{
  "total": 12,
  "items": [
    {
      "citing_arxiv_id": "2605.30534",
      "ref_index": 3,
      "ref_count": 1,
      "confidence": 0.98,
      "is_internal_anchor": true,
      "paper_title": "Strengthening Polymorphic Prompt Assembling: Dynamic Separator Generation Against Emerging Prompt Injection Attacks",
      "primary_cat": "cs.CR",
      "submitted_at": "2026-05-28T20:10:04+00:00",
      "verdict": "UNVERDICTED",
      "verdict_confidence": "LOW",
      "novelty_score": 6.0,
      "formal_verification": "none",
      "one_line_summary": "Dynamic separator generation via domain-separated SHA-256 reduces attack success rate from 0.88 to 0.38 and eliminates leakage exposure in evaluations against 16 payloads on Llama and DeepSeek models.",
      "context_count": 0,
      "top_context_role": null,
      "top_context_polarity": null,
      "context_text": null
    },
    {
      "citing_arxiv_id": "2605.24069",
      "ref_index": 21,
      "ref_count": 1,
      "confidence": 0.98,
      "is_internal_anchor": true,
      "paper_title": "When the Manual Lies: A Realistic Benchmark to Evaluate MCP Poisoning Attacks for LLM Agents",
      "primary_cat": "cs.CR",
      "submitted_at": "2026-05-22T08:34:48+00:00",
      "verdict": "UNVERDICTED",
      "verdict_confidence": "LOW",
      "novelty_score": 7.0,
      "formal_verification": "none",
      "one_line_summary": "Introduces MCP-TDP benchmark showing near-100% attack success on models like GPT-4o for tool description poisoning and proposes reactive self-correction defense.",
      "context_count": 0,
      "top_context_role": null,
      "top_context_polarity": null,
      "context_text": null
    },
    {
      "citing_arxiv_id": "2605.23330",
      "ref_index": 8,
      "ref_count": 1,
      "confidence": 0.98,
      "is_internal_anchor": true,
      "paper_title": "Security, Privacy, and Ethical Risks in OpenClaw",
      "primary_cat": "cs.CR",
      "submitted_at": "2026-05-22T07:45:04+00:00",
      "verdict": "UNVERDICTED",
      "verdict_confidence": "LOW",
      "novelty_score": 3.0,
      "formal_verification": "none",
      "one_line_summary": "The paper analyzes security, privacy, and ethical risks in the OpenClaw AI agent system arising from its architecture, storage, tool use, and integrations, arguing these form major barriers to trustworthy adoption.",
      "context_count": 0,
      "top_context_role": null,
      "top_context_polarity": null,
      "context_text": null
    },
    {
      "citing_arxiv_id": "2605.18672",
      "ref_index": 36,
      "ref_count": 1,
      "confidence": 0.98,
      "is_internal_anchor": true,
      "paper_title": "Position: A Three-Layer Probabilistic Assume-Guarantee Architecture Is Structurally Required for Safe LLM Agent Deployment",
      "primary_cat": "cs.AI",
      "submitted_at": "2026-05-18T17:13:41+00:00",
      "verdict": "UNVERDICTED",
      "verdict_confidence": "LOW",
      "novelty_score": 5.0,
      "formal_verification": "none",
      "one_line_summary": "A three-layer probabilistic assume-guarantee architecture is structurally required for safe LLM agent deployment.",
      "context_count": 0,
      "top_context_role": null,
      "top_context_polarity": null,
      "context_text": null
    },
    {
      "citing_arxiv_id": "2605.17830",
      "ref_index": 17,
      "ref_count": 1,
      "confidence": 0.98,
      "is_internal_anchor": true,
      "paper_title": "Remembering More, Risking More: Longitudinal Safety Risks in Memory-Equipped LLM Agents",
      "primary_cat": "cs.AI",
      "submitted_at": "2026-05-18T04:06:34+00:00",
      "verdict": "UNVERDICTED",
      "verdict_confidence": "LOW",
      "novelty_score": 6.0,
      "formal_verification": "none",
      "one_line_summary": "Memory-equipped LLM agents exhibit increasing safety violation rates as memory accumulates across independent tasks, termed temporal memory contamination, detected via a new trigger-probe protocol.",
      "context_count": 0,
      "top_context_role": null,
      "top_context_polarity": null,
      "context_text": null
    },
    {
      "citing_arxiv_id": "2605.16471",
      "ref_index": 76,
      "ref_count": 1,
      "confidence": 0.98,
      "is_internal_anchor": true,
      "paper_title": "From AI-Generated Content to Agentic Action: Security and Safety Threats in Generative AI",
      "primary_cat": "cs.CR",
      "submitted_at": "2026-05-15T13:53:02+00:00",
      "verdict": "UNVERDICTED",
      "verdict_confidence": "LOW",
      "novelty_score": 3.0,
      "formal_verification": "none",
      "one_line_summary": "The paper analyzes evolving security and safety threats in generative AI from content generation to agentic actions, noting that attack surfaces expand faster than defenses and that many safeguards require institutional coordination not yet in place.",
      "context_count": 1,
      "top_context_role": "background",
      "top_context_polarity": "background",
      "context_text": "example, StateFlow [137] uses finite state machines for workflow sequencing. Extending runtime verification across delegated actions, shared context, and multi-agent boundaries remains difficult, especially under adaptive adversaries. The difficulty is not only engineering complexity but a mismatch in execution assumptions. Emerging agent abstractions such as AIOS [76] and LangGraph organize execution through scheduler, syscall, and state-graph metaphors borrowed from deterministic computing. These abstractions are useful for workflow control, but they do not yield security guarantees. Formal constraint frameworks such as Formal-LLM [70], which use pushdown automata to enforce valid planning, target functional correctness rather than adversarial robustness."
    },
    {
      "citing_arxiv_id": "2605.22842",
      "ref_index": 19,
      "ref_count": 1,
      "confidence": 0.98,
      "is_internal_anchor": true,
      "paper_title": "The Misattribution Gap: When Memory Poisoning Looks Like Model Failure in Agentic AI Systems",
      "primary_cat": "cs.CR",
      "submitted_at": "2026-05-12T20:21:47+00:00",
      "verdict": "UNVERDICTED",
      "verdict_confidence": "LOW",
      "novelty_score": 5.0,
      "formal_verification": "none",
      "one_line_summary": "Memory poisoning via lost-provenance documents in agent memory stores creates agent misconduct that safety systems misattribute to model failure; the paper defines Semantic Norm Drift, releases a benchmark, and proposes a new testing method plus a defense.",
      "context_count": 0,
      "top_context_role": null,
      "top_context_polarity": null,
      "context_text": null
    },
    {
      "citing_arxiv_id": "2605.08460",
      "ref_index": 49,
      "ref_count": 1,
      "confidence": 0.98,
      "is_internal_anchor": true,
      "paper_title": "When Child Inherits: Modeling and Exploiting Subagent Spawn in Multi-Agent Networks",
      "primary_cat": "cs.CR",
      "submitted_at": "2026-05-08T20:27:23+00:00",
      "verdict": "UNVERDICTED",
      "verdict_confidence": "LOW",
      "novelty_score": 6.0,
      "formal_verification": "none",
      "one_line_summary": "Multi-agent LLM frameworks can spread compromises across agent boundaries via insecure memory inheritance during subagent spawning.",
      "context_count": 1,
      "top_context_role": "background",
      "top_context_polarity": "background",
      "context_text": "safety, and Lee and Tiwari [45] demonstrated LLM-to-LLM propagation. Lupinacci et al. [46] reported 100% compliance with malicious peer-agent requests even on models that resist identical direct injection, identifying inter-agent trust as a critical blind spot. Triedman et al. [47] framed related failures as the confused deputy problem [48]. Yu et al. [49] and He et al. [50] study topological propagation, Shapira et al. [3] document chaotic failure modes, and Lynch et al. [7] examine agents as insider threats. Our work differs by focusing on framework-level rather than model-level propagation, and by formalizing each channel as a violation of an explicit structural invariant rather than treating each attack as a point finding."
    },
    {
      "citing_arxiv_id": "2605.01186",
      "ref_index": 14,
      "ref_count": 1,
      "confidence": 0.9,
      "is_internal_anchor": true,
      "paper_title": "Trace: Unmasking AI Attack Agents Through Terminal Behavior Fingerprinting",
      "primary_cat": "cs.CR",
      "submitted_at": "2026-05-02T01:27:20+00:00",
      "verdict": "UNVERDICTED",
      "verdict_confidence": "LOW",
      "novelty_score": 7.0,
      "formal_verification": "none",
      "one_line_summary": "Trace fingerprints AI penetration testing agents from terminal command sequences to identify model families and extracts their system prompts via targeted defensive prompt injection.",
      "context_count": 0,
      "top_context_role": null,
      "top_context_polarity": null,
      "context_text": null
    },
    {
      "citing_arxiv_id": "2604.08608",
      "ref_index": 4,
      "ref_count": 1,
      "confidence": 0.9,
      "is_internal_anchor": true,
      "paper_title": "Semantic Intent Fragmentation: A Single-Shot Compositional Attack on Multi-Agent AI Pipelines",
      "primary_cat": "cs.CR",
      "submitted_at": "2026-04-08T18:19:03+00:00",
      "verdict": "UNVERDICTED",
      "verdict_confidence": "LOW",
      "novelty_score": 6.0,
      "formal_verification": "none",
      "one_line_summary": "A single legitimate request can cause LLM orchestrators to output plans that violate security policies through the composition of benign subtasks, bypassing subtask-level checks.",
      "context_count": 0,
      "top_context_role": null,
      "top_context_polarity": null,
      "context_text": null
    },
    {
      "citing_arxiv_id": "2603.04474",
      "ref_index": 33,
      "ref_count": 1,
      "confidence": 0.98,
      "is_internal_anchor": true,
      "paper_title": "From Spark to Fire: Modeling and Mitigating Error Cascades in LLM-Based Multi-Agent Collaboration",
      "primary_cat": "cs.MA",
      "submitted_at": "2026-03-04T11:45:27+00:00",
      "verdict": "UNVERDICTED",
      "verdict_confidence": "LOW",
      "novelty_score": 6.0,
      "formal_verification": "none",
      "one_line_summary": "A graph-based propagation model for error cascades in LLM multi-agent systems plus a genealogy-graph governance plugin that prevents final infection in at least 89% of runs across tested frameworks.",
      "context_count": 0,
      "top_context_role": null,
      "top_context_polarity": null,
      "context_text": null
    },
    {
      "citing_arxiv_id": "2510.23883",
      "ref_index": 40,
      "ref_count": 1,
      "confidence": 0.98,
      "is_internal_anchor": true,
      "paper_title": "Agentic AI Security: Threats, Defenses, Evaluation, and Open Challenges",
      "primary_cat": "cs.AI",
      "submitted_at": "2025-10-27T21:48:11+00:00",
      "verdict": "UNVERDICTED",
      "verdict_confidence": "LOW",
      "novelty_score": 4.0,
      "formal_verification": "none",
      "one_line_summary": "A survey that taxonomizes threats to agentic AI, reviews benchmarks and evaluation methods, discusses technical and governance defenses, and identifies open challenges.",
      "context_count": 1,
      "top_context_role": "background",
      "top_context_polarity": "background",
      "context_text": "base LLMs [36], while others are novel and occur due to the unique landscape of agent-agent interactions. Prompt injection attacks remains a critical LLM vulnerability, permitting adversaries to manipulate agent behavior through crafted inputs [37-39]. Lupinacci et al. demonstrated that 94.4% of state-of-the-art LLM agents are vulnerable to prompt injection, 83.3% to retrieval-based backdoors, and 100% to inter-agent trust exploits [40]. Further, researchers at Anthropic observed that generative models, when given directive autonomy, engaged in misaligned behaviors such as blackmail or corporate espionage to fulfill goals, even when those behaviors diverged from human ethical standards [41]. It is evident that these security vulnerabilities can result in highly adverse consequences for some of the proposed"
    }
  ],
  "limit": 50,
  "offset": 0
}