pith. sign in

arxiv: 2605.17986 · v2 · pith:4UTPDLTYnew · submitted 2026-05-18 · 💻 cs.CR · cs.AI

LivePI: More Realistic Benchmarking of Agents Against Indirect Prompt Injection

Lei Zhao , Abhay Bhaskar , Edgar Dobriban This is my paper

Pith reviewed 2026-05-20 09:58 UTC · model grok-4.3

classification 💻 cs.CR cs.AI
keywords indirect prompt injectionAI agentsbenchmarkLLM securitytool usevirtual machineattack success ratedefense evaluation
0
0 comments X

The pith

A new benchmark shows AI agents succeed in indirect prompt injection attacks from emails, chats and files at rates of 10.7% to 29.6%.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces LivePI, a benchmark that tests indirect prompt injection risks for AI agents with external tool access inside a virtual machine that provides live but controlled interfaces to email, chat, web, files, repositories and wallets. It structures evaluations around seven input surfaces, twelve attack families and five malicious goals such as data exfiltration and unauthorized transfers. Results across five major models show attack success rates between 10.7% and 29.6%, with group-chat attacks succeeding uniformly and a two-layer defense blocking all tested malicious outcomes for one model while preserving normal performance. A sympathetic reader would care because agents are already being placed into workflows that routinely process untrusted external data, creating a direct path for harmful instructions to be executed.

Core claim

We introduce LivePI (Live Prompt Injection), a structured benchmark for IPI risk in a production-like but test-controlled environment. LivePI covers seven input surfaces, twelve attack/rendering families, and five malicious goals, including protected-information exfiltration, unauthorized security-control changes, unsafe code retrieval or execution, inbox-summary exfiltration, and cryptocurrency transfer. We run LivePI on a real virtual machine with live but test-controlled email, chat, web, local-file, repository, and wallet interfaces. Across GPT-5.3-Codex, Claude Opus 4.6, Gemini 3.1 Pro, Kimi K2.5, and GLM-5, total attack success rates range from 10.7% to 29.6%. Group-chat injection is<f

What carries the argument

LivePI benchmark, a structured test suite run on a live virtual machine with controlled interfaces for email, chat, web, files, repositories and wallets that measures attack success across multiple input surfaces and malicious goals.

If this is right

  • Group-chat messages produce uniform attack success across all evaluated models.
  • Repository-link attacks can trigger high-severity failures even with limited test volume.
  • A two-layer defense of prompt filtering plus pre-execution authorization blocks every tested malicious completion for GPT-5.3-Codex.
  • Benign utility on related workloads remains intact under the same defense.
  • Attack success varies by model backbone but remains material for each one tested.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Agent builders may need to treat group communication channels as a high-priority attack surface when adding tool access.
  • The defense approach could be tested on additional models to check whether the complete interception result generalizes.
  • Similar controlled-live environments might be applied to measure other agent risks such as tool misuse or data exfiltration through different channels.

Load-bearing premise

The test-controlled virtual machine with live interfaces for email, chat, web, files, repositories and wallets accurately reflects production-like indirect prompt injection risks without introducing test-specific artifacts that alter attack success rates.

What would settle it

Running the same set of attacks on a production AI agent deployment that uses real external connections instead of the test virtual machine and obtaining substantially different success rates would falsify the claim that LivePI provides a realistic measure of risk.

Figures

Figures reproduced from arXiv: 2605.17986 by Abhay Bhaskar, Edgar Dobriban, Lei Zhao.

Figure 1
Figure 1. Figure 1: Overview of the indirect prompt-injection setting and defense workflow studied in this paper. A [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
read the original abstract

AI agents such as OpenClaw are increasingly deployed in local workflows with access to external tools. This creates indirect prompt-injection (IPI) risk: an agent may execute harmful instructions embedded in untrusted inputs such as email, downloaded files, webpages, repositories, or group-chat messages. Existing evaluations are often small, purely simulated, or focused on a narrow set of channels. We introduce LivePI (Live Prompt Injection), a structured benchmark for IPI risk in a production-like but test-controlled environment. LivePI covers seven input surfaces, twelve attack/rendering families, and five malicious goals, including protected-information exfiltration, unauthorized security-control changes, unsafe code retrieval or execution, inbox-summary exfiltration, and cryptocurrency transfer. We run LivePI on a real virtual machine with live but test-controlled email, chat, web, local-file, repository, and wallet interfaces. Across GPT-5.3-Codex, Claude Opus 4.6, Gemini 3.1 Pro, Kimi K2.5, and GLM-5, total attack success rates range from 10.7% to 29.6%. Group-chat injection is uniformly successful across the evaluated backbones in our deployment, and repository-link attacks produce high-severity failures despite a small denominator. We also evaluate a two-layer defense consisting of prompt-level filtering and pre-execution tool-call authorization. In the GPT-5.3-Codex setting, the defense intercepts all tested malicious-goal completions in LivePI before execution while preserving benign utility on PinchBench-derived workloads.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper introduces LivePI, a structured benchmark for indirect prompt injection (IPI) risks in AI agents. It evaluates agents in a live but test-controlled virtual machine environment with interfaces for email, chat, web, local files, repositories, and wallets. The benchmark spans seven input surfaces, twelve attack/rendering families, and five malicious goals (exfiltration, security changes, unsafe code, inbox summary, crypto transfer). Across five models (GPT-5.3-Codex, Claude Opus 4.6, Gemini 3.1 Pro, Kimi K2.5, GLM-5), total attack success rates range from 10.7% to 29.6%, with uniform success on group-chat injection and high-severity outcomes on repository links. A two-layer defense (prompt filtering plus pre-execution authorization) is shown to block all tested malicious completions for GPT-5.3-Codex while preserving utility on benign workloads.

Significance. If the controlled environment produces representative results, the work supplies concrete, multi-model empirical data on IPI success rates across diverse channels, advancing beyond small-scale or purely simulated prior evaluations. The direct measurement of attack success rates and the defense evaluation are strengths; the uniform group-chat finding and repository-link severity are falsifiable observations that could guide future agent design.

major comments (2)
  1. [LivePI Environment and Evaluation Setup] The central claim that LivePI delivers 'more realistic' IPI benchmarking (abstract) depends on the test-controlled VM interfaces producing attack success rates that generalize to production. The setup necessarily constrains email headers, repo responses, and tool behaviors for safety and reproducibility; if these alter model parsing or action on injected content, the 10.7–29.6% rates and group-chat uniformity become test-specific. No section validates that agent behavior on the controlled interfaces matches equivalent real services.
  2. [Defense Evaluation] The defense evaluation reports that the two-layer system 'intercepts all tested malicious-goal completions' for GPT-5.3-Codex. It is unclear whether this holds uniformly across the twelve attack families or only a subset of the five goals, and whether the pre-execution authorization mechanism itself could be bypassed by the same injection vectors.
minor comments (2)
  1. [Abstract and Evaluation] Model names such as GPT-5.3-Codex, Claude Opus 4.6, Gemini 3.1 Pro, Kimi K2.5, and GLM-5 should be clarified (exact versions, access dates, or whether they are stand-ins) to aid reproducibility.
  2. [Results] A table breaking down attack success rates by model and input surface (rather than only aggregate totals) would improve readability and allow readers to assess per-channel variation.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for the constructive feedback on LivePI. We address each major comment below and have revised the manuscript to improve clarity and acknowledge limitations where appropriate.

read point-by-point responses

  1. Referee: [LivePI Environment and Evaluation Setup] The central claim that LivePI delivers 'more realistic' IPI benchmarking (abstract) depends on the test-controlled VM interfaces producing attack success rates that generalize to production. The setup necessarily constrains email headers, repo responses, and tool behaviors for safety and reproducibility; if these alter model parsing or action on injected content, the 10.7–29.6% rates and group-chat uniformity become test-specific. No section validates that agent behavior on the controlled interfaces matches equivalent real services.

    Authors: We agree that the controlled nature of the VM interfaces introduces constraints that could affect generalization, and we acknowledge this as a limitation of the current evaluation. The interfaces were deliberately constrained to ensure safety, reproducibility, and ethical compliance while preserving core behaviors such as email parsing, repository fetching, and tool invocation. We have added a new subsection under Limitations that explicitly discusses potential differences (e.g., header handling and response formatting) and their possible impact on model decisions. We also cite related work on controlled agent environments to contextualize our design choices. While we cannot perform side-by-side validation on live production services without violating safety and access policies, the uniform group-chat success and repository-link severity observations remain falsifiable and useful for guiding agent design. revision: yes

  2. Referee: [Defense Evaluation] The defense evaluation reports that the two-layer system 'intercepts all tested malicious-goal completions' for GPT-5.3-Codex. It is unclear whether this holds uniformly across the twelve attack families or only a subset of the five goals, and whether the pre-execution authorization mechanism itself could be bypassed by the same injection vectors.

    Authors: We thank the referee for highlighting this ambiguity in the original text. The two-layer defense (prompt filtering plus pre-execution authorization) was evaluated on all twelve attack/rendering families and all five malicious goals for GPT-5.3-Codex. We have revised the Defense Evaluation section to state this explicitly and added a summary table confirming uniform interception across the tested families. The pre-execution authorization layer operates on the final tool-call payload after prompt processing and is intended to be independent of the injection surface; no bypasses were observed in our experiments. We have also added a short discussion noting that more sophisticated future attacks could target the authorization policy itself and flag this as an area for subsequent adversarial evaluation. revision: yes

standing simulated objections not resolved
  • Direct empirical validation of agent behavior equivalence between the controlled VM interfaces and unmodified production services across all seven input surfaces, as such validation would require unsafe deployment on live external systems.

Circularity Check

0 steps flagged

No circularity: purely empirical benchmark with direct measurements

full rationale

The paper introduces LivePI as a structured benchmark and reports direct experimental attack success rates (10.7%–29.6%) obtained by running evaluated agents on a live but test-controlled VM with specified interfaces. No derivations, equations, fitted parameters, or predictions appear in the provided text. All central claims rest on explicit measurements across models, attack families, and goals rather than any self-referential reduction or self-citation chain. The work is therefore self-contained against external benchmarks with no load-bearing steps that collapse to inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Empirical benchmarking paper with no mathematical axioms, free parameters, or invented entities; relies on standard assumptions about test environment fidelity and model behavior.

pith-pipeline@v0.9.0 · 5812 in / 1103 out tokens · 32167 ms · 2026-05-20T09:58:44.029843+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.