_sha256":"e6cd85cab458ad41408189ea61aaf568f70f447289ad1f3c6e0f29199da36878"},"references":{"count":30,"sample":[{"doi":"","year":2025,"title":"OpenClaw: An open-source framework for AI agents","work_id":"0ce3c522-a447-46da-8419-bd9dd5a49604","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2026,"title":"NemoClaw: Hardened OpenClaw runtime with Landlock and seccomp sandboxing","work_id":"3642359b-c7c9-42dd-b7a6-a2c505e2dae8","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2026,"title":"IronClaw: Agent OS focused on privacy, security, and extensibility","work_id":"9830e3e7-33d5-4aaf-a979-f5dc26f7f60d","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"System-Level Defense against Indirect Prompt Injection Attacks: An Information Flow Control Perspective","work_id":"c3786d6b-d1c5-4d79-af2c-1215479ed680","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2026,"title":"SeClaw: The security armored personal AI assistant","work_id":"97db09da-719e-40dc-a4aa-21b55d1aef6d","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":30,"snapshot_sha256":"f674b56d76636a6aeabad05513b358e79d026e09e8b0f70b39c3991d7e47fb6a","internal_anchors":3},"formal_canon":{"evidence_count":2,"snapshot_sha256":"76d5a6aaa2c8891ee84df9ca241f8f62ffa9f07b117d245653dd0cd7728d761c"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}