REVIEW 2 major objections 7 minor 65 references
AI agents fail to isolate trusted from untrusted data, so attackers can forge the metadata the agent relies on.
Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →
T0 review · grok-4.5
2026-07-11 08:30 UTC pith:ONU7D72C
load-bearing objection Solid applied security paper: ADI is a real, under-addressed IPI class with named-product PoCs and defense-gap data; format-knowledge is a real precondition but not a paper-killing flaw. the 2 major comments →
Agent Data Injection Attacks are Realistic Threats to AI Agents
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Agent data injection is a distinct class of indirect prompt injection: by injecting probabilistic delimiters into untrusted fields, an attacker makes the model interpret attacker-controlled content as trusted agent data, so the agent follows the user’s task but on forged security anchors. Existing defenses that only separate instructions from data do not stop this, and real web and coding agents are vulnerable in practice.
What carries the argument
Probabilistic delimiter injection: character sequences that tools treat as plain text (including escaped or inexact delimiters) but that language models still parse as structural boundaries, shifting untrusted payload into the trusted half of the agent context (formalized as LLM(I,(DT,DU∥DA))≈ADI LLM(I,(DT∥DA,DU))).
Load-bearing premise
The attacker can learn or recover the target agent’s data format—how tool responses, element IDs, and tool-call blocks are serialized—so the forged delimiters land in the right places.
What would settle it
If agents that fully isolate trusted metadata from untrusted fields (or randomize all security anchors so they cannot be forged) show near-zero ADI success while still completing the same tasks, the claim that current agents lack this isolation as a practical security gap would fail.
If this is right
- Defenses that only stop instruction injection will leave agents open to forged IDs, origins, and tool histories.
- Web agents that expose predictable element IDs can be steered into XSS-like arbitrary clicks from user-generated content.
- Coding agents that trust origin metadata or tool-call blocks can be tricked into RCE or merging malicious PRs without reviewing real code.
- Practical agent security needs fine-grained trusted/untrusted isolation inside agent data, not only instruction/data separation.
- Randomization of field names and IDs helps for key-value formats; broad sanitization of delimiters costs substantial utility.
Where Pith is reading between the lines
- Agent frameworks that serialize tool results as free-form text without a trusted schema layer will keep recreating this class of bug.
- The same pattern should appear in any agent that treats origin stamps, resource IDs, or prior tool transcripts as security anchors while still concatenating untrusted bodies into the same context.
- Format secrecy alone is a brittle control: once a format is observed or reverse-engineered once, every deployment sharing it becomes a target.
- Future red-team benchmarks for agents need separate ADI suites; instruction-injection scores alone will overstate security.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces agent data injection (ADI) as a distinct category of indirect prompt injection: rather than causing untrusted content to be read as instructions, ADI causes it to be read as trusted agent data (DT)—security-critical metadata such as element IDs, origin fields, or tool-call history—via probabilistic delimiter injection. The authors formalize the distinction from instruction injection (Eqs. 1–2), demonstrate end-to-end attacks on real web and coding agents (arbitrary click; RCE via origin spoof; supply-chain merge of a malicious PR), evaluate probabilistic delimiter injection on six off-the-shelf models (JSON and web DOM), and show that most existing IPI defenses leave substantial ADI ASR in an AgentDojo extension while instruction injection is near zero. They argue that current agents fail a basic isolation principle between trusted and untrusted data within the agent context.
Significance. If the results hold, the paper identifies a practically important and under-addressed attack surface for AI agents: defenses that only separate instructions from data do not protect security anchors that live inside agent data. The contribution is concrete rather than purely conceptual: named-product PoCs with responsible disclosure, a controlled delimiter-injection benchmark (multiple models, delimiter variants, structural consistency, randomization/sanitization), and an AgentDojo extension that cleanly contrasts ADI with instruction injection under several published defenses. Open artifacts and vendor disclosure strengthen the work. The framing (probabilistic vs deterministic delimiter injection; DT vs DU isolation) is useful for the field even if some end-to-end scenarios depend on format recovery.
major comments (2)
- [§4.3, §7, Appendix D] §3.1, §4.3, §7, and Appendix D: End-to-end realism of the tool-call/response injection (supply-chain) attack depends on recovering server-side tool-call block delimiters (e.g., <function_calls>/<function_results>, Gemini’s <ctrl46> tags). The paper recovers these via jailbreak and explicitly leaves systematic format extraction to future work. That is a load-bearing precondition for the §4.3 claim as stated, and weaker than the agent-side recoveries used for element-ID and origin injection (§4.1–§4.2), which are more convincingly realistic. Please either (i) qualify the supply-chain result as contingent on successful format extraction and separate it from the stronger agent-side PoCs in the abstract/intro impact claims, or (ii) provide reproducible evidence that the exact delimiters used at inference time are stably recoverable without privileged access. Isolated probabilistic misparsing
- [§6.2, Figure 9] §6.2 / Figure 9: Agent-level evaluation is reported only with GPT-5.2, while the LLM isolation study covers six models. The central claim that ADI is effective “in AI agent settings” and that defenses fail against ADI would be stronger with at least one additional model (or a short multi-model subset) under the same AgentDojo + defense harness, especially given model-dependent baseline ASR in Table 2 (31.3–43.3% JSON; 33.3–100% DOM). Without that, it is hard to know whether the ~50% ADI ASR and near-zero II ASR generalize beyond a single hardened API. A limited multi-model agent run, or a clear limitation statement with expected variance, is needed for the agent-setting claim.
minor comments (7)
- [Abstract, §1] Abstract and §1: Phrases such as “easily bypasses existing IPI defenses” should be aligned with §5–§6.2, where CaMeL Strict achieves 0% ASR (at large utility cost) and randomization/sandboxing partially help. Prefer “most existing instruction-focused defenses” or similar.
- [Figure 2, Figure 4] Figure 2 / Figure 4: The trusted/untrusted coloring is helpful; ensure the caption explicitly states which fields are DT vs DU for readers skimming the formalization in §3.2.
- [Table 3] Table 3: “real” delimiters are shown with ASR “–”; a one-line note that true unescaped delimiters are often blocked by tool escaping (JSON) or are the baseline DOM case would avoid confusion.
- [§5, Table 2] §5 Randomization: ChatGPT Atlas is cited as using nonces; a brief note on whether nonce entropy/length assumptions are stated would help readers assess ASR-C vs ASR-N in Table 2.
- [§4, Appendix E] §E PoC figures: Confirmation dialogs (Figures 13, 16, 20) are important evidence that UI approval is insufficient; consider calling this out once in the main §4 text with a single cross-reference rather than only in the appendix.
- [References, Abstract, §8] Typos / polish: “https://https://code.claude.com” in the Claude Code reference; “signifying that current AI agents do not employ a fundamental security principle: current agents do not isolate…” is redundant—tighten once in abstract and conclusion.
- [§7] Related work: Concurrent “data injection” on resumes [65] is distinguished; a short sentence on how ADI relates to classic structured-injection literature beyond SQL/XSS (e.g., log/header injection, multipart parsers) would situate probabilistic delimiter injection more clearly.
Circularity Check
No circular derivation: ADI is an empirical security claim measured on external models, agents, and defenses, not a result forced by its own definitions or self-citations.
full rationale
This is an empirical systems/security paper. The central claim—that probabilistic delimiter injection can make LLMs treat untrusted fields as trusted agent data (DT), yielding realistic end-to-end impact and bypassing instruction/data-separation defenses—is supported by (i) a definitional formalization contrasting II vs ADI (Eqs. 1–2), which frames the attack class rather than deriving measured impact from itself; (ii) PoCs on third-party agents (Claude in Chrome, Antigravity, Nanobrowser, Claude Code, Codex, Gemini CLI); and (iii) quantitative ASR/utility on off-the-shelf LLMs and AgentDojo under external defense implementations (Prompt Guard, LlamaFirewall, IsolateGPT, Progent, CaMeL). There is no fitted parameter renamed as a prediction, no uniqueness theorem imported from the authors to forbid alternatives, and no load-bearing self-citation chain that reduces the result to an unverified prior claim by the same group. Self-citations (e.g., Prompt Flow Integrity as related dual-LLM/IFC work) are background, not the proof of ADI effectiveness. Threat-model caveats about format recovery (jailbreaks for server-side delimiters) affect realism assumptions, not circularity of the derivation. Score 0 is the honest finding.
Axiom & Free-Parameter Ledger
axioms (5)
- domain assumption LLMs interpret structured agent data probabilistically and can treat inexact or escaped delimiter-like sequences as structural boundaries.
- domain assumption Real agent tools concatenate trusted metadata and attacker-controllable fields into one LLM-visible context without a hard isolation boundary.
- domain assumption Attacker can write content into external resources the agent later retrieves (comments, emails, PR descriptions, reviews) but cannot edit system/user prompts.
- ad hoc to paper Attacker knows or can recover the agent’s data format (serialization, IDs, tool-call delimiters).
- domain assumption User confirmation dialogs that omit precise element/rationale details do not reliably stop attacks once the LLM’s reasoning is already poisoned.
invented entities (2)
-
Agent data injection (ADI) as an IPI category
independent evidence
-
Probabilistic delimiter injection
independent evidence
read the original abstract
AI agents act on behalf of user prompts, consuming external data and taking actions based on the agent context. Prior research on AI agent security has primarily focused on indirect prompt injection (IPI). Its most well-studied category is instruction injection, where attacker-controlled untrusted data is interpreted as an instruction. In response, many mitigations have been proposed to prevent instruction injection attacks. In this paper, we introduce a new category of IPI, agent data injection attacks (ADI). ADI injects malicious data disguised as trusted data, such as security-critical metadata (e.g., resource identifiers or data origins) or agent context data (e.g., tool call and response formats). As a result, agents unknowingly execute unintended actions based on attacker-controlled data. ADI has similar attack impacts as instruction injection attacks, because it causes agents to misbehave and execute unintended actions. Despite the similar impact, ADI remains underexplored and easily bypasses existing IPI defenses. We found several critical vulnerabilities in real-world agents that allow an attacker to launch various attacks: arbitrary click attacks on web agents (Claude in Chrome, Antigravity, and Nanobrowser), and remote code execution and supply-chain attacks on coding agents (Claude Code, Codex, and Gemini CLI). We evaluate ADI vulnerabilities across off-the-shelf models and AI agents, and find that ADI is effective in both standalone LLMs and AI agent settings. ADI exposes a critical gap in agent security, signifying that current AI agents do not employ a fundamental security principle: current agents do not isolate trusted data from untrusted data.
Figures
Reference graph
Works this paper leans on
-
[1]
Chatgpt,
OpenAI, “Chatgpt,” 2026, https://chat.openai.com (accessed 11, June, 2026)
2026
-
[2]
Claude in chrome,
Anthropic, “Claude in chrome,” 2026, https://www.claude.com/chrome (accessed 11, June, 2026)
2026
-
[3]
Google gemini cli,
Google, “Google gemini cli,” 2026, https://geminicli.com (accessed 11, June, 2026)
2026
-
[4]
Cross-site scripting (xss) attacks and defense mechanisms: classification and state-of-the-art,
S. Gupta and B. B. Gupta, “Cross-site scripting (xss) attacks and defense mechanisms: classification and state-of-the-art,”International Journal of System Assurance Engineering and Management, vol. 8, no. Suppl 1, pp. 512–530, 2017
2017
-
[5]
Clarke-Salt,SQL injection attacks and defense
J. Clarke-Salt,SQL injection attacks and defense. Elsevier, 2009
2009
-
[6]
Not what you’ve signed up for: Compromising real- world llm-integrated applications with indirect prompt injection,
K. Greshake, S. Abdelnabi, S. Mishra, C. Endres, T. Holz, and M. Fritz, “Not what you’ve signed up for: Compromising real- world llm-integrated applications with indirect prompt injection,” in Proceedings of the 16th ACM workshop on artificial intelligence and security, 2023, pp. 79–90
2023
-
[7]
Prompt injection attack against llm-integrated applications,
Y . Liu, G. Deng, Y . Li, K. Wang, Z. Wang, X. Wang, T. Zhang, Y . Liu, H. Wang, Y . Zhenget al., “Prompt injection attack against llm-integrated applications,”arXiv preprint arXiv:2306.05499, 2023
Pith/arXiv arXiv 2023
-
[8]
Imprompter: Tricking llm agents into improper tool use,
X. Fu, S. Li, Z. Wang, Y . Liu, R. K. Gupta, T. Berg-Kirkpatrick, and E. Fernandes, “Imprompter: Tricking llm agents into improper tool use,”arXiv preprint arXiv:2410.14923, 2024
Pith/arXiv arXiv 2024
-
[9]
The instruction hierarchy: Training llms to prioritize privileged instructions,
E. Wallace, K. Xiao, R. Leike, L. Weng, J. Heidecke, and A. Beutel, “The instruction hierarchy: Training llms to prioritize privileged instructions,”arXiv preprint arXiv:2404.13208, 2024
Pith/arXiv arXiv 2024
-
[10]
{StruQ}: Defending against prompt injection with structured queries,
S. Chen, J. Piet, C. Sitawarin, and D. Wagner, “ {StruQ}: Defending against prompt injection with structured queries,” in34th USENIX Security Symposium (USENIX Security 25), 2025, pp. 2383–2400
2025
-
[11]
Datasentinel: A game-theoretic detection of prompt injection attacks,
Y . Liu, Y . Jia, J. Jia, D. Song, and N. Z. Gong, “Datasentinel: A game-theoretic detection of prompt injection attacks,” in2025 IEEE Symposium on Security and Privacy (SP). IEEE, 2025, pp. 2190– 2208
2025
-
[12]
Promptarmor: Simple yet effective prompt injection defenses,
T. Shi, K. Zhu, Z. Wang, Y . Jia, W. Cai, W. Liang, H. Wang, H. Alzahrani, J. Lu, K. Kawaguchiet al., “Promptarmor: Simple yet effective prompt injection defenses,”arXiv preprint arXiv:2507.15219, 2025
Pith/arXiv arXiv 2025
-
[13]
Prompt flow integrity to prevent privilege escalation in llm agents,
J. Kim, W. Choi, and B. Lee, “Prompt flow integrity to prevent privilege escalation in llm agents,”arXiv preprint arXiv:2503.15547, 2025
Pith/arXiv arXiv 2025
-
[14]
Defeating prompt injections by design,
E. Debenedetti, I. Shumailov, T. Fan, J. Hayes, N. Carlini, D. Fabian, C. Kern, C. Shi, A. Terzis, and F. Tramèr, “Defeating prompt injections by design,”arXiv preprint arXiv:2503.18813, 2025
Pith/arXiv arXiv 2025
-
[15]
Claude code,
Anthropic, “Claude code,” 2026, https://https://code.claude.com (ac- cessed 11, June, 2026)
2026
-
[16]
OpenAI, “Codex,” 2026, https://openai.com/codex (accessed 11, June, 2026)
2026
-
[17]
Google antigravity,
Google, “Google antigravity,” 2026, https://antigravity.google (ac- cessed 11, June, 2026)
2026
-
[18]
Nanobrowser - open source ai web agent,
Nanobrowser, “Nanobrowser - open source ai web agent,” 2026, https: //nanobrowser.ai (accessed 11, June, 2026)
2026
-
[19]
Agentdojo: A dynamic environment to evaluate prompt injection attacks and defenses for LLM agents,
E. Debenedetti, J. Zhang, M. Balunovic, L. Beurer-Kellner, M. Fischer, and F. Tramèr, “Agentdojo: A dynamic environment to evaluate prompt injection attacks and defenses for LLM agents,” inThe Thirty-eight Conference on Neural Information Processing Systems Datasets and Benchmarks Track, 2024. [Online]. Available: https://openreview.net/forum?id=m1YY AQjO3w
2024
-
[20]
Toolformer: Language models can teach themselves to use tools,
T. Schick, J. Dwivedi-Yu, R. Dessì, R. Raileanu, M. Lomeli, E. Ham- bro, L. Zettlemoyer, N. Cancedda, and T. Scialom, “Toolformer: Language models can teach themselves to use tools,”Advances in Neural Information Processing Systems, vol. 36, pp. 68 539–68 551, 2023
2023
-
[21]
Anthropic, “Claude,” 2026, https://www.claude.ai (accessed 11, June, 2026)
2026
-
[22]
Prompt infection: Llm-to-llm prompt injection within multi-agent systems,
D. Lee and M. Tiwari, “Prompt infection: Llm-to-llm prompt injection within multi-agent systems,”arXiv preprint arXiv:2410.07283, 2024
Pith/arXiv arXiv 2024
-
[23]
Eia: Environmental injection attack on generalist web agents for privacy leakage,
Z. Liao, L. Mo, C. Xu, M. Kang, J. Zhang, C. Xiao, Y . Tian, B. Li, and H. Sun, “Eia: Environmental injection attack on generalist web agents for privacy leakage,” inICLR, 2025
2025
-
[24]
Agentvigil: Generic black-box red-teaming for indirect prompt injection against llm agents,
Z. Wang, V . Siu, Z. Ye, T. Shi, Y . Nie, X. Zhao, C. Wang, W. Guo, and D. Song, “Agentvigil: Generic black-box red-teaming for indirect prompt injection against llm agents,” inFindings of the Association for Computational Linguistics: EMNLP. Association for Computational Linguistics, 2025, pp. 23 159–23 172
2025
-
[25]
Dissecting adversarial robustness of multimodal lm agents,
C. H. Wu, R. Shah, J. Y . Koh, R. Salakhutdinov, D. Fried, and A. Raghunathan, “Dissecting adversarial robustness of multimodal lm agents,” inICLR, 2025
2025
-
[26]
Data execution prevention,
Microsoft, “Data execution prevention,” 2009, https: //learn.microsoft.com/en-us/previous-versions/windows/it- pro/windows-xp/bb457155(v=technet.10)#data-execution-prevention (accessed 11, June, 2026)
2009
-
[27]
Formalizing and benchmarking prompt injection attacks and defenses,
Y . Liu, Y . Jia, R. Geng, J. Jia, and N. Z. Gong, “Formalizing and benchmarking prompt injection attacks and defenses,” inUSENIX Security, 2024
2024
-
[28]
Delimiters won’t save you from prompt injection,
S. Wilison, “Delimiters won’t save you from prompt injection,” 2023, https://simonwillison.net/2023/May/11/delimiters-wont-save-you/ (ac- cessed 11, June, 2026)
2023
-
[29]
B. Nassi, S. Cohen, and O. Yair, “Invitation is all you need! prompt- ware attacks against llm-powered assistants in production are practical and dangerous,”arXiv preprint arXiv:2508.12175, 2025
Pith/arXiv arXiv 2025
-
[30]
Chatgpt atlas,
OpenAI, “Chatgpt atlas,” 2026, https://chatgpt.com/atlas (accessed 11, June, 2026)
2026
-
[31]
Pytorch: An imperative style, high-performance deep learning library,
A. Paszke, S. Gross, F. Massa, A. Lerer, J. Bradbury, G. Chanan, T. Killeen, Z. Lin, N. Gimelshein, L. Antigaet al., “Pytorch: An imperative style, high-performance deep learning library,”Advances in neural information processing systems, vol. 32, 2019
2019
-
[32]
{TensorFlow}: a system for {Large-Scale} machine learning,
M. Abadi, P. Barham, J. Chen, Z. Chen, A. Davis, J. Dean, M. Devin, S. Ghemawat, G. Irving, M. Isardet al., “ {TensorFlow}: a system for {Large-Scale} machine learning,” in12th USENIX symposium on operating systems design and implementation (OSDI 16), 2016, pp. 265–283
2016
-
[33]
Github cli,
GitHub, Inc., “Github cli,” 2026, https://cli.github.com/ (accessed 11, 14 June, 2026)
2026
-
[34]
Github mcp server,
——, “Github mcp server,” 2025, https://github.com/github/github- mcp-server (accessed 11, June, 2026)
2025
-
[35]
Keeping llms aligned after fine-tuning: The crucial role of prompt templates,
K. Lyu, H. Zhao, X. Gu, D. Yu, A. Goyal, and S. Arora, “Keeping llms aligned after fine-tuning: The crucial role of prompt templates,” Advances in Neural Information Processing Systems, vol. 37, pp. 118 603–118 631, 2024
2024
-
[36]
Llamafirewall: An open source guardrail system for building secure ai agents,
S. Chennabasappa, C. Nikolaidis, D. Song, D. Molnar, S. Ding, S. Wan, S. Whitman, L. Deason, N. Doucette, A. Montillaet al., “Llamafirewall: An open source guardrail system for building secure ai agents,”arXiv preprint arXiv:2505.03574, 2025
Pith/arXiv arXiv 2025
-
[37]
Design patterns for securing llm agents against prompt injections,
L. Beurer-Kellner, B. Buesser, A.-M. Cre¸ tu, E. Debenedetti, D. Dobos, D. Fabian, M. Fischer, D. Froelicher, K. Grosse, D. Naeffet al., “Design patterns for securing llm agents against prompt injections,” arXiv preprint arXiv:2506.08837, 2025
Pith/arXiv arXiv 2025
-
[38]
IsolateGPT: An Execution Isolation Architecture for LLM-Based Agentic Systems,
Y . Wu, F. Roesner, T. Kohno, N. Zhang, and U. Iqbal, “IsolateGPT: An Execution Isolation Architecture for LLM-Based Agentic Systems,” inNetwork and Distributed System Security (NDSS) Symposium, 2025
2025
-
[39]
Ace: A security architecture for llm-integrated app systems,
E. Li, T. Mallick, E. Rose, W. Robertson, A. Oprea, and C. Nita- Rotaru, “Ace: A security architecture for llm-integrated app systems,” arXiv preprint arXiv:2504.20984, 2025
Pith/arXiv arXiv 2025
-
[40]
Progent: Programmable privilege control for llm agents,
T. Shi, J. He, Z. Wang, H. Li, L. Wu, W. Guo, and D. Song, “Progent: Programmable privilege control for llm agents,”arXiv preprint arXiv:2504.11703, 2025
Pith/arXiv arXiv 2025
-
[41]
Contextual agent security: A policy for every purpose,
L. Tsai and E. Bagdasarian, “Contextual agent security: A policy for every purpose,” inProceedings of the 2025 Workshop on Hot Topics in Operating Systems, 2025, pp. 8–17
2025
-
[42]
Towards automating data access permissions in ai agents,
Y . Wu, K. Yang, F. Roesner, T. Kohno, N. Zhang, and U. Iqbal, “Towards automating data access permissions in ai agents,” in2026 IEEE Symposium on Security and Privacy (SP), 2026
2026
-
[43]
The dual llm pattern for building ai assistants that can resist prompt injection,
S. Willison, “The dual llm pattern for building ai assistants that can resist prompt injection,” 2023, https://simonwillison.net/2023/Apr/25/ dual-llm-pattern/ (accessed 11, June, 2026)
2023
-
[44]
F. Wu, E. Cecchetti, and C. Xiao, “System-level defense against indi- rect prompt injection attacks: An information flow control perspective,” arXiv preprint arXiv:2409.19091, 2024
Pith/arXiv arXiv 2024
-
[45]
Securing ai agents with information-flow control,
M. Costa, B. Köpf, A. Kolluri, A. Paverd, M. Russinovich, A. Salem, S. Tople, L. Wutschitz, and S. Zanella-Béguelin, “Securing ai agents with information-flow control,”arXiv preprint arXiv:2505.23643, 2025
Pith/arXiv arXiv 2025
-
[46]
Permissive information-flow analysis for large language models,
S. A. Siddiqui, R. Gaonkar, B. Köpf, D. Krueger, A. Paverd, A. Salem, S. Tople, L. Wutschitz, M. Xia, and S. Zanella-Béguelin, “Permissive information-flow analysis for large language models,”arXiv preprint arXiv:2410.03055, 2024
arXiv 2024
-
[47]
How good are llms at processing tool outputs?
K. Kate, Y . Rizk, P. Ghosh, A. Gulati, T. Chakraborti, Z. Wright, and M. Agarwal, “How good are llms at processing tool outputs?”arXiv preprint arXiv:2510.15955, 2025
arXiv 2025
-
[48]
Llama prompt guard 2,
Meta AI, “Llama prompt guard 2,” 2025, https://huggingface.co/meta- llama/Llama-Prompt-Guard-2-86M (accessed 11, June, 2026)
2025
-
[49]
React: Synergizing reasoning and acting in language models,
S. Yao, J. Zhao, D. Yu, N. Du, I. Shafran, K. R. Narasimhan, and Y . Cao, “React: Synergizing reasoning and acting in language models,” inThe eleventh international conference on learning representations, 2022
2022
-
[50]
Great, now write an article about that: The crescendo {Multi-Turn}{LLM} jailbreak attack,
M. Russinovich, A. Salem, and R. Eldan, “Great, now write an article about that: The crescendo {Multi-Turn}{LLM} jailbreak attack,” in 34th USENIX Security Symposium (USENIX Security 25), 2025
2025
-
[51]
Universal adversarial triggers for attacking and analyzing NLP,
E. Wallace, S. Feng, N. Kandpal, M. Gardner, and S. Singh, “Universal adversarial triggers for attacking and analyzing NLP,” inEmpirical Methods in Natural Language Processing, 2019
2019
-
[52]
Autodan: Generating stealthy jailbreak prompts on aligned large language models,
X. Liu, N. Xu, M. Chen, and C. Xiao, “Autodan: Generating stealthy jailbreak prompts on aligned large language models,” inThe Twelfth International Conference on Learning Representations, 2024
2024
-
[53]
Open sesame! universal black- box jailbreaking of large language models,
R. Lapid, R. Langberg, and M. Sipper, “Open sesame! universal black- box jailbreaking of large language models,”Applied Sciences, vol. 14, no. 16, p. 7150, 2024
2024
-
[54]
Jailbreak attacks and defenses against large language models: A survey,
S. Yi, Y . Liu, Z. Sun, T. Cong, X. He, J. Song, K. Xu, and Q. Li, “Jailbreak attacks and defenses against large language models: A survey,”arXiv preprint arXiv:2407.04295, 2024
Pith/arXiv arXiv 2024
-
[55]
Pleak: Prompt leaking attacks against large language model applications,
B. Hui, H. Yuan, N. Gong, P. Burlina, and Y . Cao, “Pleak: Prompt leaking attacks against large language model applications,” inPro- ceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, 2024
2024
-
[56]
Ignore previous prompt: Attack techniques for language models,
F. Perez and I. Ribeiro, “Ignore previous prompt: Attack techniques for language models,”arXiv preprint arXiv:2211.09527, 2022
Pith/arXiv arXiv 2022
-
[57]
Effective prompt extraction from language models,
Y . Zhang, N. Carlini, and D. Ippolito, “Effective prompt extraction from language models,”arXiv preprint arXiv:2307.06865, 2024
Pith/arXiv arXiv 2024
-
[58]
Les dissonances: Cross-tool harvesting and polluting in multi-tool empowered llm agents,
Z. Li, J. Cui, X. Liao, and L. Xing, “Les dissonances: Cross-tool harvesting and polluting in multi-tool empowered llm agents,” in NDSS, 2026
2026
-
[59]
Task injection – exploiting agency of autonomous ai agents,
J. Kokatsu, “Task injection – exploiting agency of autonomous ai agents,” 2025, https://bughunters.google.com/blog/task-injection- exploiting-agency-of-autonomous-ai-agents (accessed 11, June, 2026)
2025
-
[60]
Optimization-based prompt injection attack to llm-as-a-judge,
J. Shi, Z. Yuan, Y . Liu, Y . Huang, P. Zhou, L. Sun, and N. Z. Gong, “Optimization-based prompt injection attack to llm-as-a-judge,” in Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, 2024
2024
-
[61]
Agentpoison: Red-teaming llm agents via poisoning memory or knowledge bases,
Z. Chen, Z. Xiang, C. Xiao, D. Song, and B. Li, “Agentpoison: Red-teaming llm agents via poisoning memory or knowledge bases,” Advances in Neural Information Processing Systems, vol. 37, pp. 130 185–130 213, 2024
2024
-
[62]
Injecagent: Benchmarking indirect prompt injections in tool-integrated large language model agents,
Q. Zhan, Z. Liang, Z. Ying, and D. Kang, “Injecagent: Benchmarking indirect prompt injections in tool-integrated large language model agents,”arXiv preprint arXiv:2403.02691, 2024
Pith/arXiv arXiv 2024
-
[63]
Benchmarking and defending against indirect prompt injection attacks on large language models,
J. Yi, Y . Xie, B. Zhu, E. Kiciman, G. Sun, X. Xie, and F. Wu, “Benchmarking and defending against indirect prompt injection attacks on large language models,” inProceedings of the 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining V . 1, 2025, pp. 1809–1820
2025
-
[64]
WASP: Benchmarking web agent security against prompt injection attacks,
I. Evtimov, A. Zharmagambetov, A. Grattafiori, C. Guo, and K. Chaud- huri, “WASP: Benchmarking web agent security against prompt injection attacks,” inThe Thirty-ninth Annual Conference on Neural Information Processing Systems Datasets and Benchmarks Track, 2026
2026
-
[65]
Measuring real-world prompt injection attacks in llm-based resume screening,
M. Zhang, Y . Jia, Z. Tan, S. Jiang, N. Z. Gong, T. Chen, and D. Song, “Measuring real-world prompt injection attacks in llm-based resume screening,”arXiv preprint arXiv:2605.28999, 2026. Appendix A. Probabilistic Delimiter Injection Benchmark Details Table 5 details the seven data categories used in the probabilistic delimiter injection evaluation (§6.1)...
Pith/arXiv arXiv 2026
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.