Pith. sign in

REVIEW 4 major objections 6 minor 68 references

DualView blocks stored and immediate prompt injection on personal AI agents by giving the agent and the human two synchronized views of the same computer environment.

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · grok-4.5

2026-07-11 23:42 UTC pith:KHDDUWMZ

load-bearing objection Real systems fix for stored IPI that Dual-LLM work left open; dual views are the actual idea, 0% ASR is earned on their suite, and the hand-written trust policy is the residual risk—not a collapse of the claim. the 4 major comments →

arxiv 2607.03821 v1 pith:KHDDUWMZ submitted 2026-07-04 cs.CR cs.AI

DualView: Preventing Indirect Prompt Injection in Personal AI Agents

classification cs.CR cs.AI
keywords indirect prompt injectionpersonal AI agentsDual LLMstored IPIAgentViewtool hooksuntrusted data isolationOpenClaw
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Personal AI agents that run on a user's machine can read the web, write files, and run shell commands—the same capabilities that make them useful and that open them to indirect prompt injection. Prior Dual-LLM defenses replace untrusted text with opaque symbols inside the agent, but they resolve those symbols when data leaves, so a malicious prompt written to a file can return later as ordinary trusted content (stored IPI). DualView keeps two views of every channel: AgentView, where untrusted data stays symbolized even after write-then-read, and HumanView, where humans and programs still see original data. By routing tools to the right view and syncing the two sides, the system blocked every tested attack while keeping task success close to an unprotected agent. The claim is that security, agent utility, and human utility can be satisfied together once untrusted-data tracking is extended into the real environment the agent shares with the user.

Core claim

Untrusted-data isolation for personal AI agents is incomplete unless it survives the path through the user's shared environment. DualView maintains an AgentView in which symbols persist across file writes, shell use, network returns, and inter-agent messages, and a HumanView that always shows original data; with tool routing and synchronization, it reduces both immediate and stored IPI attack success to zero on a 90-case benchmark while keeping PinchBench utility within a few points of the unprotected baseline, without changing the agent's tool-call logic.

What carries the argument

The dual-view environment: each channel (file system, shell, network, inter-agent) has an AgentView that keeps untrusted data as opaque symbols and a HumanView that preserves original data, with tool routing and Git-based synchronization keeping the two views consistent.

Load-bearing premise

The defense assumes the hand-written data-trust policy correctly labels every tool field that can carry attacker text; a field wrongly marked trusted reopens a path for stored injection.

What would settle it

An attack in which untrusted content is written through a tool field the policy marks trusted, then later read back by the agent and successfully steers a harmful tool call, would falsify the zero attack-success claim.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • Stored IPI, left open by Dual-LLM defenses that only track symbols inside the agent context, can be closed by design without filling user files with unreadable symbols.
  • Personal agents can keep full file, shell, and network access while still guaranteeing that attacker text never reaches the tool-calling model as plain text.
  • A defense that works through tool hooks alone can be deployed on existing agent runtimes without model or tool rewrites.
  • Human-facing deliverables remain free of symbols, so non-agent programs and remote endpoints continue to work as before.
  • Protection is template-independent because isolation is structural, not classifier-based.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same two-view pattern could apply to cloud-synced workspaces if remote services preserved agent-facing symbols and resolved them only for human-facing reads.
  • Hand-written trust schemas for every tool will become a maintenance bottleneck as agents gain custom tools; automatic routing and field classification from tool specs is a natural next step.
  • Symbol-level tracking also gives a foundation for confidentiality policies (symbolizing secrets so they cannot leave) rather than only integrity against injection.
  • Token overhead from the quarantined LLM may limit cost-sensitive deployments unless cheaper summarizers, caching, or batching are used.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

4 major / 6 minor

Summary. DualView addresses stored indirect prompt injection (IPI) in personal AI agents that act on the user's real environment. Prior Dual-LLM defenses replace untrusted data with opaque symbols inside the agent context, but resolve those symbols when data is written out, so a later read can reintroduce attacker text as trusted content. DualView maintains two synchronized views of each channel (file system, shell, network, inter-agent): AgentView keeps untrusted data as symbols across write-then-read, while HumanView preserves original data for humans and non-agent programs. Tool calls are routed by need for original data; a hand-written data-trust policy decides what to symbolize; a data-usage policy gates execution of untrusted content as code. Implemented as an OpenClaw plugin via tool hooks only, DualView reports 0% attack success on a 90-case custom IPI suite (immediate and stored) across two Claude models, and PinchBench utility within about 6.4 points of unprotected OpenClaw, with human-facing outputs free of symbols.

Significance. The problem is timely and practically important: local personal agents with file, shell, and network access make stored IPI a first-class threat that context-only Dual-LLM designs do not close. The dual-view design is a clear conceptual contribution that simultaneously targets security, agent utility, and human utility—three goals prior Dual-LLM variants trade off against each other (Table 1). Strengths include a deployable hook-only plugin, explicit comparison to guardrails, sandboxing, and Dual LLM, transcript-level audits that attacker text never reaches T-LLM, and an open-source release commitment. If the isolation invariant holds under a correct trust policy, the work is a substantial step toward usable, environment-aware IPI defenses for personal agents.

major comments (4)
  1. §3.1, abstract, and §3.8.1: The central claim that protection is 'by design' and 'not limited to known attack templates' rests on the invariant that untrusted data reaches T-LLM only as symbols. That invariant holds only if the data-trust policy correctly labels every remote-derived field. The policy is a hand-written set of schema and origin rules for 21 OpenClaw tools (Appendix B, Table 7), derived by manual inspection and not machine-checked against tool implementations or result schemas. A single misclassified trusted field (e.g., a redirect URL, structured CLI field, or status string that can carry attacker text) reopens a stored-IPI path once written and reread via Agent File System. The 0% ASR result (Table 2) therefore validates isolation for the fields exercised by the custom suite, not a general design guarantee. Please either (i) qualify the 'by design' language to 'under a co
  2. §4.2: Security evaluation uses a custom 90-case benchmark (3 vectors × 10 tasks × 3 goals) rather than established IPI suites (e.g., InjecAgent, AgentDojo, ASB). The paper notes that existing benchmarks do not support OpenClaw, which is fair, but the manuscript does not release enough detail on payload construction, placement, and success criteria for independent reproduction, nor does it map the 90 cases onto attack templates from prior work. Given that Dual LLM (Utility) already fails stored IPI as expected, the main empirical novelty is the stored-IPI column; that column should be stress-tested with adaptive payloads that target policy edge cases (structured tool fields marked trusted, webhook schemas, HumanShell structured output). Please expand the benchmark description (payloads, success oracles, and any adaptive attempts) and, if feasible, release the suite with the code.
  3. §3.8.2 and §5: The data-usage policy is described as best-effort and incomplete (command rewriting covers only listed script patterns; full untrusted-data execution would need syscall monitoring). HumanShell deliberately desymbolizes for utility. This is an honest tradeoff, but it sits uneasily next to the strong isolation claim: once the agent chooses to place a symbol into an executable position and the user approves (or a pattern is missed), attacker-controlled content runs with the user's privileges. Table 4 shows almost no review events on PinchBench, which is good for usability but does not stress malicious executable patterns. Please state more clearly in the security goals which properties are deterministic (symbol isolation from T-LLM tool decisions) versus best-effort (execution of desymbolized content), and add at least a small adversarial evaluation of the executable-command
  4. §4.3 / Table 2: Utility is measured once per defense and model (147 PinchBench tasks) due to API cost. Token overhead is large (48.2% Haiku, 93.4% Sonnet), and Sonnet failures cluster on repeated U-LLM/HumanShell retries (Table 3). A single run leaves variance unreported for utility, while security reports mean±std over three runs. Given that DualView's practicality claim depends on staying close to baseline utility, please either report multi-run utility (even on a stratified subset) or provide confidence intervals / bootstrap over tasks, and discuss whether the Sonnet overhead pattern is inherent to symbol opacity or prompt/tool design that can be improved.
minor comments (6)
  1. Figure 3 and the numbered path labels (black/green/orange) are dense; a short walkthrough in the caption matching the WebSearch/file examples in Figures 4–5 would help readers.
  2. §3.5: Git worktree + workspace-scoped locks and conflict log are reasonable, but concurrency with non-agent programs that bypass Git (direct writes) is only sketched. A sentence on failure modes when the human edits a symbolized line mid-sync would help.
  3. Table 1 footnote symbols (†, ‡, ∗) are useful; ensure the Dual LLM (Security) row is clearly labeled as a hypothetical design point rather than an evaluated system, if that is the intent.
  4. §4.1: Clarify whether Llama Prompt Guard 2 and LlamaFirewall were applied only to tool results/calls or also to stored file content on re-read; that affects the stored-IPI comparison with DualView.
  5. Typos / polish: 'Data Usage Check' vs 'data usage policy' naming is slightly inconsistent across figures; arXiv line 'arXiv:2607.03821v1 [cs.CR] 4 Jul 2026' looks like a future date—verify metadata.
  6. §3.7: Inter-agent trust marking is user-configured; a brief example of mis-marking a public-channel agent as trusted would illustrate residual risk without expanding scope.

Circularity Check

0 steps flagged

No significant circularity; DualView is an engineering system whose isolation claim and 0% ASR rest on design plus empirical measurement, not on self-referential definitions or fitted quantities renamed as predictions.

full rationale

The paper presents a systems design (AgentView/HumanView routing, Git-worktree synchronization, data-trust and data-usage policies) that extends the Dual-LLM symbol isolation invariant into the user's environment. Security is argued by construction from the prior Dual-LLM invariant (cited to FIDES and f-secure LLM, not solely self-work) plus the new environment-level tracking; the 0% ASR and PinchBench utility numbers are measured against an unprotected OpenClaw baseline and other defenses on a fixed 90-case suite and 147-task benchmark. There is no equation or derivation in which a claimed prediction reduces to a fitted input, no uniqueness theorem imported from the authors' own prior work to force the design, and no renaming of a known empirical pattern as a first-principles result. The self-citation to the authors' earlier PFI paper is ordinary background for the Dual-LLM pattern and is not load-bearing for the novel DualView claims. The hand-written data-trust policy is a correctness assumption (any misclassified field could re-open a path), but that is orthogonal to circularity: the paper does not define the policy in terms of the evaluation outcomes or treat the evaluation as a derivation of the policy. The work is therefore self-contained against its stated benchmarks with no circular reduction.

Axiom & Free-Parameter Ledger

0 free parameters · 4 axioms · 2 invented entities

The central security claim rests on the Dual-LLM isolation invariant (symbols cannot steer tool calls), the threat-model assumption that the user and the agent runtime are trusted, and the completeness of a hand-written data-trust policy. No numeric free parameters are fitted; the invented entities are engineering constructs (AgentView, HumanView, Agent File System) whose behavior is defined by the implementation rather than postulated as physical objects.

axioms (4)
  • domain assumption Untrusted data represented only as opaque symbols cannot influence the privileged LLM's tool-call decisions (Dual-LLM isolation invariant).
    Invoked throughout §2.3 and §3.1; the paper cites prior formal proofs (FIDES, related work) rather than re-proving it.
  • domain assumption The user and the agent runtime/tools are trusted; the adversary controls only remote data delivered through network, email, webhooks, or untrusted agents.
    Stated in the threat model (§3) and used to treat human file edits and local files as trusted by default.
  • ad hoc to paper The hand-written data-trust policy (schema + origin rules for 21 OpenClaw tools) correctly labels every field that can carry attacker-controlled text.
    §3.8.1 and Appendix B; misclassification would allow plain attacker text into AgentView.
  • ad hoc to paper Git worktree synchronization plus workspace-scoped locks correctly reconcile concurrent human and agent writes without silently dropping symbols or overwriting human edits.
    §3.5 and Appendix A concurrency handling; races are logged but resolution is left to the human.
invented entities (2)
  • AgentView / HumanView dual environment no independent evidence
    purpose: Provide the agent with a symbolized view of files, shell, and messages while humans and remote endpoints continue to see original data.
    Core architectural construct introduced in §3.2; behavior is defined by the routing and sync implementation rather than by independent physical evidence.
  • Agent File System (Git worktree) no independent evidence
    purpose: Persist symbols across write-then-read cycles so stored IPI cannot re-enter as plain text.
    §3.5; engineering mechanism, not a postulated natural entity.

pith-pipeline@v1.1.0-grok45 · 31703 in / 2935 out tokens · 27898 ms · 2026-07-11T23:42:06.177192+00:00 · methodology

0 comments
read the original abstract

Personal AI agents that run on the user's local machine, such as OpenClaw, automate daily tasks including web search, email, and file management. Their access to computer resources, including the network, file system, and shell, exposes them to indirect prompt injection (IPI) attacks. Prior Dual LLM defenses block IPI by replacing untrusted data with symbols that the agent can reference but not read. However, they track untrusted data only inside the agent's context, so when the agent saves and later rereads untrusted data, that data, possibly an attacker's prompt, can return as trusted data rather than as a symbol, which we call stored IPI. Operating on the user's real environment, which humans and programs share, is what makes agents like OpenClaw practical, and is exactly why a defense that ignores it is incomplete. Preserving symbols in such an environment is hard, because humans and programs need original data. We present DualView, which extends untrusted data tracking from the agent's context to the user's environment, including the file system, shell, network, and other agents, by giving each channel two views. In AgentView, the agent sees untrusted data as symbols even after writing it out and reading it back, blocking stored IPI, while HumanView preserves original data for humans and tools. DualView routes each tool call to the right view and synchronizes data across the two views. DualView deploys as an OpenClaw plugin using only tool hooks, without changing the agent's tool-call logic or tool implementations. Since DualView isolates untrusted data by design, its protection is not limited to known attack templates. In our evaluation on an IPI benchmark and PinchBench, DualView blocked every IPI attack, including stored IPI, while keeping utility close to the unprotected baseline.

Figures

Figures reproduced from arXiv: 2607.03821 by Byoungyoung Lee, Juhee Kim, Taehyun Kang, Woohyuk Choi, Youngmin Kim.

Figure 1
Figure 1. Figure 1: An AI agent on the user’s machine interacts with the web, the local file system, and the shell through tool calls. trust policy uses the known data structures of tool results to symbolize only the untrusted data while keeping trusted data as is. DUALVIEW deploys as an OpenClaw plugin using tool hooks. The implementation does not require changes to the backing model or to existing tool implementations. DUAL… view at source ↗
Figure 2
Figure 2. Figure 2: Indirect prompt injection attacks against an AI agent. commands, sending network requests, or communicating with other agents. OpenClaw [6] is a representative example. Personal AI agents can automate tasks that span several user resources. For example, the agent can collect information from the web, save it into files, and reuse those files in later tasks [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Architecture of DUALVIEW. marks AgentView, where T-LLM sees symbols instead of untrusted data. marks HumanView, where humans and non-agent programs see original data. Yellow boxes mark DUALVIEW components. Black numbers mark the agent-user path; green numbers mark the AgentView tool path; orange numbers mark the HumanView tool path. Green arrows carry trusted data only, while orange arrows carry data that … view at source ↗
Figure 4
Figure 4. Figure 4: Network flows in DUALVIEW. WebSearch and webhook payloads arrive as original data in HumanView. DUALVIEW classifies the data using the data trust policy and symbolizes the untrusted parts before they reach AgentView. The numbered steps follow the WebSearch path (A), the U-LLM summarization path (B), and the webhook path (C). Example: WebSearch. The left side of [PITH_FULL_IMAGE:figures/full_fig_p007_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Filesystem synchronization in DUALVIEW. Before a tool call, human edits in the Human File System are reconciled into the Agent File System. The agent then operates on the Agent File System. After the tool call, Agent File System updates are synchronized back to the Human File System, desymbolizing symbols for human-facing files. System and desymbolizes symbols so the user sees original data. After each syn… view at source ↗
Figure 6
Figure 6. Figure 6: Shell execution in DUALVIEW. AgentShell lets commands run against Agent File System with network access disabled, so their output contains trusted data and symbols. HumanShell lets commands run in the normal shell environment with Human File System and network access enabled. DUALVIEW symbolizes shell output before returning it to AgentView. AgentShell. As with file tools (§3.5), AgentShell lets commands u… view at source ↗
Figure 8
Figure 8. Figure 8: Example file-system layout under DUALVIEW. TABLE 5: PinchBench file paths marked as untrusted. These patterns match 72 files, and 42 of the 147 PinchBench tasks read at least one of them. Category Untrusted Files Email and inbox emails/*, inbox/* External documents and reports ai_blog.txt, GPT4.pdf, openclaw_report.pdf, research/*, sample_contract.pdf, school-calendar.pdf, subway_map.md, vulnerability_scan… view at source ↗
Figure 7
Figure 7. Figure 7: OpenClaw hook points that DUALVIEW uses across the agent’s events. before_tool_call and the two result hooks branch by whether the tool runs on AgentView or HumanView. DUALVIEW changes the two hooks marked †. evaluation. Each entry stores a symbol with the original data and provenance metadata. The provenance metadata comes from trusted data (e.g., the originating tool, the field path, and the data origin)… view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

68 extracted references · 21 linked inside Pith

  1. [1]

    React: Synergizing reasoning and acting in language models,

    S. Yao, J. Zhao, D. Yu, N. Du, I. Shafran, K. Narasimhan, and Y . Cao, “React: Synergizing reasoning and acting in language models,” in International Conference on Learning Representations (ICLR), 2023

  2. [2]

    Toolformer: Language models can teach themselves to use tools,

    T. Schick, J. Dwivedi-Yu, R. Dessì, R. Raileanu, M. Lomeli, E. Ham- bro, L. Zettlemoyer, N. Cancedda, and T. Scialom, “Toolformer: Language models can teach themselves to use tools,” inAnnual Conference on Neural Information Processing Systems (NeurIPS), 2023

  3. [3]

    Chatgpt plugins,

    OpenAI, “Chatgpt plugins,” 2024, https://openai.com/index/chatgpt- plugins/ (accessed 27, August, 2025)

  4. [4]

    What is microsoft 365 copilot?

    Microsoft, “What is microsoft 365 copilot?” 2024, https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft- 365-copilot-overview (accessed 27, August, 2025)

  5. [5]

    Model context protocol,

    Model Context Protocol, “Model context protocol,” 2025, https:// modelcontextprotocol.io/

  6. [6]

    OpenClaw,

    OpenClaw, “OpenClaw,” 2026, https://openclaw.ai/

  7. [7]

    Not what you’ve signed up for: Compromising real-world llm-integrated applications with indirect prompt injection,

    K. Greshake, S. Abdelnabi, S. Mishra, C. Endres, T. Holz, and M. Fritz, “Not what you’ve signed up for: Compromising real-world llm-integrated applications with indirect prompt injection,” inAISec Workshop, 2023

  8. [8]

    Formalizing and benchmarking prompt injection attacks and defenses,

    Y . Liu, Y . Jia, R. Geng, J. Jia, and N. Z. Gong, “Formalizing and benchmarking prompt injection attacks and defenses,” in33rd USENIX Security Symposium. USENIX Association, 2024

  9. [9]

    InjecAgent: Benchmarking indirect prompt injections in tool-integrated large language model agents,

    Q. Zhan, Z. Liang, Z. Ying, and D. Kang, “InjecAgent: Benchmarking indirect prompt injections in tool-integrated large language model agents,” inFindings of the Association for Computational Linguistics: ACL 2024. Bangkok, Thailand: Association for Computational Linguistics, 2024, pp. 10 471–10 506. [Online]. Available: https://aclanthology.org/2024.findi...

  10. [10]

    The dual llm pattern for building ai assistants that can resist prompt injection,

    S. Willison, “The dual llm pattern for building ai assistants that can resist prompt injection,” 2023, https://simonwillison.net/2023/Apr/25/ dual-llm-pattern/

  11. [11]

    Prompt flow integrity to prevent privilege escalation in llm agents,

    J. Kim, W. Choi, and B. Lee, “Prompt flow integrity to prevent privilege escalation in llm agents,”arXiv preprint arXiv:2503.15547, 2025

  12. [12]

    Defeating prompt injections by design,

    E. Debenedetti, I. Shumailov, T. Fan, J. Hayes, N. Carlini, D. Fabian, C. Kern, C. Shi, A. Terzis, and F. Tramèr, “Defeating prompt injections by design,”arXiv preprint arXiv:2503.18813, 2025

  13. [13]

    Securing ai agents with information-flow control,

    M. Costa, B. Köpf, A. Kolluri, A. Paverd, M. Russinovich, A. Salem, S. Tople, L. Wutschitz, and S. Zanella-Béguelin, “Securing ai agents with information-flow control,”arXiv preprint arXiv:2505.23643, 2025

  14. [14]

    PinchBench,

    PinchBench, “PinchBench,” 2026, https://pinchbench.com/

  15. [15]

    Demystifying RCE vulnerabilities in LLM-integrated apps,

    T. Liu, Z. Deng, G. Meng, Y . Li, and K. Chen, “Demystifying RCE vulnerabilities in LLM-integrated apps,” inProceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2024

  16. [16]

    Agent security bench (ASB): Formalizing and benchmarking attacks and defenses in LLM-based agents,

    H. Zhang, J. Huang, K. Mei, Y . Yao, Z. Wang, C. Zhan, H. Wang, and Y . Zhang, “Agent security bench (ASB): Formalizing and benchmarking attacks and defenses in LLM-based agents,” in13th International Conference on Learning Representations, ICLR 2025. Singapore: International Conference on Learning Representations, 2025. [Online]. Available: https://proce...

  17. [17]

    AGENTVIGIL: Automatic black- box red-teaming for indirect prompt injection against LLM agents,

    Z. Wang, V . Siu, Z. Ye, T. Shi, Y . Nie, X. Zhao, C. Wang, W. Guo, and D. Song, “AGENTVIGIL: Automatic black- box red-teaming for indirect prompt injection against LLM agents,” inFindings of the Association for Computational Linguistics: EMNLP 2025. Suzhou, China: Association for Computational Linguistics, 2025, pp. 23 159–23 172. [Online]. Available: ht...

  18. [18]

    Benchmarking and defending against indirect prompt injection attacks on large language models,

    J. Yi, Y . Xie, B. Zhu, K. Hines, E. Kiciman, G. Sun, X. Xie, and F. Wu, “Benchmarking and defending against indirect prompt injection attacks on large language models,” inProceedings of the 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining. ACM, 2025. [Online]. Available: https://arxiv.org/abs/2312.14197

  19. [19]

    AgentDojo: A dynamic environment to evaluate prompt injection attacks and defenses for LLM agents,

    E. Debenedetti, J. Zhang, M. Balunovic, L. Beurer-Kellner, M. Fischer, and F. Tramèr, “AgentDojo: A dynamic environment to evaluate prompt injection attacks and defenses for LLM agents,” inAnnual 14 Conference on Neural Information Processing Systems (NeurIPS) Datasets and Benchmarks Track, 2024

  20. [20]

    Overcoming the retrieval barrier: Indirect prompt injection in the wild for LLM systems,

    H. Chang, E. Bao, X. Luo, and T. Yu, “Overcoming the retrieval barrier: Indirect prompt injection in the wild for LLM systems,” in35th USENIX Security Symposium. USENIX Association, 2026. [Online]. Available: https://www.usenix.org/ conference/usenixsecurity26/presentation/chang

  21. [21]

    ObliInjection: Order-oblivious prompt injection attack to LLM agents with multi-source data,

    R. Wang, Y . Jia, and N. Z. Gong, “ObliInjection: Order-oblivious prompt injection attack to LLM agents with multi-source data,” in Network and Distributed System Security Symposium 2026. San Diego, CA, USA: Internet Society, 2026. [Online]. Available: https: //www.ndss-symposium.org/ndss-paper/obliinjection-order-oblivious- prompt-injection-attack-to-llm...

  22. [22]

    Les dissonances: Cross-tool harvesting and polluting in pool-of-tools empowered LLM agents,

    Z. Li, J. Cui, X. Liao, and L. Xing, “Les dissonances: Cross-tool harvesting and polluting in pool-of-tools empowered LLM agents,” in Network and Distributed System Security Symposium 2026. San Diego, CA, USA: Internet Society, 2026. [Online]. Available: https: //www.ndss-symposium.org/ndss-paper/les-dissonances-cross-tool- harvesting-and-polluting-in-poo...

  23. [23]

    Prompt injection attack to tool selection in LLM agents,

    J. Shi, Z. Yuan, G. Tie, P. Zhou, N. Z. Gong, and L. Sun, “Prompt injection attack to tool selection in LLM agents,” inNetwork and Distributed System Security Symposium 2026. San Diego, CA, USA: Internet Society,

  24. [24]

    Available: https://www.ndss-symposium.org/ndss- paper/prompt-injection-attack-to-tool-selection-in-llm-agents/

    [Online]. Available: https://www.ndss-symposium.org/ndss- paper/prompt-injection-attack-to-tool-selection-in-llm-agents/

  25. [25]

    SpAIware: Uncovering a novel artificial intelligence attack vector through persistent memory in LLM applications and agents,

    M. Herrador and J. Rehberger, “SpAIware: Uncovering a novel artificial intelligence attack vector through persistent memory in LLM applications and agents,”Future Generation Computer Systems, vol. 174, p. 107994, 2026. [Online]. Available: https: //www.sciencedirect.com/science/article/pii/S0167739X25002894

  26. [26]

    Memory injection attacks on LLM agents via query-only interaction,

    S. Dong, S. Xu, P. He, Y . Li, J. Tang, T. Liu, H. Liu, and Z. Xiang, “Memory injection attacks on LLM agents via query-only interaction,” inICLR 2026 Workshop on Memory for LLM-Based Agentic Systems (MemAgents), 2026. [Online]. Available: https://openreview.net/forum?id=i7J62t2wtV

  27. [28]

    Available: https://arxiv.org/abs/2410.07283

    [Online]. Available: https://arxiv.org/abs/2410.07283

  28. [29]

    AirGapAgent: Protecting privacy-conscious conversational agents,

    E. Bagdasarian, R. Yi, S. Ghalebikesabi, P. Kairouz, M. Gruteser, S. Oh, B. Balle, and D. Ramage, “AirGapAgent: Protecting privacy-conscious conversational agents,” inProceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2024. [Online]. Available: https://dl.acm.org/doi/10.1145/3658644.3690350

  29. [30]

    System-level defense against indi- rect prompt injection attacks: An information flow control perspective,

    F. Wu, E. Cecchetti, and C. Xiao, “System-level defense against indi- rect prompt injection attacks: An information flow control perspective,” arXiv preprint arXiv:2409.19091, 2024

  30. [31]

    ACE: A security architecture for LLM-integrated app systems,

    E. Li, T. Mallick, E. Rose, W. Robertson, A. Oprea, and C. Nita-Rotaru, “ACE: A security architecture for LLM-integrated app systems,” inNetwork and Distributed System Security Symposium 2026. San Diego, CA, USA: Internet Society, 2026. [Online]. Available: https://www.ndss-symposium.org/ndss-paper/ace- a-security-architecture-for-llm-integrated-app-systems/

  31. [32]

    Ignore previous prompt: Attack techniques for language models,

    F. Perez and I. Ribeiro, “Ignore previous prompt: Attack techniques for language models,”arXiv preprint arXiv:2211.09527, 2022. [Online]. Available: https://arxiv.org/abs/2211.09527

  32. [33]

    Jailbroken: How does LLM safety training fail?

    A. Wei, N. Haghtalab, and J. Steinhardt, “Jailbroken: How does LLM safety training fail?”arXiv preprint arXiv:2307.02483, 2023. [Online]. Available: https://arxiv.org/abs/2307.02483

  33. [34]

    Universal and transferable adversarial attacks on aligned language models,

    A. Zou, Z. Wang, N. Carlini, M. Nasr, J. Z. Kolter, and M. Fredrikson, “Universal and transferable adversarial attacks on aligned language models,”arXiv preprint arXiv:2307.15043, 2023. [Online]. Available: https://arxiv.org/abs/2307.15043

  34. [35]

    The instruction hierarchy: Training LLMs to prioritize privileged instructions,

    E. Wallace, K. Xiao, R. Leike, L. Weng, J. Heidecke, and A. Beutel, “The instruction hierarchy: Training LLMs to prioritize privileged instructions,”arXiv preprint arXiv:2404.13208, 2024

  35. [36]

    StruQ: Defending against prompt injection with structured queries,

    S. Chen, J. Piet, C. Sitawarin, and D. Wagner, “StruQ: Defending against prompt injection with structured queries,” in34th USENIX Security Symposium. USENIX Association, 2025. [Online]. Available: https://arxiv.org/abs/2402.06363

  36. [37]

    SecAlign: Defending against prompt injection with preference optimization,

    S. Chen, A. Zharmagambetov, S. Mahloujifar, K. Chaudhuri, D. Wagner, and C. Guo, “SecAlign: Defending against prompt injection with preference optimization,” inProceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2025. [Online]. Available: https://dl.acm.org/doi/10. 1145/3719027.3744836

  37. [38]

    Llama Prompt Guard 2,

    Meta AI, “Llama Prompt Guard 2,” 2025, https://huggingface.co/meta- llama/Llama-Prompt-Guard-2-86M

  38. [39]

    LlamaFirewall: An open source guardrail system for building secure AI agents,

    S. Chennabasappa, C. Nikolaidis, D. Song, D. Molnar, S. Ding, S. Wan, S. Whitman, L. Deason, N. Doucette, A. Montilla, A. Gampa, B. de Paola, D. Gabi, J. Crnkovich, J.-C. Testud, K. He, R. Chaturvedi, W. Zhou, and J. Saxe, “LlamaFirewall: An open source guardrail system for building secure AI agents,”arXiv preprint arXiv:2505.03574, 2025, https://github.c...

  39. [40]

    DataSentinel: A game-theoretic detection of prompt injection attacks,

    Y . Liu, Y . Jia, J. Jia, D. Song, and N. Z. Gong, “DataSentinel: A game-theoretic detection of prompt injection attacks,” inIEEE Symposium on Security and Privacy. IEEE, 2025. [Online]. Available: https://arxiv.org/abs/2504.11358

  40. [41]

    Defending against indirect prompt injection attacks with spotlighting,

    K. Hines, G. Lopez, M. Hall, F. Zarfati, Y . Zunger, and E. Kiciman, “Defending against indirect prompt injection attacks with spotlighting,” arXiv preprint arXiv:2403.14720, 2024

  41. [42]

    Attention is all you need to defend against indirect prompt injection attacks in LLMs,

    Y . Zhong, Q. Miao, Y . Chen, J. Deng, Y . Cheng, and W. Xu, “Attention is all you need to defend against indirect prompt injection attacks in LLMs,” inNetwork and Distributed System Security Symposium 2026. San Diego, CA, USA: Internet Society, 2026. [Online]. Available: https://www.ndss-symposium.org/ndss-paper/attention-is-all-you- need-to-defend-again...

  42. [43]

    MELON: Provable defense against indirect prompt injection attacks in AI agents,

    K. Zhu, X. Yang, J. Wang, W. Guo, and W. Y . Wang, “MELON: Provable defense against indirect prompt injection attacks in AI agents,” inProceedings of the 42nd International Conference on Machine Learning. PMLR, 2025. [Online]. Available: https://arxiv.org/abs/2502.05174

  43. [44]

    The task shield: Enforcing task alignment to defend against indirect prompt injection in LLM agents,

    F. Jia, T. Wu, X. Qin, and A. Squicciarini, “The task shield: Enforcing task alignment to defend against indirect prompt injection in LLM agents,” inProceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers). Association for Computational Linguistics, 2025. [Online]. Available: https://aclanthology.org/...

  44. [45]

    DRIFT: Dynamic rule-based defense with injection isolation for securing LLM agents,

    H. Li, X. Liu, H.-C. Chiu, D. Li, N. Zhang, and C. Xiao, “DRIFT: Dynamic rule-based defense with injection isolation for securing LLM agents,” inAnnual Conference on Neural Information Processing Systems (NeurIPS), 2025. [Online]. Available: https://arxiv.org/abs/2506.12104

  45. [46]

    ShieldAgent: Shielding agents via verifiable safety policy reasoning,

    Z. Chen, M. Kang, and B. Li, “ShieldAgent: Shielding agents via verifiable safety policy reasoning,” inProceedings of the 42nd International Conference on Machine Learning. PMLR, 2025. [Online]. Available: https://arxiv.org/abs/2503.22738

  46. [47]

    GuardAgent: Safeguard LLM agents by a guard agent via knowledge- enabled reasoning,

    Z. Xiang, L. Zheng, Y . Li, J. Hong, Q. Li, H. Xie, J. Zhang, Z. Xiong, C. Xie, C. Yang, D. Song, and B. Li, “GuardAgent: Safeguard LLM agents by a guard agent via knowledge- enabled reasoning,” inProceedings of the 42nd International Conference on Machine Learning. PMLR, 2025. [Online]. Available: https://arxiv.org/abs/2406.09187

  47. [48]

    AgentSpec: Customizable runtime enforcement for safe and reliable LLM agents,

    H. Wang, C. M. Poskitt, and J. Sun, “AgentSpec: Customizable runtime enforcement for safe and reliable LLM agents,” in Proceedings of the 48th IEEE/ACM International Conference on Software Engineering. ACM, 2026. [Online]. Available: https://arxiv.org/abs/2503.18666

  48. [49]

    RTBAS: Defending LLM agents against prompt injection and privacy leakage,

    P. Y . Zhong, S. Chen, R. Wang, M. McCall, B. L. Titzer, H. Miller, and P. B. Gibbons, “RTBAS: Defending LLM agents against prompt injection and privacy leakage,”arXiv preprint arXiv:2502.08966, 2025

  49. [50]

    Permissive information-flow analysis for large language models,

    S. A. Siddiqui, R. Gaonkar, B. Köpf, D. Krueger, A. Paverd, A. Salem, S. Tople, L. Wutschitz, M. Xia, and S. Zanella-Béguelin, “Permissive information-flow analysis for large language models,”arXiv preprint arXiv:2410.03055, 2024

  50. [51]

    Optimization-based prompt injection attack to LLM-as-a-judge,

    J. Shi, Z. Yuan, Y . Liu, Y . Huang, P. Zhou, L. Sun, and N. Z. Gong, “Optimization-based prompt injection attack to LLM-as-a-judge,” in Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2024

  51. [52]

    OpenShell: A safe, private runtime for autonomous AI agents,

    NVIDIA, “OpenShell: A safe, private runtime for autonomous AI agents,” 2026, https://github.com/NVIDIA/OpenShell

  52. [53]

    Webhooks,

    OpenClaw, “Webhooks,” 2026, https://docs.openclaw.ai/cli/webhooks. 15

  53. [54]

    Configuration,

    ——, “Configuration,” 2026, https://docs.openclaw.ai/gateway/ configuration (accessed 29, May, 2026)

  54. [55]

    Git Project,git-worktree Documentation, 2026, https://git-scm.com/ docs/git-worktree (accessed 28, May, 2026)

  55. [56]

    gws: Google Workspace CLI,

    Google Workspace, “gws: Google Workspace CLI,” 2026, https:// github.com/googleworkspace/cli (accessed 5, June, 2026)

  56. [57]

    GitHub CLI,

    GitHub, “GitHub CLI,” 2026, https://cli.github.com/ (accessed 5, June, 2026)

  57. [58]

    Imprompter: Tricking LLM agents into improper tool use,

    X. Fu, S. Li, Z. Wang, Y . Liu, R. K. Gupta, T. Berg-Kirkpatrick, and E. Fernandes, “Imprompter: Tricking LLM agents into improper tool use,”arXiv preprint arXiv:2410.14923, 2024. [Online]. Available: https://arxiv.org/abs/2410.14923

  58. [59]

    Great, now write an article about that: The crescendo multi-turn LLM jailbreak attack,

    M. Russinovich, A. Salem, and R. Eldan, “Great, now write an article about that: The crescendo multi-turn LLM jailbreak attack,” in34th USENIX Security Symposium. USENIX Association, 2025

  59. [60]

    PoisonedRAG: Knowledge corruption attacks to retrieval-augmented generation of large language models,

    W. Zou, R. Geng, B. Wang, and J. Jia, “PoisonedRAG: Knowledge corruption attacks to retrieval-augmented generation of large language models,” in34th USENIX Security Symposium. USENIX Association, 2025

  60. [61]

    An execution isolation architecture for LLM-based agentic systems,

    Y . Wu, F. Roesner, T. Kohno, N. Zhang, and U. Iqbal, “An execution isolation architecture for LLM-based agentic systems,” inNetwork and Distributed System Security Symposium 2025. San Diego, CA, USA: Internet Society, 2025. [Online]. Available: https://arxiv.org/abs/2403.04960

  61. [62]

    Optimizing agent planning for security and autonomy,

    A. Kolluri, R. Sharma, M. Costa, B. Köpf, T. Nießen, M. Russinovich, S. Tople, and S. Zanella-Béguelin, “Optimizing agent planning for security and autonomy,” inInternational Conference on Learning Representations (ICLR), 2026

  62. [63]

    Progent: Programmable privilege control for LLM agents,

    T. Shi, J. He, Z. Wang, H. Li, L. Wu, W. Guo, and D. Song, “Progent: Programmable privilege control for LLM agents,”arXiv preprint arXiv:2504.11703, 2025

  63. [64]

    Conseca: Contextual agent security: A policy for every purpose,

    L. Tsai and E. Bagdasarian, “Conseca: Contextual agent security: A policy for every purpose,” inProceedings of the 20th Workshop on Hot Topics in Operating Systems. ACM, 2025. [Online]. Available: https://arxiv.org/abs/2501.17070

  64. [65]

    SAGA: A security architecture for governing AI agentic systems,

    G. Syros, A. Suri, J. Ginesin, C. Nita-Rotaru, and A. Oprea, “SAGA: A security architecture for governing AI agentic systems,” inNetwork and Distributed System Security Symposium 2026. San Diego, CA, USA: Internet Society, 2026

  65. [66]

    Claude Code hooks reference,

    Anthropic, “Claude Code hooks reference,” 2026, https://code.claude. com/docs/en/hooks#hooks-reference (accessed 11, June, 2026)

  66. [67]

    Hermes Agent: Hooks,

    Nous Research, “Hermes Agent: Hooks,” 2026, https://hermes-agent. nousresearch.com/docs/user-guide/features/hooks (accessed 11, June, 2026)

  67. [68]

    Make agent defeat agent: Automatic detection of Taint-Style vulnerabilities in LLM-based agents,

    F. Liu, Y . Zhang, J. Luo, J. Dai, T. Chen, L. Yuan, Z. Yu, Y . Shi, K. Li, C. Zhouet al., “Make agent defeat agent: Automatic detection of Taint-Style vulnerabilities in LLM-based agents,” in34th USENIX Security Symposium. USENIX Association, 2025, pp. 3767–3786. Appendix A. Implementation DUALVIEW is implemented as an OpenClaw plugin, based on OpenClaw ...

  68. [69]

    Quarterly report

    https://github.com/compsec-snu/dualview /home/user/apple/banana/workspace ordinary workspace filesHumanView files .git/ordinary Git, optional ~/.dualview/workspaces/DUALVIEWfile-system management %2Fhome%2Fuser%2Fapple%2Fbanana/encoded workspace path repo.git/DUALVIEWGit agentview/Agent File Systemfor the workspace conflicts.logsync conflict log Figure 8:...