pith. machine review for the scientific record.

arxiv: 2605.07135 · v1 · submitted 2026-05-08 · 💻 cs.CR

Recognition: no theorem link

Demystifying and Detecting Agentic Workflow Injection Vulnerabilities in GitHub Actions

Authors on Pith: no claims yet

Pith reviewed 2026-05-11 02:00 UTC · model grok-4.3

classification 💻 cs.CR
keywords Agentic Workflow Injection · GitHub Actions · Prompt Injection · Taint Analysis · LLM Agents · Vulnerability Detection · CI/CD Security

The pith

Untrusted event context can hijack LLM agents in GitHub Actions by reaching their prompts or derived script inputs.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces Agentic Workflow Injection as a distinct risk in LLM-powered GitHub workflows where content from issues, pull requests, or comments reaches agent inputs and produces unsafe actions. It distinguishes Prompt-to-Agent flows, which taint the prompt itself, from Prompt-to-Script flows, which taint later workflow steps through agent outputs. By characterizing 1,033 AI-assisted actions, the authors derive precise taint rules and build a detector that flags 519 candidate flaws across 13,392 workflows. Most of these candidates (496, a precision of 95.6%) prove exploitable under a realistic threat model, including 343 previously unreported cases.

Core claim

Agentic Workflow Injection occurs when untrusted GitHub event context such as issue bodies or comments is fed into agent prompts or into scripts that consume agent-derived outputs, enabling attackers to influence tool usage or repository changes. The two core patterns are Prompt-to-Agent injection at the model input boundary and Prompt-to-Script propagation through agent-generated content into security-sensitive workflow operations.
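As a concrete illustration (invented for this review, not taken from the paper), the two patterns can be sketched as workflow fragments, with a naive check for the P2A source. The action name `some-org/llm-agent-action` and all step contents are hypothetical.

```python
import re

# P2A: untrusted event context is interpolated directly into the agent prompt.
# (Hypothetical workflow fragment; the agent action name is invented.)
P2A_STEP = """
- name: Triage issue
  uses: some-org/llm-agent-action@v1
  with:
    prompt: |
      Summarize and label this issue:
      ${{ github.event.issue.body }}
"""

# P2S: a later step executes agent-derived output, so attacker influence
# propagates through the model's output rather than the prompt boundary.
P2S_STEP = """
- name: Apply agent suggestion
  run: |
    ${{ steps.agent.outputs.suggested_command }}
"""

# A naive P2A source check: does a step expand attacker-controllable
# event context inside a workflow expression?
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*github\.event\.(issue|pull_request|comment)\.[\w.]+\s*\}\}"
)

print(bool(UNTRUSTED_CONTEXT.search(P2A_STEP)))  # True: flagged as P2A
print(bool(UNTRUSTED_CONTEXT.search(P2S_STEP)))  # False: tainted via agent output
```

The P2S fragment is the harder case: no `github.event` expression appears in the dangerous step, which is why the paper tracks propagation through agent-derived outputs rather than scanning for event expressions alone.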

What carries the argument

TaintAWI, a taint analysis tool that applies specifications for prompt boundaries, derived outputs, agentic capabilities, and access-control interfaces to detect flows from untrusted event data to dangerous sinks.
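The source–sink–sanitizer abstraction behind such a detector can be sketched as follows; the category names below are illustrative guesses, not the paper's actual specification tables.

```python
from dataclasses import dataclass

@dataclass
class TaintSpec:
    """Toy AWI taint specification T = <Src, Snk, San> (illustrative only)."""
    sources: set     # attacker-controllable workflow values
    sinks: set       # security-relevant locations where influence materializes
    sanitizers: set  # guards that block exploitability

SPEC = TaintSpec(
    sources={"github.event.issue.body", "github.event.comment.body"},
    sinks={"agent.prompt", "run.script", "token.write_scope"},
    sanitizers={"actor.allowlist", "input.validation"},
)

def is_reported(flow):
    """Report a flow (an ordered list of node labels) when it starts at a
    source, ends at a sink, and passes through no sanitizer."""
    return (flow[0] in SPEC.sources
            and flow[-1] in SPEC.sinks
            and not any(node in SPEC.sanitizers for node in flow))

print(is_reported(["github.event.issue.body", "agent.prompt"]))  # True
print(is_reported(["github.event.issue.body", "actor.allowlist",
                   "agent.prompt"]))                             # False
```

The real tool operates on a dependency graph of workflow steps rather than flat label lists, but the reporting condition has this shape: source reaches sink with no guard on the path.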

If this is right

  • Agentic workflows in GitHub Actions are susceptible to injection attacks at scale.
  • Hundreds of previously unknown vulnerabilities exist in public repositories.
  • Static taint analysis provides an effective way to identify these issues with high precision.
  • Responsible disclosure can result in fixes for affected workflows.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the authors make directly.

  • Similar vulnerabilities are likely present in other platforms that combine event triggers with LLM agents.
  • Workflow developers should avoid directly incorporating external text into agent prompts without sanitization or validation.
  • Future work could extend the taint specifications to additional agent frameworks or integrate runtime monitoring.
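For the script-sink (P2S) side, one widely documented hardening pattern is to route untrusted context through an intermediate environment variable, so the shell receives it as data rather than having it expanded into the script text; note this does not by itself stop prompt injection at the model boundary, where content-level validation is still needed. The steps below are invented for illustration.

```python
import re

# Unsafe: the event value is expanded into the script body itself, so an
# attacker-crafted title can inject shell syntax.
UNSAFE_STEP = """
- run: echo "${{ github.event.issue.title }}"
"""

# Hardened: the value enters via an environment variable and reaches the
# shell as data ($TITLE), not as part of the generated script text.
HARDENED_STEP = """
- env:
    TITLE: ${{ github.event.issue.title }}
  run: echo "$TITLE"
"""

def run_body_expands_event(step_yaml):
    """Flag only event-context expressions expanded inside the `run:` body."""
    body = re.search(r"run:(.*)", step_yaml, re.S)
    return bool(body and re.search(r"\$\{\{\s*github\.event\.", body.group(1)))

print(run_body_expands_event(UNSAFE_STEP))    # True
print(run_body_expands_event(HARDENED_STEP))  # False
```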

Load-bearing premise

The taint specifications from the sampled AI-assisted actions correctly model all relevant prompt boundaries, output derivations, and agent capabilities without missing critical flows or creating excessive false reports.
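To make this premise concrete, here is a hypothetical indirect channel that a purely syntactic source scan would miss, since the tainted value travels through a file written by the agent rather than through a workflow expression:

```python
import re

# Hypothetical steps (invented): the agent's prompt includes the issue body,
# the agent writes a fix script to disk, and a later step executes it. The
# consuming step contains no `${{ github.event... }}` expression, so a rule
# that only scans for such expressions reports nothing, even though the
# executed content is attacker-influenced.
INDIRECT_STEPS = """
- id: agent
  uses: some-org/llm-agent-action@v1
- run: bash agent_output/fix.sh
"""

DIRECT_RULE = re.compile(r"\$\{\{\s*github\.event\.")
print(bool(DIRECT_RULE.search(INDIRECT_STEPS)))  # False: a false negative
```

Modeling which files and outputs an agent action can author is presumably what the derived-output specifications aim to capture; any gap there becomes a false negative of exactly this shape.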

What would settle it

An independent manual review of workflows identified by the tool that shows many reported flows cannot actually be exploited by an attacker who controls only GitHub event content.

Figures

Figures reproduced from arXiv: 2605.07135 by Haoyu Wang, Quanchen Zou, Shenao Wang, Xiangzheng Zhang, Xiao Cheng, Xinyi Hou, Yanjie Zhao, Zhao Liu.

Figure 1: GitHub Actions execution model and agentic extensions.
Figure 2: A simplified motivating example.
Figure 3: Overview of the TaintAWI analysis pipeline. Following the conventional source–sink–sanitizer abstraction, the AWI taint specification is defined as T = ⟨Src, Snk, San⟩, where Src denotes attacker-controllable workflow values, Snk denotes security-relevant locations or operations where attacker influence can materialize, and San denotes sanitizers or guards that block exploitability.
Figure 4: Agentic Workflow Dependency Graph (AWDG) for the motivating example.
Figure 5: AWI taint propagation and vulnerability detection rules.
Original abstract

GitHub Actions is increasingly used to deploy LLM-based agents for repository-centric tasks such as issue triage, pull-request review, code modification, and release assistance. These agentic workflows extend traditional CI/CD automation with agentic capabilities but also create a new injection surface. In this paper, we introduce Agentic Workflow Injection (AWI), a workflow-level injection flaw where untrusted GitHub event context, such as issue bodies, pull-request descriptions, or comments, is incorporated into agent prompts or agent-consumed inputs and converted into attacker-influenced behavior through agent tools or downstream workflow logic. We identify two core AWI patterns: Prompt-to-Agent (P2A), where untrusted content reaches an agent prompt boundary, and Prompt-to-Script (P2S), where attacker influence propagates through model- or agent-derived outputs into later scripts. We present the first systematic study of AWI in GitHub Actions. We characterize 1,033 real-world AI-assisted actions and extract AWI-specific taint specifications, including prompt boundaries, derived outputs, agentic capabilities, and access-control interfaces. Based on these specifications, we design TaintAWI, a taint-analysis tool that tracks flows from untrusted event context to agent prompt inputs and security-sensitive workflow sinks. Applying TaintAWI to 13,392 real-world agentic workflows from 10,792 repositories, we report 519 potential AWI vulnerabilities, of which 496 are confirmed exploitable under our threat model, yielding a precision of 95.6%. Among them, 343 are previously unknown zero-day vulnerabilities. We prioritized disclosure for 187 zero-day cases, received 26 maintainer responses, and 24 cases have been accepted or fixed at the time of writing.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper introduces Agentic Workflow Injection (AWI) as a new class of vulnerabilities in GitHub Actions workflows that integrate LLM-based agents. It characterizes 1,033 real-world AI-assisted actions to extract taint specifications covering prompt boundaries, derived outputs, agentic capabilities, and access-control interfaces. The authors develop TaintAWI, a taint-analysis tool implementing P2A (Prompt-to-Agent) and P2S (Prompt-to-Script) patterns, and apply it to 13,392 agentic workflows from 10,792 repositories. They report 519 potential AWI vulnerabilities, of which 496 are manually confirmed exploitable (95.6% precision), including 343 previously unknown zero-days; 187 cases were disclosed, yielding 26 maintainer responses and 24 fixes.

Significance. If the taint specifications and confirmation methodology hold, this is a significant empirical contribution to security in LLM-augmented CI/CD systems. The work provides the first large-scale measurement of AWI prevalence, distinguishes two concrete patterns, achieves high precision on flagged cases, and demonstrates impact through responsible disclosure and fixes. Strengths include the real-world dataset, the reusable taint specifications derived from action characterization, and the practical tool that directly led to remediation.

major comments (2)
  1. [§4] §4 (Characterization and taint specification extraction): The AWI-specific taint rules for prompt boundaries, derived outputs, and agentic sinks are extracted from the 1,033 actions, yet the paper provides no reported validation set, coverage metric, or manual audit of completeness. This is load-bearing for the headline counts, because any systematic omission of indirect output channels or access-control entry points would produce false negatives and shrink the 519/496/343 figures reported in §6.
  2. [§6.3] §6.3 (Confirmation and threat model): The 95.6% precision is obtained via manual review of the 519 flagged cases, but the exact decision criteria for 'exploitable under our threat model' (e.g., concrete conditions under which a P2S flow reaches a script sink or an agent tool) are not cross-referenced to the taint specifications. Without these details it is difficult to judge whether edge cases in agent capabilities or multi-step propagations were consistently classified.
minor comments (2)
  1. [Abstract] Abstract: the qualifier 'at the time of writing' for the 24 fixes should be replaced by a concrete date or status table so readers can assess currency.
  2. [§2] §2 (Background): a short glossary or side-by-side comparison of P2A versus P2S would improve readability for readers new to the agentic workflow setting.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. The comments highlight opportunities to improve the transparency of our methodology for taint specification extraction and the confirmation process. We address each major comment below and will incorporate revisions to strengthen the paper.

Point-by-point responses
  1. Referee: [§4] §4 (Characterization and taint specification extraction): The AWI-specific taint rules for prompt boundaries, derived outputs, and agentic sinks are extracted from the 1,033 actions, yet the paper provides no reported validation set, coverage metric, or manual audit of completeness. This is load-bearing for the headline counts, because any systematic omission of indirect output channels or access-control entry points would produce false negatives and shrink the 519/496/343 figures reported in §6.

    Authors: We agree that the current presentation of the taint specification extraction process in §4 lacks sufficient detail on validation and completeness assessment. The specifications were obtained through systematic manual review of the source code, documentation, and usage examples of all 1,033 AI-assisted actions, with multiple authors cross-checking rule formulations for prompt boundaries, derived outputs, agentic capabilities, and access-control interfaces. No separate held-out validation set or quantitative coverage metric was computed or reported. In the revised manuscript we will expand §4 with a dedicated subsection describing the extraction methodology, including representative examples of how rules were derived for different action categories, the process used to identify sinks and sources, and an explicit discussion of potential limitations (e.g., missed indirect channels). We will also note that the reported vulnerability counts should be interpreted as lower bounds. These additions directly address the referee's concern about load-bearing assumptions. revision: yes

  2. Referee: [§6.3] §6.3 (Confirmation and threat model): The 95.6% precision is obtained via manual review of the 519 flagged cases, but the exact decision criteria for 'exploitable under our threat model' (e.g., concrete conditions under which a P2S flow reaches a script sink or an agent tool) are not cross-referenced to the taint specifications. Without these details it is difficult to judge whether edge cases in agent capabilities or multi-step propagations were consistently classified.

    Authors: We acknowledge that §6.3 would benefit from tighter linkage between the manual confirmation criteria and the taint specifications defined in §4, as well as the threat model. Confirmation of exploitability required that a flagged flow could result in attacker-controlled agent behavior or script execution under the threat model (untrusted GitHub event context reaching prompt boundaries or propagating through derived outputs to sensitive sinks). In the revision we will augment §6.3 with explicit cross-references to the relevant taint rules, provide concrete classification examples for both P2A and P2S patterns (including multi-step propagations and edge cases involving agent tools), and include a summary of the decision checklist used during manual review. This will improve reproducibility and allow readers to assess consistency of the 95.6% precision figure. revision: yes

Circularity Check

0 steps flagged

No circularity: purely empirical measurement from external data

Full rationale

The paper's headline results (519 potential AWI vulnerabilities, 496 confirmed, 343 zero-days) are obtained by running the TaintAWI static analyzer over 13,392 real GitHub workflows drawn from public repositories and then confirming a subset via maintainer disclosure. The taint specifications are derived from a one-time manual characterization of 1,033 separate AI-assisted actions; once extracted they function as fixed rules applied to new workflow data. No equations, fitted parameters, or self-citations are invoked to force the counts, and the precision figure is computed only on the flagged cases after external confirmation. The derivation chain therefore consists of independent external inputs (repository contents and maintainer replies) rather than any reduction of outputs to the paper's own definitions or prior self-citations.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 3 invented entities

The central claim rests on the validity of the newly defined AWI patterns and the accuracy of the extracted taint specifications from real-world actions. No numerical parameters are fitted; the approach is rule-based on observed patterns.

axioms (1)
  • domain assumption Standard taint analysis rules can be adapted to track flows involving LLM agent prompts and derived outputs in GitHub Actions YAML workflows.
    The TaintAWI tool is built on this to identify AWI patterns.
invented entities (3)
  • Agentic Workflow Injection (AWI) no independent evidence
    purpose: To categorize the new injection vulnerability in agentic workflows.
    Newly defined in this paper as a workflow-level flaw.
  • Prompt-to-Agent (P2A) no independent evidence
    purpose: To name the specific pattern where untrusted content reaches an agent prompt boundary.
    Defined here as one of two core AWI patterns.
  • Prompt-to-Script (P2S) no independent evidence
    purpose: To name the specific pattern where attacker influence propagates through model-derived outputs into later scripts.
    Defined here as one of two core AWI patterns.

pith-pipeline@v0.9.0 · 5645 in / 1722 out tokens · 61641 ms · 2026-05-11T02:00:49.913030+00:00 · methodology

discussion (0)

