{"total":15,"items":[
{"citing_arxiv_id":"2605.28071","ref_index":22,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"AgentGuard: An Attribute-Based Access Control Framework for Tool-Use LLM-Based Agent","primary_cat":"cs.CR","submitted_at":"2026-05-27T07:28:39+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":4.0,"formal_verification":"none","one_line_summary":"AgentGuard is an ABAC framework for tool-use LLM agents with lightweight client integration and three server-side inspection mechanisms for single-tool and cross-tool risks.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2605.26497","ref_index":23,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Aligning Provenance with Authorization: A Dual-Graph Defense for LLM Agents","primary_cat":"cs.CR","submitted_at":"2026-05-26T03:20:23+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"AuthGraph aligns an execution provenance graph with a clean authorization graph to detect parameter-source deviations from user intent, reducing attack success rates to 1-2% on AgentDojo and AgentDyn while retaining most task utility.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2605.16630","ref_index":27,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"PrivScope: Task-scoped Disclosure Control for Hybrid Agentic Systems","primary_cat":"cs.CR","submitted_at":"2026-05-15T20:53:22+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"PrivScope enforces task-scoped disclosure at the local-cloud boundary in hybrid agents, eliminating profile leakage and halving re-identification risk on medical workflows while preserving task success.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2605.11770","ref_index":37,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Behavioral Integrity Verification for AI Agent Skills","primary_cat":"cs.CR","submitted_at":"2026-05-12T08:41:09+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"BIV audits AI agent skills at scale, finding 80% deviate from declared behavior on 49,943 skills and achieving 0.946 F1 for malicious skill detection.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"Tontchev, Qing Hu, Brian Fuller, Davide Testuggine, and Madian Khabsa. Llama Guard: LLM-based input-output safeguard for human-AI conversations, 2023. [36] Wenkai Yang, Xiaohan Bi, Yankai Lin, Sishuo Chen, Jie Zhou, and Xu Sun. Watch out for your agents! investigating backdoor threats to LLM-based agents. In Advances in Neural Information Processing Systems (NeurIPS), 2024. [37] Yuhao Wu, Franziska Roesner, Tadayoshi Kohno, Ning Zhang, and Umar Iqbal. IsolateGPT: An execution isolation architecture for LLM-based agentic systems. In Network and Distributed System Security Symposium (NDSS), 2025. arXiv preprint arXiv:2403.04960; originally titled SecGPT. [38] Alexander Robey, Eric Wong, Hamed Hassani, and George J. Pappas."},
{"citing_arxiv_id":"2605.11360","ref_index":54,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Options, Not Clicks: Lattice Refinement for Consent-Driven MCP Authorization","primary_cat":"cs.CR","submitted_at":"2026-05-12T00:25:56+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":5.0,"formal_verification":"none","one_line_summary":"Conleash uses a risk lattice, policy engine, and refinement loop to deliver scoped, consent-driven authorization for MCP tool calls, reaching 98.2% accuracy and 99.4% escalation catch rate on 984 traces with 8.2 ms overhead and higher user preference in a 16-person study.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2605.03378","ref_index":149,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"ARGUS: Defending LLM Agents Against Context-Aware Prompt Injection","primary_cat":"cs.CR","submitted_at":"2026-05-05T05:37:00+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"ARGUS defends LLM agents from context-aware prompt injections by tracking information provenance and verifying decisions against trustworthy evidence, reducing attack success to 3.8% while retaining 87.5% task utility.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2605.00314","ref_index":44,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Semia: Auditing Agent Skills via Constraint-Guided Representation Synthesis","primary_cat":"cs.CR","submitted_at":"2026-05-01T00:48:47+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Semia synthesizes Datalog representations of agent skills via constraint-guided loops to enable reachability queries for semantic risks, finding critical issues in over half of 13,728 real skills with 97.7% recall on expert-labeled samples.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"ToolSword: Unveiling Safety Issues of Large Language Models in Tool Learning Across Three Stages. In Proceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), Lun-Wei Ku, Andre Martins, and Vivek Srikumar (Eds.). Association for Computational Linguistics, Bangkok, Thailand, 2181-2211. doi:10.18653/v1/2024.acl-long.119 [44] Zenity Labs. 2025. EchoLeak: A Reminder That AI Agent Risks Are Here to Stay. https://labs.zenity.io/p/echoleak-a-reminder-that-ai-agent-risks-are-here-to-stay-3cf3. Online. [45] Qiusi Zhan, Zhixiang Liang, Zifan Ying, and Daniel Kang. 2024. InjecAgent: Benchmarking Indirect Prompt Injections in Tool-Integrated Large Language Model Agents. arXiv:2403."},
{"citing_arxiv_id":"2604.18231","ref_index":58,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"AgenTEE: Confidential LLM Agent Execution on Edge Devices","primary_cat":"cs.CR","submitted_at":"2026-04-20T13:13:31+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"AgenTEE isolates LLM agent runtime, inference, and apps in independently attested cVMs on Arm-based edge devices, achieving under 5.15% overhead versus commodity OS deployments.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2604.12986","ref_index":49,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Parallax: Why AI Agents That Think Must Never Act","primary_cat":"cs.CR","submitted_at":"2026-04-14T17:20:48+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Parallax enforces structural separation between AI thinking and acting via independent multi-tier validation, information flow control, and state rollback, blocking 98.9% of 280 adversarial attacks with zero false positives even when the reasoning system is fully compromised.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2604.06284","ref_index":19,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"ClawLess: A Security Model of AI Agents","primary_cat":"cs.CR","submitted_at":"2026-04-07T12:19:55+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":5.0,"formal_verification":"none","one_line_summary":"ClawLess introduces a formal fine-grained security model for AI agents with runtime-adaptive policies enforced via user-space kernel and BPF syscall interception.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2512.01594","ref_index":23,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"CAEC: Confidential, Attestable, and Efficient Inter-CVM Communication with Arm CCA","primary_cat":"cs.CR","submitted_at":"2025-12-01T12:10:43+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"CAEC adds confidential shared memory to Arm CCA, cutting inter-CVM communication cost by up to 209x versus encryption through hypervisor-visible memory while preserving isolation and adding attestable sharing.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2506.04565","ref_index":198,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"From Standalone LLMs to Integrated Intelligence: A Survey of Compound AI Systems","primary_cat":"cs.MA","submitted_at":"2025-06-05T02:34:43+00:00","verdict":"ACCEPT","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"A survey that defines Compound AI Systems, proposes a multi-dimensional taxonomy based on component roles and orchestration strategies, reviews four foundational paradigms, and identifies key challenges for future research.","context_count":1,"top_context_role":"dataset","top_context_polarity":"use_dataset","context_text":"Objective Layer AI Fairness 360 [8] Fairness-specific metrics LLM Agent Role-Playing RoleLLM [184], AgentBench [101], AgentBoard [108] Role-Consistency Score, Self-Correction Rate Interactive Reasoning AgentQuest [49], InfiAgent-DABench [58], CriticBench [94] Reasoning Trace Accuracy, Generalization Score Tool Use ML-Bench [166], Berkeley Function Calling Leaderboard [198] Tool Call Accuracy, Token Efficiency Manuscript submitted to ACM 26 Chen et al. API Response Time, Cache Hit Rate), and the Objective Layer (alignment with goals: fairness metrics). Representative benchmarks for each layer are provided in Table 1. These benchmarks and datasets collectively form a framework for evaluating modern AI systems, spanning RAG,"},
{"citing_arxiv_id":"2410.20791","ref_index":113,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"From Cool Demos to Production-Ready FMware: Core Challenges and a Technology Roadmap","primary_cat":"cs.SE","submitted_at":"2024-10-28T07:16:00+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":4.0,"formal_verification":"none","one_line_summary":"A semi-structured thematic synthesis identifies core challenges in FM selection, alignment, prompting, orchestration, testing, deployment, and cross-cutting concerns like observability for production-ready FMware.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2406.13352","ref_index":66,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents","primary_cat":"cs.CR","submitted_at":"2024-06-19T08:55:56+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":8.0,"formal_verification":"none","one_line_summary":"AgentDojo introduces an extensible evaluation framework populated with realistic agent tasks and security test cases to measure prompt injection robustness in tool-using LLM agents.","context_count":1,"top_context_role":"method","top_context_polarity":"use_method","context_text":"https://simonwillison.net/2023/Apr/25/dual-llm-pattern/. 2023. [64] Simon Willison. You can't solve AI security problems with more AI. https://simonwillison.net/2022/Sep/17/prompt-injection-more-ai/. 2022. [65] Michael Wooldridge and Nicholas R Jennings. \"Intelligent agents: Theory and practice\". In: The knowledge engineering review 10.2 (1995), pp. 115-152. [66] Yuhao Wu, Franziska Roesner, Tadayoshi Kohno, Ning Zhang, and Umar Iqbal. \"SecGPT: An execution isolation architecture for LLM-based systems\". In: arXiv preprint arXiv:2403.04960 (2024). [67] Fanjia Yan, Huanzhi Mao, Charlie Cheng-Jie Ji, Tianjun Zhang, Shishir G. Patil, Ion Stoica, and Joseph E. Gonzalez. Berkeley Function Calling Leaderboard. https://gorilla."},
{"citing_arxiv_id":"2402.06922","ref_index":41,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Whispers in the Machine: Confidentiality in Agentic Systems","primary_cat":"cs.CR","submitted_at":"2024-02-10T11:07:24+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Systematic testing of ten LLM agents across 20 tool scenarios and 14 attacks finds universal vulnerability to prompt injection enabling data exfiltration, with tooling amplifying leakage.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null}
],"limit":50,"offset":0}