{"paper":{"title":"Prompt Injection Attack to Tool Selection in LLM Agents","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"ToolHijacker injects optimized malicious tool documents to force LLM agents to select attacker-chosen tools.","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Guiyao Tie, Jiawen Shi, Lichao Sun, Neil Zhenqiang Gong, Pan Zhou, Zenghui Yuan","submitted_at":"2025-04-28T13:36:43Z","abstract_excerpt":"Tool selection is a key component of LLM agents. A popular approach follows a two-step process - \\emph{retrieval} and \\emph{selection} - to pick the most appropriate tool from a tool library for a given task. In this work, we introduce \\textit{ToolHijacker}, a novel prompt injection attack targeting tool selection in no-box scenarios. ToolHijacker injects a malicious tool document into the tool library to manipulate the LLM agent's tool selection process, compelling it to consistently choose the attacker's malicious tool for an attacker-chosen target task. Specifically, we formulate the crafti"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"ToolHijacker is highly effective, significantly outperforming existing manual-based and automated prompt injection attacks when applied to tool selection.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The attacker can successfully inject a malicious tool document into the agent's tool library, and the LLM's retrieval-plus-selection process remains vulnerable to prompt injection through that document in no-box scenarios.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"ToolHijacker optimizes malicious tool documents via a two-phase strategy to hijack LLM agents' tool selection in no-box settings.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"ToolHijacker injects optimized malicious tool documents to force LLM agents to select attacker-chosen tools.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"d4644f54b8a411dddf834c564570e6e971847fdbbdd63616197ffd1a7c8ecd50"},"source":{"id":"2504.19793","kind":"arxiv","version":3},"verdict":{"id":"e87bbfac-73db-4863-90d5-18b6f5f5b4b2","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-16T17:04:47.406337Z","strongest_claim":"ToolHijacker is highly effective, significantly outperforming existing manual-based and automated prompt injection attacks when applied to tool selection.","one_line_summary":"ToolHijacker optimizes malicious tool documents via a two-phase strategy to hijack LLM agents' tool selection in no-box settings.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The attacker can successfully inject a malicious tool document into the agent's tool library, and the LLM's retrieval-plus-selection process remains vulnerable to prompt injection through that document in no-box scenarios.","pith_extraction_headline":"ToolHijacker injects optimized malicious tool documents to force LLM agents to select attacker-chosen tools."},"references":{"count":89,"sample":[{"doi":"","year":2024,"title":"Mind2web: Towards a generalist agent for the web,","work_id":"c5619498-3e80-4a16-9c61-fe6255c5f11c","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2023,"title":"A Real-World WebAgent with Planning, Long Context Understanding, and Program Synthesis","work_id":"0915d1fc-bc46-4128-871e-f9233dca44b6","ref_index":2,"cited_arxiv_id":"2307.12856","is_internal_anchor":true},{"doi":"","year":2024,"title":"SWE-agent: Agent-Computer Interfaces Enable Automated Software Engineering","work_id":"01826cd9-a652-403c-a2ec-531da9fe2b6a","ref_index":3,"cited_arxiv_id":"2405.15793","is_internal_anchor":true},{"doi":"","year":2023,"title":"MetaGPT: Meta Programming for A Multi-Agent Collaborative Framework","work_id":"891b9780-a800-4e3c-bba0-53597ab8dc98","ref_index":4,"cited_arxiv_id":"2308.00352","is_internal_anchor":true},{"doi":"","year":2023,"title":"Gorilla: Large Language Model Connected with Massive APIs","work_id":"126a464a-4a73-495f-b669-de1e44aa8f09","ref_index":5,"cited_arxiv_id":"2305.15334","is_internal_anchor":true}],"resolved_work":89,"snapshot_sha256":"59843b707639bdf15764d8f5bb26719a77b453508c72de5b7b5e83c9eee33449","internal_anchors":21},"formal_canon":{"evidence_count":1,"snapshot_sha256":"30024c40f4bbda28ef936fe596e5c8db2284da869bba8f9efcb713aa19151211"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}