{"total":28,"items":[{"citing_arxiv_id":"2605.17986","ref_index":28,"ref_count":1,"confidence":0.98,"is_internal_anchor":true,"paper_title":"LivePI: More Realistic Benchmarking of Agents Against Indirect Prompt Injection","primary_cat":"cs.CR","submitted_at":"2026-05-18T07:41:35+00:00","verdict":null,"verdict_confidence":null,"novelty_score":null,"formal_verification":null,"one_line_summary":null,"context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.12233","ref_index":20,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"No More, No Less: Task Alignment in Terminal Agents","primary_cat":"cs.LG","submitted_at":"2026-05-12T15:06:15+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"The TAB benchmark reveals that frontier terminal agents achieve high task completion but low selective alignment with relevant environmental cues over distractors, and prompt-injection defenses block both.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.11868","ref_index":15,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"IPI-proxy: An Intercepting Proxy for Red-Teaming Web-Browsing AI Agents Against Indirect Prompt Injection","primary_cat":"cs.CR","submitted_at":"2026-05-12T09:48:53+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"IPI-proxy is a toolkit using an intercepting proxy to inject indirect prompt injection attacks into live web pages for testing AI browsing agents against hidden instructions.","context_count":1,"top_context_role":"background","top_context_polarity":"support","context_text":"are evaluation suites, not deployable testing infrastructure: their adversarial pages are designed to be loaded by the agent under test, which presupposes that the agent can reach attacker-hosted URLs. 2 of 8 IPI-proxy 2.3 Defence Techniques Defenses proposed against IPI fall into three broad categories.Input transformation approaches such as Microsoft Spotlighting [15] delimit, datamark, or encode untrusted text so the LLM treats it as data rather than instruction. Training-time approaches reshape the model itself: StruQ [ 16] fine-tunes the model on structured queries that separate prompt from data, and SecAlign [ 17] uses preference optimization to reward injection-robust completions. Architectural approaches confine the privileged capability surface"},{"citing_arxiv_id":"2605.11229","ref_index":13,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Comment and Control: Hijacking Agentic Workflows via Context-Grounded Evolution","primary_cat":"cs.CR","submitted_at":"2026-05-11T20:45:31+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":8.0,"formal_verification":"none","one_line_summary":"JAW uses hybrid program analysis to evolve inputs that hijack agentic workflows, successfully compromising 4714 GitHub workflows and eight n8n templates to enable actions like credential exfiltration.","context_count":1,"top_context_role":"other","top_context_polarity":"unclear","context_text":"com/google-github- actions/run-gemini-cli, 2025. GitHub repository, accessed 2026-04-22. [12] Greshake, K., Abdelnabi, S., Mishra, S., Endres, C., Holz, T., and Fritz, M.Not what you've signed up for: Compromising real-world llm-integrated applications with indirect prompt injection.Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security(2023). [13] He, P., Li, C., Zhao, B., Du, T., and Ji, S.Automatic red teaming llm-based agents with model context protocol tools, 2025. [14] Hines, K., Lopez, G., Hall, M., Zarfati, F., Zunger, Y., and Kiciman, E.De- fending against indirect prompt injection attacks with spotlighting.ArXiv abs/2403.14720(2024). [15] Jiang, W., W ang, Z., Zhai, J., Ma, S., Zhao, Z."},{"citing_arxiv_id":"2605.11026","ref_index":6,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"AgentShield: Deception-based Compromise Detection for Tool-using LLM Agents","primary_cat":"cs.CR","submitted_at":"2026-05-10T20:08:27+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"AgentShield uses layered deception traps in LLM agent tool interfaces to detect indirect prompt injection compromises with 90.7-100% success on commercial models, zero false positives, and cross-lingual transfer without retraining.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.09033","ref_index":43,"ref_count":3,"confidence":0.98,"is_internal_anchor":true,"paper_title":"ShadowMerge: A Novel Poisoning Attack on Graph-Based Agent Memory via Relation-Channel Conflicts","primary_cat":"cs.CR","submitted_at":"2026-05-09T16:16:41+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":8.0,"formal_verification":"none","one_line_summary":"ShadowMerge exploits relation-channel conflicts to poison graph-based agent memory, achieving 93.8% average attack success rate on Mem0 and real-world datasets while bypassing existing defenses.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"The result leaves macro ASR unchanged on the selected subset because semantic-preserving rewriting often retains the anchor, relation channel, and conflicting value required by CARC. This suggests that transformations operating only on the submitted text are unlikely to be sufficient when they preserve the relation that the graph builder later extracts [42], [43], [44], [45], [46]. More aggressive transformations may reduce materialization or retrieval, but they also risk degrading benign memory utility because graph memory relies on the same entities and relation values for personalization and recall [6], [7], [14]. Implications for graph-memory defenses.A more direct defense point is the relation layer. The materialization-merge-"},{"citing_arxiv_id":"2605.05969","ref_index":25,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Heimdallr: Characterizing and Detecting LLM-Induced Security Risks in GitHub CI Workflows","primary_cat":"cs.CR","submitted_at":"2026-05-07T10:16:26+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":8.0,"formal_verification":"none","one_line_summary":"Heimdallr detects LLM-induced security risks in GitHub CI workflows by normalizing them into an LLM-Workflow Property Graph and combining triggerability analysis with LLM-assisted dataflow summarization, achieving over 0.91 F1 on threat detection in evaluation.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.03378","ref_index":131,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"ARGUS: Defending LLM Agents Against Context-Aware Prompt Injection","primary_cat":"cs.CR","submitted_at":"2026-05-05T05:37:00+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"ARGUS defends LLM agents from context-aware prompt injections by tracking information provenance and verifying decisions against trustworthy evidence, reducing attack success to 3.8% while retaining 87.5% task utility.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.01970","ref_index":34,"ref_count":2,"confidence":0.98,"is_internal_anchor":true,"paper_title":"Trojan Hippo: Weaponizing Agent Memory for Data Exfiltration","primary_cat":"cs.CR","submitted_at":"2026-05-03T17:07:20+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"The paper defines and evaluates Trojan Hippo attacks on LLM agent memory, showing 85-100% success in data exfiltration across backends and reduced rates with defenses at varying utility costs.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"tory is kept in the context window and, when the maximum context window of the agent's LLM is exceeded, the oldest tokens are trun- cated from the start so that the most recent tokens are retained. There is no separate memory store: retrieval is implicit, determined entirely by what fits in context. This models agents that rely solely on in-context history with no dedicated long-term persistence [37], and serves as the baseline memory model. RAG (retrieval-augmented generation).Agent conversation traces (user and assistant messages) are split into fixed-size chunks (512 characters by default [12]), embedded, and stored in a vector index. At each turn, the current user message is used as a query; the top-8 most semantically similar chunks are retrieved and prepended"},{"citing_arxiv_id":"2605.01644","ref_index":8,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Toward a Principled Framework for Agent Safety Measurement","primary_cat":"cs.CR","submitted_at":"2026-05-02T23:34:32+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"BOA uses budgeted search over agent trajectories to report the probability an LLM agent stays safe, finding unsafe paths that sampling misses.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.00314","ref_index":13,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Semia: Auditing Agent Skills via Constraint-Guided Representation Synthesis","primary_cat":"cs.CR","submitted_at":"2026-05-01T00:48:47+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Semia synthesizes Datalog representations of agent skills via constraint-guided loops to enable reachability queries for semantic risks, finding critical issues in over half of 13,728 real skills with 97.7% recall on expert-labeled samples.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"Benchmarks quantify the threat at scale: InjecAgent [45] (1,054 IPI test cases), AgentDojo [7] (97 tasks, 629 security tests), and Agent Security Bench [46] (400+ tools, up to 84% attack success). Defensive mechanisms operate primarily at runtime. StruQ [4] enforces instruction-data separation via structured queries and specialized model fine-tuning, Spotlighting [13] introduces delim- iting and encoding transformations to make untrusted content distinguishable, and DataSentinel [23] applies game-theoretic per- turbation for prompt injection detection. However, all three depend on the LLM's probabilistic interpretation at inference time.Semia shifts the audit boundary to pre-deployment, lifting skills into SDL"},{"citing_arxiv_id":"2604.24118","ref_index":3,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"AgentVisor: Defending LLM Agents Against Prompt Injection via Semantic Virtualization","primary_cat":"cs.CR","submitted_at":"2026-04-27T07:12:52+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"AgentVisor cuts prompt injection success rate to 0.65% in LLM agents with only 1.45% utility loss via semantic privilege separation and one-shot self-correction.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2604.23887","ref_index":10,"ref_count":2,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Evaluation of Prompt Injection Defenses in Large Language Models","primary_cat":"cs.CR","submitted_at":"2026-04-26T21:22:35+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":5.0,"formal_verification":"none","one_line_summary":"Only output filtering with hardcoded rules in application code prevented prompt injection leaks in LLMs, as all model-based defenses were defeated by an adaptive attacker.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2604.23711","ref_index":4,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Spore: Efficient and Training-Free Privacy Extraction Attack on LLMs via Inference-Time Hybrid Probing","primary_cat":"cs.CR","submitted_at":"2026-04-26T13:54:15+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Spore extracts private data from LLM memory with one query in black-box mode or ranked tokens in gray-box, outperforming prior attacks while bypassing defenses.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2604.19657","ref_index":24,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"An AI Agent Execution Environment to Safeguard User Data","primary_cat":"cs.CR","submitted_at":"2026-04-21T16:45:30+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"GAAP guarantees confidentiality of private user data for AI agents by enforcing user-specified permissions deterministically through persistent information flow tracking, without trusting the agent or requiring attack-free models.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"com/blog/practical-security-guidance- for-sandboxing-agentic-workflows-and-managing-execution-risk/ [23] Keegan Hines, Gary Lopez, Matthew Hall, Federico Zarfati, Yonatan Zunger, and Emre Kiciman. 2024. Defending Against Indirect Prompt Injection Attacks With Spotlighting.arXiv(2024). arXiv:2403.14720 https://api.semanticscholar.org/CorpusID:268667111 [24] Hakan Inan, Kartikeya Upasani, Jianfeng Chi, Rashi Rungta, Krithika Iyer, Yuning Mao, Michael Tontchev, Qing Hu, Brian Fuller, Davide Testuggine, and Madian Khabsa. 2023. Llama Guard: LLM-based Input-Output Safeguard for Human-AI Conversations.arXiv(2023). arXiv:2312.06674 [cs.CL]https://arxiv.org/abs/2312.06674 [25] Dennis Jacob, Emad Alghamdi, Zhanhao Hu, Basel Alomair, and David"},{"citing_arxiv_id":"2604.18874","ref_index":38,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"How Adversarial Environments Mislead Agentic AI?","primary_cat":"cs.AI","submitted_at":"2026-04-20T21:53:39+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Adversarial compromise of tool outputs misleads agentic AI via breadth and depth attacks, revealing that epistemic and navigational robustness are distinct and often trade off against each other.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2604.18248","ref_index":8,"ref_count":2,"confidence":0.98,"is_internal_anchor":true,"paper_title":"Beyond Pattern Matching: Seven Cross-Domain Techniques for Prompt Injection Detection","primary_cat":"cs.CR","submitted_at":"2026-04-20T13:27:05+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"The work introduces and partially evaluates seven cross-domain prompt injection detectors, reporting F1 gains on benchmarks like deepset/prompt-injections and indirect-injection sets via local alignment, stylometry, and fatigue tracking.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2604.17842","ref_index":28,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"QuickScope: Certifying Hard Questions in Dynamic LLM Benchmarks","primary_cat":"cs.CL","submitted_at":"2026-04-20T05:51:50+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"QuickScope uses modified COUP Bayesian optimization to find truly difficult questions in dynamic LLM benchmarks more sample-efficiently than baselines while cutting false positives.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2604.04035","ref_index":13,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Causality Laundering: Denial-Feedback Leakage in Tool-Calling LLM Agents","primary_cat":"cs.CR","submitted_at":"2026-04-05T09:28:51+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"The paper defines causality laundering as an attack leaking information from denial outcomes in LLM tool calls and proposes the Agentic Reference Monitor to block it using denial-aware provenance graphs.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"Safe [19] provides step-level pre-execution safety detection. AgentGuardian [1] learns context- aware access-control policies from execution traces. PRISM [18] provides a defense-in-depth runtime layer for deployable agent gateways, and OPP [33] proposes protocol-level governance 18 for agent-to-tool communication. At the prompt level, Spotlighting [13] and instruction hi- erarchy [28] harden the LLM against prompt injection, while NeMo Guardrails [20] provides configurable input/output filtering. These are complementary to ARM: they reduce injection probability or restrict tool access, while ARM limits damage when injection succeeds by enforc- ing provenance invariants at the execution boundary."},{"citing_arxiv_id":"2603.28013","ref_index":9,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Kill-Chain Canaries: Stage-Level Tracking of Prompt Injection Across Attack Surfaces and Model Safety Tiers","primary_cat":"cs.CR","submitted_at":"2026-03-30T04:07:18+00:00","verdict":"CONDITIONAL","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"Stage-level tracking of prompt injection reveals that write-node placement and model-specific behaviors determine attack outcomes more than initial exposure in LLM pipelines.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.06669","ref_index":10,"ref_count":2,"confidence":0.98,"is_internal_anchor":true,"paper_title":"Evaluating Prompt Injection Defenses for Educational LLM Tutors: Security-Usability-Latency Trade-offs","primary_cat":"cs.CR","submitted_at":"2026-03-29T18:52:01+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":4.0,"formal_verification":"none","one_line_summary":"A domain-specific multi-layer safeguard for educational LLM tutors achieves zero false positives on benign tasks while providing measurable resistance to prompt injection, with explicit trade-offs versus existing guardrails on latency and attack bypass.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2603.12230","ref_index":17,"ref_count":1,"confidence":0.98,"is_internal_anchor":true,"paper_title":"Security Considerations for Artificial Intelligence Agents","primary_cat":"cs.LG","submitted_at":"2026-03-12T17:49:39+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":3.0,"formal_verification":"none","one_line_summary":"Frontier AI agents introduce new confidentiality, integrity, and availability risks through changed assumptions on code-data separation and authority boundaries, requiring layered defenses like sandboxing and policy enforcement.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2509.22830","ref_index":3,"ref_count":1,"confidence":0.98,"is_internal_anchor":true,"paper_title":"ChatInject: Abusing Chat Templates for Prompt Injection in LLM Agents","primary_cat":"cs.CL","submitted_at":"2025-09-26T18:38:07+00:00","verdict":"CONDITIONAL","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"ChatInject exploits LLM chat template structures to boost indirect prompt injection success rates on agents from ~5-15% to 32-52% across benchmarks, with multi-turn persuasion variants performing best.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2506.17299","ref_index":13,"ref_count":1,"confidence":0.98,"is_internal_anchor":true,"paper_title":"Toward Principled LLM Safety Testing: Solving the Jailbreak Oracle Problem","primary_cat":"cs.CR","submitted_at":"2025-06-17T20:37:29+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Formalizes the jailbreak oracle problem for LLMs and introduces Boa, a two-phase breadth-first then depth-first search system to solve it efficiently.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2504.20472","ref_index":16,"ref_count":1,"confidence":0.98,"is_internal_anchor":true,"paper_title":"Robustness via Referencing: Defending against Prompt Injection Attacks by Referencing the Executed Instruction","primary_cat":"cs.CR","submitted_at":"2025-04-29T07:13:53+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"The method prompts LLMs to output both answers and references to the executed instructions, then filters out any answers not linked to the original input instructions, reducing attack success rates to zero in tested scenarios while preserving utility.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2504.11703","ref_index":25,"ref_count":1,"confidence":0.98,"is_internal_anchor":true,"paper_title":"Progent: Securing AI Agents with Privilege Control","primary_cat":"cs.CR","submitted_at":"2025-04-16T01:58:40+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Progent introduces a privilege-control framework for AI agents that uses LLM-generated symbolic rules over tools, SMT-solver-enforced monotonic updates, and deterministic checks to reduce attack success rates on AgentDojo and ASB benchmarks.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2410.07283","ref_index":60,"ref_count":1,"confidence":0.98,"is_internal_anchor":true,"paper_title":"Prompt Infection: LLM-to-LLM Prompt Injection within Multi-Agent Systems","primary_cat":"cs.MA","submitted_at":"2024-10-09T11:01:29+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":8.0,"formal_verification":"none","one_line_summary":"Prompt injection attacks can self-replicate across LLM agents in multi-agent systems, enabling data theft, misinformation, and system disruption while propagating silently.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2406.13352","ref_index":19,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents","primary_cat":"cs.CR","submitted_at":"2024-06-19T08:55:56+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":8.0,"formal_verification":"none","one_line_summary":"AgentDojo introduces an extensible evaluation framework populated with realistic agent tasks and security test cases to measure prompt injection robustness in tool-using LLM agents.","context_count":1,"top_context_role":"method","top_context_polarity":"use_method","context_text":"3 Prompt Injection Defenses So far, we have evaluated LLM agents that were not specifically designed to resist prompt injections (beyond built-in defenses that may be present in closed models). We now evaluate GPT-4o enhanced with a variety of defenses proposed in the literature against our strongest attack: (i) Data delimiters, where following Hines et al. [19] we format all tool outputs with special delimiters, and prompt the model to ignore instructions within these (prompt in Figure 17), (ii) Prompt injection detection which uses a BERT classifier from ProtectAI [45] trained to detect prompt injection on each tool call output, and aborts the agent if anything has been detected, (iii) Prompt sandwiching [30] which repeats"}],"limit":50,"offset":0}