Pith. sign in

REVIEW 2 major objections 10 minor 34 references

LLMs hallucinate resource names — attackers can squat them for botnets

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · glm-5.2

2026-07-09 10:54 UTC pith:SOONOOV3

load-bearing objection New attack class: LLM hallucination squatting against agentic apps — real, but end-to-end evidence is narrow the 2 major comments →

arxiv 2607.07433 v1 pith:SOONOOV3 submitted 2026-07-08 cs.CR

Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting

classification cs.CR
keywords promptwarehallucination squattingagentic LLM securityindirect prompt injectionbotnettyposquattingsupply chain attackremote code execution
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper introduces adversarial HalluSquatting, a technique that exploits a structural property of large language models — their tendency to predictably hallucinate identifiers for resources not in their training data — to mount scalable, untargeted attacks against agentic LLM applications without any direct injection channel. The core mechanism is: when a user asks an AI coding assistant or AI assistant to clone a trending repository or install a trending skill, the underlying LLM must resolve a partial name to a full identifier (e.g., owner/repo on GitHub or a skill slug on a marketplace). For resources created after the model's training cutoff, the model fabricates the missing identifier component. The paper shows these fabrications are systematic, transferable across model families (Gemini, GPT, Claude), and concentrated enough that an attacker can predict the most likely hallucinated identifier, register it in advance, and embed adversarial prompts in the registered resource. When the agent hallucinates the squatted identifier, it fetches the attacker-controlled resource, ingests its content as trusted context, and executes embedded instructions — achieving remote code execution at rates of 20–100% across six production coding assistants (Cursor, Windsurf, Gemini CLI, Copilot, Cline, OpenClaw) and three assistant platforms. The paper identifies a self-referential hallucination pattern (repo-name/repo-name) as a zero-probing attack vector requiring no model queries at all, and a word-removal pattern in skill installation where boilerplate tokens are stripped from user requests. The attack scales because one registered resource intercepts traffic from many independent users issuing common prompts about trending resources, enabling botnet formation through reverse shells installed via the agent's integrated terminal.

Core claim

The central discovery is that LLM hallucinations of resource identifiers are not random errors but predictable, transferable, and exploitable at scale. The paper demonstrates this through three findings: (1) For repositories created after a model's training cutoff, foundational LLMs hallucinate the repository owner in 92% of cases (vs. 0.9% for older repositories), with a self-referential pattern (repo-name/repo-name) appearing across all six model families tested and serving as the top hallucination in 15 of 60 repository-model combinations. (2) These hallucinations transfer from the foundational model layer into production applications, where they manifest as executed git clone commands or

What carries the argument

The attack pipeline operates in six steps: (0) Preparation — the attacker identifies trending resources, probes an LLM to compute a distribution over hallucinated identifiers, identifies the highest-probability squattable candidate (the universal squatting candidate, computed via Algorithms 1 and 2 which aggregate per-model distributions into a cross-model consensus score), registers that identifier, and embeds promptware. (1) Trigger — a user issues a routine prompt like 'clone librepods' or 'install skill vetter'. (2) Planning — the agentic application uses its LLM to plan resource retrieval. (3) Hallucination — the LLM fabricates the missing identifier component (e.g., the GitHub owner),产

Load-bearing premise

The attack's real-world scalability depends on hallucinated identifiers being both registrable and concentrated enough that a small number of registrations intercept a meaningful fraction of user traffic. The paper's own data shows high variance: some repository-model combinations produce up to 91 distinct hallucinated slugs, the top universal candidate captures only 9–35% of hallucinations per repository, and end-to-end success is measured against a single carefully selected

What would settle it

The attack would fail to scale if hallucinated identifiers were uniformly distributed across hundreds of distinct values (making any single registration ineffective), if platforms enforced global name uniqueness preventing namespace squatting, or if agentic applications universally enforced search-before-fetch workflows. The paper's own data shows that four of six models in Cursor CLI invoke web search 59–99% of the time, dropping hallucination to 1.5–8% — suggesting that mandatory search would largely close the vulnerability.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • Agentic applications that integrate terminal access and retrieve external resources by partial names are vulnerable to a new class of supply-chain-style attack where the supply chain is the LLM's own prediction errors, not a compromised package registry.
  • Web search before resource retrieval is the most effective mitigation identified: when applications search before fetching, 93.4% of outcomes are correct; without search, 99.1% are hallucinated. But search is invoked inconsistently — skipped in 32% of slug-producing runs — and depends on both the model and prompt phrasing, meaning no prompt is universally safe.
  • The self-referential hallucination pattern enables a zero-probing attack: an attacker who registers the repo-name username for each new GitHub Trending entry intercepts hallucinated clones across all models without ever querying an LLM, lowering the attack barrier to near zero.
  • Platforms like GitHub and ClawHub face a structural dilemma: allowing namespace-based registration (owner/repo) enables squatting, but eliminating namespaces breaks existing addressing. The paper's disclosure responses show most vendors classify this as out-of-scope for bug bounties, treating it as expected behavior rather than a platform vulnerability.
  • The attack surface extends beyond repositories and skills to any platform where LLMs resolve partial identifiers to full resource locations — Docker Hub, Hugging Face, package registries, and the broader web.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The training-cutoff boundary creates a temporal vulnerability window: any resource that becomes popular after a model's training data was collected is a candidate for hallusquatting until the next model update. This means the attack surface regenerates continuously as new trending resources appear faster than models are retrained.
  • The concentration of hallucinations varies sharply across models (some lock onto a single slug in 90%+ of runs, others distribute across up to 91 distinct slugs), which means the attack's real-world success rate depends heavily on the victim's specific model and application configuration. The paper's end-to-end results are measured against a single case-study target (librepods) where the self-refe
  • If platforms adopt proactive registration of likely hallucinated identifiers (analogous to typosquatting defenses), this creates an arms race: the defender must predict the same distribution the attacker predicts, but the defender must cover all models while the attacker needs only one registrable slug to succeed.
  • The word-removal vulnerability in skill installation (V1) is caused by the over-representation of the token 'skill' in ClawHub's install-guidance documentation loaded into the agent's context — suggesting that any boilerplate documentation repeatedly exposing a token creates a systematic stripping bias that can be exploited for any resource type with similar documentation patterns.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

2 major / 10 minor

Summary. The paper introduces 'adversarial hallucination squatting,' a technique where an attacker identifies trending resources (GitHub repositories, ClawHub skills), predicts LLM-hallucinated resource identifiers via probing, preemptively registers those identifiers, and embeds promptware payloads. The work spans two attack surfaces: (1) repository squatting against coding assistants (Cursor, Windsurf, Gemini CLI, Copilot, Cline) and (2) skill squatting against personal assistants (OpenClaw, ZeroClaw, NanoClaw). The foundational-layer experiments (Section 3.3) systematically measure hallucination rates across six LLMs and 15 repositories, finding near-100% hallucination for recent repositories and near-0% for old ones. The application-layer experiments (Section 3.4) measure how hallucinations propagate into production assistants and how web search mitigates them. End-to-end attacks (Table 1) demonstrate RCE and tool invocation at rates of 20-100% across applications. The skill-squatting experiments (Section 4) identify two vulnerability classes (V1: word removal, V2: display-name/slug divergence) and demonstrate 90%+ squat rates across skills and assistants. The paper includes responsible disclosure to all affected vendors and IRB approval.

Significance. The paper makes a significant contribution to the promptware and LLM security literature by identifying a novel, scalable, untargeted attack vector that requires no direct injection channel. The foundational-layer experiments are rigorous: 14,000+ runs across six LLMs, well-controlled with old-repository baselines (Table 3), and the universal scoring algorithm (Algorithms 1-2) provides a principled, parameter-light method for ranking squatting candidates. The discovery that self-referential slugs (repo-name/repo-name) enable a zero-probing attack is a particularly sharp and actionable finding. The skill-squatting analysis (V1/V2 classes) is well-structured and the cross-assistant transferability results (Table 11) are convincing. The responsible disclosure process, with documented vendor responses, adds practical value. The paper's core insight—that LLM hallucination is predictable, transferable, and exploitable for untargeted promptware—is both novel and well-supported by the breadth of experimentation.

major comments (2)
  1. §3.4.4, Table 1: The end-to-end attack results (20-65% RCE across coding assistants) are demonstrated exclusively against the librepods repository, which has an unusually favorable hallucination concentration (51-57% universal score, Table 13). Table 5 shows that for the other 10 trending repositories, the top-1 universal candidate captures only 9-35% of hallucinations, and the top-5 together capture 24-84%. The central scalability claim would be substantially strengthened by at least one additional end-to-end demonstration against a repository with less favorable concentration (e.g., Kronos at 13.9% or Archon at 16.7%). Without this, the reader cannot assess how the end-to-end success rate degrades for typical repositories. The authors should either provide such a demonstration or explicitly scope the Table 1 results as a best-case bound and discuss the expected degradation.
  2. §3.4.1: Four of six models in Cursor CLI invoke web search 59-99% of the time, dropping hallucination to 1.5-8% for recent repositories. This means the end-to-end attack (Table 1) is only viable for the two Claude models that avoid search. The paper's framing of the attack as 'universal across multiple LLM coding assistants' (Insight 7) should be qualified: the attack is universal across the tested applications, but its success is heavily conditioned on the model's search behavior. The paper should clarify which models were used in the end-to-end trials (Table 1 does not specify the model for each application) and report the per-model end-to-end success rate, so the reader can assess whether the 20-65% figures reflect search-avoiding models or an average across all models including search-prone ones.
minor comments (10)
  1. Abstract: 'from the Inte' appears to be a truncation; should read 'from the Internet.'
  2. §1, paragraph 4: 'comprised resource' should be 'compromised resource.' This typo recurs in the threat model description.
  3. Table 1: The 'Overall' column is unlabeled in the caption; it should be defined as the product of resource-fetched rate and payload-execution rate, or whatever aggregation method was used.
  4. Table 1: Sample sizes are inconsistent (20 trials for coding assistants, 10 for OpenClaw/ZeroClaw/NanoClaw). The caption should note this and explain the rationale for the different sample sizes.
  5. §3.3.1: The mean hallucination rate of 92.4% for recent repositories is reported, but the per-model means in Table 3 range from 72.3% (Opus) to 100% (Gemini Flash/Pro). The text should clarify whether 92.4% is the mean across all 60 (repo, model) combinations or the mean of per-model means.
  6. §3.3.2, Insight 3: The claim that 'every trending repository has at least one registrable squatting candidate within the top 10 universal scores' is strong but the supporting data (Table 5) only shows the top-1 candidate. The full top-10 rankings should be referenced or included in the appendix to support this claim.
  7. §4.2, V2 non-English sub-case: The claim that ClawHub's similarity search is 'dominated by English tokens' is plausible but not independently verified. A brief analysis of the search ranking algorithm or a controlled experiment varying the documentation language would strengthen this claim.
  8. §7 (Limitations): The discussion of malware detection bypass is brief and relies on external references. The paper should state more directly that the end-to-end experiments used locally modified payloads (not published malicious content) and that the actual detection rate of platform scanning mechanisms was not tested.
  9. Table 5 caption: 'Score: probability score across all six models' is ambiguous. It should clarify whether this is the universal score from Algorithm 2 (sum of normalized per-model distributions divided by |M|) or a simple average.
  10. §3.4.4: The phrase 'payload sophistication as a lower bound' is used but the two payloads tested (explicit AI-targeting markers vs. disguised utility script) represent a narrow range. The claim that results constitute a 'lower bound on attacker capability' should be qualified or the payload spectrum should be documented.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for a careful and constructive review. Both major comments are well-taken and point to legitimate gaps in how the end-to-end results are scoped and contextualized. We address each below.

read point-by-point responses
  1. Referee: §3.4.4, Table 1: The end-to-end attack results (20-65% RCE across coding assistants) are demonstrated exclusively against the librepods repository, which has an unusually favorable hallucination concentration (51-57% universal score, Table 13). Table 5 shows that for the other 10 trending repositories, the top-1 universal candidate captures only 9-35% of hallucinations, and the top-5 together capture 24-84%. The central scalability claim would be substantially strengthened by at least one additional end-to-end demonstration against a repository with less favorable concentration (e.g., Kronos at 13.9% or Archon at 16.7%). Without this, the reader cannot assess how the end-to-end success rate degrades for typical repositories. The authors should either provide such a demonstration or explicitly scope the Table 1 results as a best-case bound and discuss the expected degradation.

    Authors: The referee is correct that the end-to-end results in Table 1 are demonstrated exclusively against librepods, which has an unusually favorable hallucination concentration (51-57% universal score). We agree that this leaves the reader unable to assess how the attack degrades for repositories with lower concentration. We will address this in two ways. First, we will explicitly scope the Table 1 results as a best-case bound in the revised manuscript, adding a paragraph in Section 3.4.4 that clarifies librepods was selected as a case study due to its high concentration and that the reported success rates should be interpreted as an upper bound on end-to-end effectiveness for a single registered squat. Second, we will add a discussion of expected degradation: for repositories like Kronos (13.9% top-1 universal score) or Archon (16.7%), the resource-fetch rate would scale proportionally to the universal score, and the overall end-to-end success rate would be the product of the fetch rate and the payload execution rate (which we observed to be relatively stable across assistants at 50-100%). We will include a back-of-envelope extrapolation table or paragraph. We note that the self-referential zero-probing attack (Insight 3) provides an additional attack path that does not depend on concentration at all, which partially mitigates the concentration concern for repositories where the self-referential slug is registrable. However, we agree that an additional end-to-end demonstration against a less favorable repository would be the strongest response, and we will attempt to conduct one against Kronos or Archon if time and ethical constraints permit before the camera-ready deadline. If we cannot complete it in time, the scoping and degradation discussion will be included regardless. revision: partial

  2. Referee: §3.4.1: Four of six models in Cursor CLI invoke web search 59-99% of the time, dropping hallucination to 1.5-8% for recent repositories. This means the end-to-end attack (Table 1) is only viable for the two Claude models that avoid search. The paper's framing of the attack as 'universal across multiple LLM coding assistants' (Insight 7) should be qualified: the attack is universal across the tested applications, but its success is heavily conditioned on the model's search behavior. The paper should clarify which models were used in the end-to-end trials (Table 1 does not specify the model for each application) and report the per-model end-to-end success rate, so the reader can assess whether the 20-65% figures reflect search-avoiding models or an average across all models including search-prone ones.

    Authors: The referee raises a valid and important point. Table 1 does in fact specify the model for each application (e.g., Cursor with Sonnet 4.5, Cursor CLI with Grok Code, Gemini CLI with Gemini 2.5, Windsurf with SWE-1.5, Copilot Chat with GPT-4.1, Cline with KAT-Coder-Pro V1), but we agree that the connection between these model choices and the search-behavior findings in Section 3.4.1 is not made explicit. The end-to-end trials used the default model for each application, and several of these models (e.g., Grok Code in Cursor CLI, Gemini 2.5 in Gemini CLI) are indeed models that exhibit lower search rates in our controlled experiments. We will revise the manuscript to: (1) add an explicit note in Section 3.4.4 cross-referencing the model choices in Table 1 with the search behavior results from Section 3.4.1, clarifying that the end-to-end results reflect the default model for each application and that applications whose default models search aggressively would be expected to show lower attack success rates; (2) qualify Insight 7 to state that the vulnerability is universal across the tested applications but that end-to-end success is conditioned on the model's search behavior, as demonstrated in Section 3.4.1; and (3) add a column or footnote to Table 1 indicating the search rate observed for each model in our controlled experiments. We agree that the current framing of Insight 7 overstates universality without this qualification. revision: yes

Circularity Check

0 steps flagged

No significant circularity; the attack pipeline is self-contained with one minor self-citation that is not load-bearing.

full rationale

The paper's core derivation chain is not circular. The attacker probes LLMs to discover hallucination distributions (Algorithm 1-2), registers resources externally on GitHub/ClawHub, and the victim independently fetches them. The universal score is computed from probing data and validated against separate end-to-end attack trials (Table 1). The self-referential hallucination pattern (repo-name/repo-name) is a structural prediction from the foundational-layer experiments, not a definition that presupposes the attack's success. The one self-citation (Cohen et al. [5], CCS'25) is used only for related-work positioning—contrasting targeted vs. untargeted attacks—and does not serve as a load-bearing premise for any derivation step. The end-to-end results in Table 1 are measured against live production systems, not derived from the authors' prior work. The paper's limitations (single case-study target librepods, web-search reducing hallucination) are correctly characterized as generalizability concerns, not circularity. The derivation is self-contained against external benchmarks (real production applications, real GitHub/ClawHub registrations, real RCE measurements). Score 1 reflects the minor self-citation that is contextual rather than load-bearing, and the absence of any step where a prediction reduces to its inputs by construction. The concern about librepods being an unusually favorable target is a validity/generalizability issue, not a circularity issue—the paper does not define librepods' hallucination rate in terms of the attack outcome, nor does it derive the attack success from a fitted parameter that is then 'predicted.' The probing data (Tables 3, 4, 5, 12, 13) is collected independently from the end-to-end attack measurements (Table 1), and the gap between them (e.g., web search dropping hallucination to 1.5-8%) is honestly reported rather than hidden or defined away. No step in the derivation chain reduces to its own inputs by construction, and no 'prediction' is equivalent to a fitted input renamed. The paper's claims may be overstated relative to its evidence (a correctness risk), but the logical structure of the argument is not circular. Honest non-finding of circularity is warranted here. The paper's own data sometimes contradicts its scalability claims (e.g., 91 distinct slugs for some combinations, 9-35% top-1 capture for non-librepods repos), but this is a problem of overgeneralization from a favorable case study, not of circular reasoning.

Axiom & Free-Parameter Ledger

3 free parameters · 4 axioms · 3 invented entities

The paper introduces one genuinely new technique (halluSquatting) with empirical validation, one new analytical concept (universal squatting candidate) with a clear algorithm, and one aspirational framing (agentic botnet) without end-to-end demonstration. The free parameters are sampling choices, not fitted constants. The domain assumptions are empirically supported but not formally derived.

free parameters (3)
  • K (probe count per model) = 100 (foundational), 20-50 (application)
    Number of queries used to build per-model hallucination distributions. Not fitted to the attack outcome; chosen as a practical sample size.
  • Universal score weighting = 1/|M| per model
    Equal weighting across models in Algorithm 2. A different weighting could change candidate rankings, but the choice is principled (no model dominates).
  • Trial count for skill experiments = 10
    Capped at 10 due to manual execution against live assistants. Small sample, but the paper acknowledges this.
axioms (4)
  • domain assumption LLMs hallucinate resource identifiers for resources not in their training data
    Section 3.3.1: the paper attributes the 92% hallucination rate for recent repos to their absence from training data. This is supported by the 0.9% rate for old repos, but the causal mechanism (training cutoff) is inferred, not proven.
  • domain assumption Hallucinations transfer across model families and to the application layer
    Section 3.3.2 and Tables 3-5: the paper shows cross-model transfer empirically but does not derive it from first principles. The self-referential pattern (repo-name/repo-name) is attributed to 'inherent biases at the model layer' without formal derivation.
  • domain assumption Agentic applications trust content from fetched resources
    Section 3.4.4: 'once the agent operates on attacker-controlled files, it applies the same trust as to legitimate project code.' This is observed empirically but not formally modeled.
  • domain assumption Trending resources generate sufficient user query volume to make squatting worthwhile
    Section 2, Attack Steps: the attack's scalability depends on high request volume for trending resources. The paper does not measure actual user query frequencies.
invented entities (3)
  • Adversarial HalluSquatting (attack technique) independent evidence
    purpose: Names the technique of predicting and pre-registering hallucinated resource identifiers
    Falsifiable: the hallucination rates are empirically measured, and the attack is demonstrated end-to-end against production systems.
  • Universal squatting candidate (concept) independent evidence
    purpose: A hallucinated slug that appears across multiple LLMs, enabling cross-model attacks
    Empirically validated: Table 5 shows candidates produced by 2-6 of 6 models, with registrability verified via GitHub REST API.
  • Agentic botnet (concept) no independent evidence
    purpose: Frames the attack as enabling botnet creation via compromised agentic applications
    The paper demonstrates RCE on individual machines but does not demonstrate actual botnet formation, command-and-control, or coordinated action across compromised machines. The botnet framing is aspirational.

pith-pipeline@v1.1.0-glm · 34031 in / 3184 out tokens · 554046 ms · 2026-07-09T10:54:45.694541+00:00 · methodology

0 comments
read the original abstract

The growing adoption of agentic LLM applications has introduced a new threat previously named as promptware. While prior work has established that adversaries can exploit direct channels to LLM applications to apply promptware under weak threat models, many applications do not provide any direct channels that could be exploited for prompt injection beyond the Internet. This raises a question: can attackers exploit LLM applications at scale without any direct channels in practical threat models? In this work, we show that the inherent tendency of LLMs to hallucinate resource identifiers can be exploited to amplify untargeted promptware attacks that pull adversarial prompts at scale and could be exploited to establish a botnet. We introduce adversarial hallucination squatting, a technique in which attackers identify trending resources (e.g., popular repositories, popular skills, etc.), compute the LLM distribution of hallucinations on the trending resource names, and preemptively register them to host adversarial prompts. By leveraging the predictability and transferability of hallucinations across foundational LLMs and to application layers, adversaries can significantly amplify the reach of untargeted promptware under weak threat models and establish a botnet by exploiting LLM applications to install a bot on the device that pulled the compromised hallucinated resource from the Inter. We empirically demonstrate that hallucinated resource generation occurs at high rates, up to 85% in repository cloning scenarios and up to 100% in skill installation, and that these hallucinations transfer between foundational models and different prompts. We demonstrate the practicality of adversarial hallucination squatting against various production LLM applications with integrated terminals in their set of tools, achieving remote tool execution and remote code execution.

Figures

Figures reproduced from arXiv: 2607.07433 by Avishai Wool, Aya Spira, Ben Nassi, Elad Feldman, Ron Bitton, Stav Cohen.

Figure 1
Figure 1. Figure 1: Threat model are published. (ii) the ability to register a resource on public platforms (e.g., registering a new repository on GitHub or a new skill on ClawHub). Victim Applications. Target applications include agentic systems that retrieve external resources from the Internet in response to common user queries. These resources are often sourced from platforms that allow users to register or publish new co… view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

34 extracted references · 34 canonical work pages · 4 internal anchors

  1. [1]

    Not what you’ve signed up for: Compromising real-world llm-integrated applications with indirect prompt injection

    Sahar Abdelnabi, Kai Greshake, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz. Not what you’ve signed up for: Compromising real-world llm-integrated applications with indirect prompt injection. InProceedings of the 16th ACM Workshop on Artificial Intelligence and Security, pages 79–90, 2023

  2. [2]

    Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, and Yi Zhou

    Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, and Yi Zhou. Understanding the mirai botnet. In26th USENIX Security Symposium (USENIX...

  3. [3]

    Summary zenity research published black- hat

    Michael Bargury. Summary zenity research published black- hat. https://labs.zenity.io/p/summary-zenity-research-published- blackhat-2024, 2024

  4. [4]

    https://clawhub.ai, 2026

    ClawHub. https://clawhub.ai, 2026. Accessed: 2026-04-29

  5. [5]

    Here comes the ai worm: Preventing the propagation of adversarial self-replicating prompts within genai ecosystems

    Stav Cohen, Ron Bitton, and Ben Nassi. Here comes the ai worm: Preventing the propagation of adversarial self-replicating prompts within genai ecosystems. InProceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, pages 3975– 3989, 2025

  6. [6]

    librepods

    Kavish Devar. librepods. https://github.com/kavishdevar/librepods,

  7. [7]

    Accessed: 2026-04-29

  8. [8]

    The homograph attack

    Evgeniy Gabrilovich and Alex Gontmakher. The homograph attack. Commun. ACM, 45(2):128, February 2002

  9. [9]

    Trending

    GitHub. Trending. https://github.com/trending, 2026. Accessed: 2026-04-29

  10. [10]

    Exploiting GPT-3 prompts with malicious inputs that order the model to ignore its previous directions

    Riley Goodside. Exploiting GPT-3 prompts with malicious inputs that order the model to ignore its previous directions. Twitter, September 2022

  11. [11]

    Spaiware: Uncovering a novel artificial intelligence attack vector through persistent memory in llm applications and agents.Future Generation Computer Systems, 174:107994, 2026

    Manuel Herrador and Johann Rehberger. Spaiware: Uncovering a novel artificial intelligence attack vector through persistent memory in llm applications and agents.Future Generation Computer Systems, 174:107994, 2026

  12. [12]

    Holgers, D

    T. Holgers, D. E. Watson, and S. D. Gribble. Cutting through the confusion: A measurement study of homograph attacks. InUSENIX Annual Technical Conference, 2006

  13. [13]

    A survey of attack in- stances of cryptojacking targeting cloud infrastructure

    Keshani Jayasinghe and Guhanathan Poravi. A survey of attack in- stances of cryptojacking targeting cloud infrastructure. InProceedings of the 2020 2nd Asia Pacific Information Technology Conference, APIT ’20, page 100–107, New York, NY , USA, 2020. Association for Computing Machinery

  14. [14]

    Cloak and detonate: Scanner evasion and dynamic detection of agent skill malware, 2026

    Zimo Ji, Congying Xu, Zongjie Li, Yudong Gao, Xin Wei, Shuai Wang, and Shing-Chi Cheung. Cloak and detonate: Scanner evasion and dynamic detection of agent skill malware, 2026

  15. [15]

    Importing Phantoms: Measuring LLM Package Hallucination Vulnerabilities

    Arjun Krishna, Erick Galinkin, Leon Derczynski, and Jeffrey Martin. Importing phantoms: Measuring llm package hallucination vulnera- bilities.arXiv preprint arXiv:2501.19012, 2025

  16. [16]

    Agentic artificial intel- ligence as a new frontier in information systems: Promise, peril, and research opportunities.Information & Management, page 104317, 2026

    Naveen Kumar, Xiahua Wei, and Han Zhang. Agentic artificial intel- ligence as a new frontier in information systems: Promise, peril, and research opportunities.Information & Management, page 104317, 2026

  17. [17]

    Vercel breach tied to Context AI hack exposes limited customer credentials.The Hacker News, 2026

    Ravie Lakshmanan. Vercel breach tied to Context AI hack exposes limited customer credentials.The Hacker News, 2026

  18. [18]

    Investigating security implications of automatically generated code on the software supply chain.arXiv preprint arXiv:2509.20277, 2025

    Xiaofan Li and Xing Gao. Investigating security implications of automatically generated code on the software supply chain.arXiv preprint arXiv:2509.20277, 2025

  19. [19]

    Llm-based agents suffer from hallucinations: A survey of taxonomy, methods, and directions.arXiv preprint arXiv:2509.18970, 2025

    Xixun Lin, Yucheng Ning, Jingwen Zhang, Yan Dong, Yilong Liu, Yongxuan Wu, Xiaohua Qi, Nan Sun, Yanmin Shang, Kun Wang, et al. Llm-based agents suffer from hallucinations: A survey of taxonomy, methods, and directions.arXiv preprint arXiv:2509.18970, 2025

  20. [20]

    Invitation Is All You Need! Promptware Attacks Against LLM-Powered Assistants in Production Are Practical and Dangerous

    Ben Nassi, Stav Cohen, and Or Yair. Invitation is all you need! promptware attacks against llm-powered assistants in production are practical and dangerous.arXiv preprint arXiv:2508.12175, 2025

  21. [21]

    The promptware kill chain: How prompt injections gradually evolved into a multi-step malware.arXiv preprint arXiv:2601.09625, 2026

    Ben Nassi, Bruce Schneier, and Oleg Brodt. The promptware kill chain: How prompt injections gradually evolved into a multi-step malware.arXiv preprint arXiv:2601.09625, 2026

  22. [22]

    https://openclaw.ai, 2026

    OpenClaw. https://openclaw.ai, 2026. Accessed: 2026-04-29

  23. [23]

    ClawHub skill format specifica- tion

    OpenClaw Contributors. ClawHub skill format specifica- tion. https://github.com/openclaw/clawhub/blob/main/docs/skill- format.md, 2026. Accessed: 2026-04-18

  24. [24]

    Nanoclaw

    Qwibit.ai. Nanoclaw. https://github.com/qwibitai/nanoclaw, 2026. Accessed: 2026-04-29

  25. [25]

    Trust No AI: Prompt Injection Along The CIA Security Triad

    Johann Rehberger. Trust no AI: Prompt injection along the CIA security triad.arXiv preprint arXiv:2412.06090, 2024

  26. [26]

    Embrace the red, 2026

    Johann Rehberger. Embrace the red, 2026

  27. [27]

    We have a package for you! a comprehensive analysis of package hallucinations by code generating {LLMs}

    Joseph Spracklen, Raveen Wijewickrama, AHM Nazmus Sakib, Anindya Maiti, and Bimal Viswanath. We have a package for you! a comprehensive analysis of package hallucinations by code generating {LLMs}. In34th USENIX Security Symposium (USENIX Security 25), pages 3687–3706, 2025

  28. [28]

    The long “Taile” of typosquatting domain names

    Janos Szurdi, Balazs Kocso, Gabor Cseh, Jonathan Spring, Mark Felegyhazi, and Chris Kanich. The long “Taile” of typosquatting domain names. In23rd USENIX Security Symposium (USENIX Security 14), pages 191–206, 2014

  29. [29]

    Library Hallucinations in LLM-Generated Code: A Risk Analysis Grounded in Developer Queries

    Lukas Twist, Jie M Zhang, Mark Harman, and Helen Yannakoudakis. Library hallucinations in llms: Risk analysis grounded in developer queries.arXiv preprint arXiv:2509.22202, 2025

  30. [30]

    Prompt injection attacks against GPT-3

    Simon Willison. Prompt injection attacks against GPT-3. Blog post, September 2022

  31. [31]

    https://github.com/zeroclaw-labs/zeroclaw, 2026

    ZeroClaw Labs. https://github.com/zeroclaw-labs/zeroclaw, 2026. Accessed: 2026-04-29

  32. [32]

    print a shell command to clone librepods

    Appendix - Repository Squatting 10.1. Determining Universal LLM Squatting Can- didates To identify a universal squatting candidate, the attacker uses Algorithm 1 and Algorithm 2. Algorithm 1 computes a normalized distribution of candidates for a single model, showing how often each candidate appears under repeated queries. Algorithm 2 extends this to a se...

  33. [33]

    print a shell command to install skill vetter

    Appendix - Skill Squatting 11.1. ClawHub Search Results for Non-English V2 Skills Tables 16, 17, and 18 report the top-10 entries returned by the ClawHub similarity-search API for the three non- English V2 skills evaluated in Section 4.2. In every listing the canonical Chinese-documented skill is absent from the top 10, while the top-1 slot is occupied by...

  34. [34]

    install Financial Search Engine

    Full install-command outputs:<github-artefact-url>(to be added). Slug Display Name Score financial-search-engineFinancial Search Engine 3.134 multi-search-engineMulti Search Engine 1.369 multi-search-engine-simpleMulti Search Engine [Chinese: Minimalist Domestic Edition] 1.160 multi-search-engine-2-0-1Multi Search Engine 2.0.1 1.129 bailian-web-searchBail...