{"total":28,"items":[{"citing_arxiv_id":"2606.32002","ref_index":5,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Self-Study Reconsidered: The Hidden Fragility of Learning from Self-Generated QA","primary_cat":"cs.AI","submitted_at":"2026-06-30T17:35:14+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"Self-generated QA supervision for language models is fragile due to non-uniform question selection and instruction compliance during answering, with mitigations that reduce compliance from 88% to 13%.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2606.30783","ref_index":41,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Security--Fidelity Tradeoffs: The Hidden Cost of Prompt Injection Defense","primary_cat":"cs.CR","submitted_at":"2026-06-29T18:11:17+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Prompt injection defenses create a security-fidelity tradeoff with no model or defense achieving both high security and high fidelity on the SecFid benchmark across 1,168 examples.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2606.30383","ref_index":8,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Whose Side Is Your Agent On? Multi-Party Principal Loyalty in LLM Agents","primary_cat":"cs.AI","submitted_at":"2026-06-29T14:39:38+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"PrincipalBench exposes a sharp split in frontier LLMs between selective and over-refusing behavior on multi-party loyalty, with prompt scaffolding and KL distillation reducing harm rates but only along an existing leak/over-refusal trade-off.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2606.26627","ref_index":21,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Agents That Know Too Much: A Data-Centric Survey of Privacy in LLM Agents","primary_cat":"cs.CR","submitted_at":"2026-06-25T05:44:18+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":5.0,"formal_verification":"none","one_line_summary":"A data-centric survey finds that only information-flow control covers compositional and cross-session leakage in LLM agents and that no single benchmark tests an agent across all its data surfaces under one policy.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2606.26479","ref_index":4,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Adaptive Evaluation of Out-of-Band Defenses Against Prompt Injection in LLM Agents","primary_cat":"cs.CR","submitted_at":"2026-06-25T00:35:23+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":5.0,"formal_verification":"none","one_line_summary":"An independent reproduction on AgentDojo with Qwen2.5-7B finds that the Progent out-of-band defense reduces mean attack success from 25.8% to 4.2% and holds against a hand-crafted adaptive attack at 2.6%.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2606.18120","ref_index":13,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Structural Role Injection in Handlebars-Templated LLM Prompts: Triple-Brace Interpolation, Delimiter Family, and the Limits of HTML Auto-Escaping","primary_cat":"cs.CR","submitted_at":"2026-06-16T16:21:43+00:00","verdict":"CONDITIONAL","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"Handlebars double-brace escaping neutralizes angle-bracket role delimiters but not colon- or Markdown-based ones, as measured by survival rates and 5760 model trials across four LLMs.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2606.17573","ref_index":12,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Cordon: Semantic Transactions for Tool-Using LLM Agents","primary_cat":"cs.OS","submitted_at":"2026-06-16T06:21:14+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Cordon is a transactional runtime system that binds tool intents to reversible state, staged effects, and audit metadata to validate composed agent workflows before commit.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2606.15057","ref_index":7,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"AutoDojo: Adaptive Black-Box Attacks Reveal the Limits of IPI Defenses and Task-Specification Effects in LLM Agents","primary_cat":"cs.CR","submitted_at":"2026-06-13T02:09:08+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"AutoDojo adaptively optimizes IPI attacks to bypass defenses, recovering substantial ASR on action-open tasks where static attacks fail.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2606.04109","ref_index":2,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Discourse-Role Labels as Presentation-Time Variables for Context Use in Language Models","primary_cat":"cs.CL","submitted_at":"2026-06-02T18:12:57+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"Discourse-role labels on identical misleading context cause 56-84 percentage point shifts in LLMs adopting the injected wrong answer.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2606.02668","ref_index":21,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"What You Approve Is What Executes: Consent Integrity for Black-Box LLM Agents","primary_cat":"cs.CR","submitted_at":"2026-06-01T11:08:17+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"The paper introduces Consent Integrity as the property that actions shown for approval must be rendered by a trusted mediator from the real boundary action over an unspoofable path and bound to execution, with uninspectable actions surfaced rather than silently approved.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.31042","ref_index":4,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"From Prompt Injection to Persistent Control: Defending Agentic Harness Against Trojan Backdoors","primary_cat":"cs.CR","submitted_at":"2026-05-29T09:19:07+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Introduces ClawTrojan benchmark achieving 95.5% ASR for multi-step trojan attacks in agentic harnesses and DASGuard defense that sanitizes control content from untrusted sources.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.30686","ref_index":8,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Depth-Dependent Indirect Prompt Injection in Tool-Calling ReAct Agents: Injection Depth, Payload Framing, and Turn-Budget Sensitivity","primary_cat":"cs.CR","submitted_at":"2026-05-29T00:28:42+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"Controlled experiments on GPT-4o-mini and Claude Haiku show indirect prompt injection success in ReAct agents decays sharply with injection depth, varies with payload framing, and remains stable across turn budgets.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.28467","ref_index":3,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Mitigating Adaptive Attacks against Reasoning Models with Activation Consistency Training","primary_cat":"cs.LG","submitted_at":"2026-05-27T13:33:26+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Activation-level consistency training (ACT) yields a robust defense against adaptive jailbreaks in reasoning models by aligning internal activations on clean and wrapped prompts, outperforming output-level variants.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.18133","ref_index":25,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"An Empirical Study of Privacy Leakage Chains via Prompt Injection in Black-Box Chatbot Environments","primary_cat":"cs.CR","submitted_at":"2026-05-18T09:38:18+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Empirical demonstration that prompt injection combined with web-tool use creates a feasible privacy-leakage chain in deployed black-box chatbot agents.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.16976","ref_index":8,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Securing LLM Agents Need Intent-to-Execution Integrity","primary_cat":"cs.CR","submitted_at":"2026-05-16T12:53:31+00:00","verdict":"CONDITIONAL","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"The paper defines intent-to-execution integrity as the conjunction of Tool Integrity, Instruction Integrity, Judgment Integrity, and Data Flow Integrity, arguing that existing LLM agent defenses provide only partial coverage of these properties.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.14290","ref_index":4,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Web Agents Should Adopt the Plan-Then-Execute Paradigm","primary_cat":"cs.CR","submitted_at":"2026-05-14T02:48:57+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Web agents should default to planning a complete task program before observing live web content to reduce prompt injection exposure, since WebArena tasks are compatible and 80% need no runtime LLM calls.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.02812","ref_index":6,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Autonomous LLM Agent Worms: Cross-Platform Propagation, Automated Discovery and Temporal Re-Entry Defense","primary_cat":"cs.CR","submitted_at":"2026-05-04T16:49:29+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"Autonomous LLM agents can host self-propagating worms via persistent state re-entry, demonstrated with automated analysis tools and blocked by a formal no-propagation defense on three frameworks.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.01970","ref_index":8,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Trojan Hippo: Weaponizing Agent Memory for Data Exfiltration","primary_cat":"cs.CR","submitted_at":"2026-05-03T17:07:20+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"The paper defines and evaluates Trojan Hippo attacks on LLM agent memory, showing 85-100% success in data exfiltration across backends and reduced rates with defenses at varying utility costs.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"with default extraction and retrieval settings. 6 Defenses Prompt injection defense has been a major area of research for the past few years, yet it remains an unsolved problem. At the model level, train-time approaches enforce separation between in- structions and data, fine-tuning the model to resist instructions embedded in untrusted tool outputs [8, 9, 83]. At the pipeline level, test-time approaches include sanitization methods that remove instruction-like content from tool outputs [14], input transforma- tion methods that use delimiters or encoding to help the model dis- tinguish data from instructions [36], and system-level frameworks that enforce explicit control-flow policies over tool outputs [ 16]."},{"citing_arxiv_id":"2604.23338","ref_index":103,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"A Systematic Survey of Security Threats and Defenses in LLM-Based AI Agents: A Layered Attack Surface Framework","primary_cat":"cs.CR","submitted_at":"2026-04-25T14:57:15+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"A new 7x4 taxonomy organizes agentic AI security threats by architectural layer and persistence timescale, revealing under-explored upper layers and missing defenses after surveying 116 papers.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"autonomously, and the attack can be triggered remotely via a single natural-language instruction. 12 D. L4 Defenses The principle of least privilege [101], [102] is the founda- tional design guideline: agents should hold only the minimum permissions required for the current task, with permissions revoked or scoped down upon task completion. Structural defenses such as StruQ [103] enforce separation between prompt instructions and external data via specialized input channels, reducing injection success rates substantially in controlled evaluations. Prompt-level output filtering [104] detects common injection patterns in tool outputs before context injection. Tool sandboxing isolates tool execution in restricted environments [105]."},{"citing_arxiv_id":"2603.27517","ref_index":18,"ref_count":2,"confidence":0.9,"is_internal_anchor":false,"paper_title":"A Security Analysis of the OpenClaw AI Agent Framework","primary_cat":"cs.CR","submitted_at":"2026-03-29T04:51:27+00:00","verdict":"CONDITIONAL","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Security analysis of OpenClaw reveals composable RCE paths from LLM tool calls, invalid closed-world assumptions in exec allowlists, and plugin-based attacks that bypass runtime policy.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2510.23883","ref_index":179,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Agentic AI Security: Threats, Defenses, Evaluation, and Open Challenges","primary_cat":"cs.AI","submitted_at":"2025-10-27T21:48:11+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":4.0,"formal_verification":"none","one_line_summary":"A survey that taxonomizes threats to agentic AI, reviews benchmarks and evaluation methods, discusses technical and governance defenses, and identifies open challenges.","context_count":1,"top_context_role":"method","top_context_polarity":"use_method","context_text":"Complementary to these efforts, research has also been undertaken to utilizecircuit breakingortask driftingapproaches to recognize and reject adversarial patterns while preserving intended functionality [178, 150]. Supervised fine-tuning with curated datasetsA second class of agent-focused defenses involves fine-tuning backend LLMs with injection-aware datasets. Chen et al. [ 179] proposeStruQ, a method that augments datasets with both normal and prompt injection contaminated prompts, enabling models tolearnto ignore injected instructions while maintaining responsiveness to legitimate ones. Similarly, in [180], the authors introduceSecAlign, which leverages alignment training via direct preference optimization (DPO) [181] to align agents toward preferring benign instructions"},{"citing_arxiv_id":"2506.09067","ref_index":5,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Enhancing the Safety of Medical Vision-Language Models by Synthetic Demonstrations","primary_cat":"cs.CV","submitted_at":"2025-06-08T16:26:51+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":5.0,"formal_verification":"none","one_line_summary":"Synthetic clinical demonstrations at inference time improve safety of Med-VLMs against visual and textual jailbreaks while preserving general performance on medical tasks.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2504.20984","ref_index":20,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"ACE: A Security Architecture for LLM-Integrated App Systems","primary_cat":"cs.CR","submitted_at":"2025-04-29T17:55:52+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"ACE decouples planning into abstract and concrete phases with static information-flow verification and enforces execution barriers to secure LLM app systems against prompt injection and related attacks.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2504.20472","ref_index":6,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Robustness via Referencing: Defending against Prompt Injection Attacks by Referencing the Executed Instruction","primary_cat":"cs.CR","submitted_at":"2025-04-29T07:13:53+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"The method prompts LLMs to output both answers and references to the executed instructions, then filters out any answers not linked to the original input instructions, reducing attack success rates to zero in tested scenarios while preserving utility.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2504.19793","ref_index":23,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Prompt Injection Attack to Tool Selection in LLM Agents","primary_cat":"cs.CR","submitted_at":"2025-04-28T13:36:43+00:00","verdict":"CONDITIONAL","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"ToolHijacker optimizes malicious tool documents via a two-phase strategy to hijack LLM agents' tool selection in no-box settings.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2410.07283","ref_index":6,"ref_count":2,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Prompt Infection: LLM-to-LLM Prompt Injection within Multi-Agent Systems","primary_cat":"cs.MA","submitted_at":"2024-10-09T11:01:29+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":8.0,"formal_verification":"none","one_line_summary":"Prompt injection attacks can self-replicate across LLM agents in multi-agent systems, enabling data theft, misinformation, and system disruption while propagating silently.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2406.13352","ref_index":8,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents","primary_cat":"cs.CR","submitted_at":"2024-06-19T08:55:56+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":8.0,"formal_verification":"none","one_line_summary":"AgentDojo introduces an extensible evaluation framework populated with realistic agent tasks and security test cases to measure prompt injection robustness in tool-using LLM agents.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"Untrusted data processed and returned by the tools called by an AI agent are an effective vector for (indirect) prompt injections that execute malicious actions on behalf of the user [13, 18, 23]. Defenses against prompt injections either aim to detect injections (typically with a LLM) [28, 29, 64], train or prompt LLMs to better distinguish instructions from data [8, 59, 61, 70, 74], or isolate function calls from the agent's main planning component [63, 66]. Unfortunately, current techniques are not foolproof, and may be unable to provide guarantees for security-critical tasks [61, 64]. Command-R+Llama 3 70bGPT-3.5 TurboGemini 1.5 FlashGemini 1.5 ProGPT-4 Turbo GPT-4o Claude 3 OpusClaude 3 SonnetClaude 3.5 Sonnet"},{"citing_arxiv_id":"2404.13208","ref_index":2,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"The Instruction Hierarchy: Training LLMs to Prioritize Privileged Instructions","primary_cat":"cs.CR","submitted_at":"2024-04-19T22:55:23+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Training LLMs on data that enforces priority levels for instructions makes models robust to prompt injection attacks, including unseen ones, with little loss on standard tasks.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null}],"limit":50,"offset":0}