Pith. sign in

REVIEW 24 cited by

Design Patterns for Securing LLM Agents against Prompt Injections

Not yet reviewed by Pith; the record is open.

This paper has not been read by Pith yet. Machine review is queued; the pith claim, tier, and objections will appear here once it completes.

SPECIMEN: schema-true, not a live event

T0 review · schema-true

One-sentence machine reading of the paper's core claim.

pith:XXXXXXXX · record.json · timestamp

arxiv 2506.08837 v3 pith:6KPSY3BG submitted 2025-06-10 cs.LG cs.CR

Design Patterns for Securing LLM Agents against Prompt Injections

classification cs.LG cs.CR
keywords agentspatternspromptbecomedesigninjectionlanguagesecurity
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved
0 comments
read the original abstract

As AI agents powered by Large Language Models (LLMs) become increasingly versatile and capable of addressing a broad spectrum of tasks, ensuring their security has become a critical challenge. Among the most pressing threats are prompt injection attacks, which exploit the agent's resilience on natural language inputs -- an especially dangerous threat when agents are granted tool access or handle sensitive information. In this work, we propose a set of principled design patterns for building AI agents with provable resistance to prompt injection. We systematically analyze these patterns, discuss their trade-offs in terms of utility and security, and illustrate their real-world applicability through a series of case studies.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 24 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Trojan Hippo: Weaponizing Agent Memory for Data Exfiltration

    cs.CR 2026-05 unverdicted novelty 8.0

    Trojan Hippo attacks on LLM agent memory achieve 85-100% success rates in data exfiltration across four memory backends even after 100 benign sessions, while evaluated defenses reduce success rates but impose varying ...

  2. Prismata: Confining Cross-Site Prompt Injection in Web Agents

    cs.CR 2026-07 conditional novelty 7.5

    Prismata cuts web-agent prompt-injection attack success from 85.5% to 0.7% via Biba-inspired DOM trust labeling and mechanical least-privilege confinement without site annotations.

  3. Beyond Self-Resolution: Settlement Factorization for Robust Natural Language Mechanism

    cs.GT 2026-07 accept novelty 7.5

    Settlement factorization is a normal form: every mechanism admits a ghost-reference label with leakage ε within factor two of optimal, and truthful margins degrade by at most the tight constant 2Lε.

  4. Agent Data Injection Attacks are Realistic Threats to AI Agents

    cs.CR 2026-07 accept novelty 7.0

    Agent data injection (ADI) forges trusted agent metadata via probabilistic delimiter injection and bypasses defenses built only for instruction injection.

  5. Data Flow Control: Data Safety Policies for AI Agents

    cs.DB 2026-06 unverdicted novelty 7.0

    Data Flow Control formalizes data safety as aggregate predicates over provenance monomials and implements enforcement via the Passant query rewriting layer achieving near-zero overhead across five DBMS engines.

  6. What You Approve Is What Executes: Consent Integrity for Black-Box LLM Agents

    cs.CR 2026-06 unverdicted novelty 7.0

    The paper introduces Consent Integrity as the property that actions shown for approval must be rendered by a trusted mediator from the real boundary action over an unspoofable path and bound to execution, with uninspe...

  7. IPI-proxy: An Intercepting Proxy for Red-Teaming Web-Browsing AI Agents Against Indirect Prompt Injection

    cs.CR 2026-05 unverdicted novelty 7.0

    IPI-proxy is a toolkit using an intercepting proxy to inject indirect prompt injection attacks into live web pages for testing AI browsing agents against hidden instructions.

  8. LogJack: Indirect Prompt Injection Through Cloud Logs Against LLM Debugging Agents

    cs.CR 2026-04 conditional novelty 7.0

    LogJack shows indirect prompt injection via cloud logs succeeds in making LLM agents execute remote code on 6 of 8 models, with most cloud guardrails failing to detect the attacks.

  9. Prompt Injection Attack to Tool Selection in LLM Agents

    cs.CR 2025-04 conditional novelty 7.0

    ToolHijacker optimizes malicious tool documents via a two-phase strategy to hijack LLM agents' tool selection in no-box settings.

  10. Janus: a Playground for User-Involved Agentic Permission Management

    cs.AI 2026-07 unverdicted novelty 6.0

    Janus is a publicly available playground system and evaluation harness for testing user-involved permission management designs in AI agents, demonstrating benefits of user input and the need for context-sensitive approaches.

  11. GIF: Locally Sound Geometric Information Flow Control for LLMs

    cs.AI 2026-06 unverdicted novelty 6.0

    GIF introduces a Jacobian-based upper bound on input-output mutual information in LLMs with formal Lean proof and strong empirical recall on injection and leakage benchmarks.

  12. Game-Theoretic Multi-Agent Control for Robust Contextual Reasoning in LLMs

    cs.CR 2026-06 unverdicted novelty 6.0

    GT-MCP coordinates three LLM agents via a trust function and rollback to bound contextual drift and block adversarial injections in multi-turn interactions.

  13. Web Agents Should Adopt the Plan-Then-Execute Paradigm

    cs.CR 2026-05 unverdicted novelty 6.0

    Web agents should default to planning a complete task program before observing live web content to reduce prompt injection exposure, since WebArena tasks are compatible and 80% need no runtime LLM calls.

  14. Trojan Hippo: Weaponizing Agent Memory for Data Exfiltration

    cs.CR 2026-05 unverdicted novelty 6.0

    The paper defines and evaluates Trojan Hippo attacks on LLM agent memory, showing 85-100% success in data exfiltration across backends and reduced rates with defenses at varying utility costs.

  15. Alignment Contracts for Agentic Security Systems

    cs.CR 2026-04 conditional novelty 6.0 full

    Alignment contracts define scope, allowed effects, budgets and disclosure rules as safety properties over finite effect traces, with decidable admissibility, refinement rules, and Lean-verified soundness under an obse...

  16. Tracking Capabilities for Safer Agents

    cs.AI 2026-03 unverdicted novelty 6.0

    AI agents can generate code in a capability-safe Scala dialect that statically prevents information leakage and malicious side effects while preserving task performance.

  17. Semantic Attacks on Tool-Augmented LLMs: Securing the Model Context Protocol Against Descriptor-Level Manipulation

    cs.CR 2025-12 unverdicted novelty 6.0

    Descriptor-level manipulation in the Model Context Protocol can drive LLMs to unsafe tool selections in up to 36% of cases; a layered defense of integrity checks, auxiliary-LLM vetting, and runtime guardrails reduces ...

  18. Agents That Know Too Much: A Data-Centric Survey of Privacy in LLM Agents

    cs.CR 2026-06 unverdicted novelty 5.0

    A data-centric survey finds that only information-flow control covers compositional and cross-session leakage in LLM agents and that no single benchmark tests an agent across all its data surfaces under one policy.

  19. Adaptive Evaluation of Out-of-Band Defenses Against Prompt Injection in LLM Agents

    cs.CR 2026-06 unverdicted novelty 5.0

    An independent reproduction on AgentDojo with Qwen2.5-7B finds that the Progent out-of-band defense reduces mean attack success from 25.8% to 4.2% and holds against a hand-crafted adaptive attack at 2.6%.

  20. Lingering Authority: Revocable Resource-and-Effect Capabilities for Coding Agents

    cs.CR 2026-06 unverdicted novelty 5.0

    PORTICO is a revocable capability reference monitor for coding agents that enforces task contracts via grant-invoke-closure lifecycles and rejects post-closure reuses while preserving task success.

  21. The Insurability Frontier of AI Risk: Mapping Threats to Affirmative Coverage, Silent Exposures, and Exclusions

    q-fin.RM 2026-05 unverdicted novelty 5.0

    The paper codes AI threats from OWASP/MITRE catalogs against public insurance materials to delineate a four-tier insurability frontier separating affirmative coverage, silent exposures, exclusions, and uninsurable perils.

  22. Agentic-J: An AI Agent for Biological Microscopy Image Analysis

    cs.MA 2026-06 unverdicted novelty 4.0

    Agentic-J is a multi-agent AI assistant that converts natural language descriptions of biological image analysis tasks into executable, reproducible scripts for ImageJ/Fiji with specialised sub-agents for plugin manag...

  23. Agentic AI Security: Threats, Defenses, Evaluation, and Open Challenges

    cs.AI 2025-10 unverdicted novelty 4.0

    A survey that taxonomizes threats to agentic AI, reviews benchmarks and evaluation methods, discusses technical and governance defenses, and identifies open challenges.

  24. Toward Secure LLM Agents: Threat Surfaces, Attacks, Defenses, and Evaluation

    cs.CR 2026-06 unverdicted novelty 3.0

    A synthesis of 247 papers on LLM agent security identifies prompt injection and tool hijacking as dominant threats, notes weakly compositional defenses, and argues for trust boundaries and realistic evaluations.