REVIEW 4 major objections 6 minor 68 references
DualView blocks stored and immediate prompt injection on personal AI agents by giving the agent and the human two synchronized views of the same computer environment.
Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →
T0 review · grok-4.5
2026-07-11 23:42 UTC pith:KHDDUWMZ
load-bearing objection Real systems fix for stored IPI that Dual-LLM work left open; dual views are the actual idea, 0% ASR is earned on their suite, and the hand-written trust policy is the residual risk—not a collapse of the claim. the 4 major comments →
DualView: Preventing Indirect Prompt Injection in Personal AI Agents
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Untrusted-data isolation for personal AI agents is incomplete unless it survives the path through the user's shared environment. DualView maintains an AgentView in which symbols persist across file writes, shell use, network returns, and inter-agent messages, and a HumanView that always shows original data; with tool routing and synchronization, it reduces both immediate and stored IPI attack success to zero on a 90-case benchmark while keeping PinchBench utility within a few points of the unprotected baseline, without changing the agent's tool-call logic.
What carries the argument
The dual-view environment: each channel (file system, shell, network, inter-agent) has an AgentView that keeps untrusted data as opaque symbols and a HumanView that preserves original data, with tool routing and Git-based synchronization keeping the two views consistent.
Load-bearing premise
The defense assumes the hand-written data-trust policy correctly labels every tool field that can carry attacker text; a field wrongly marked trusted reopens a path for stored injection.
What would settle it
An attack in which untrusted content is written through a tool field the policy marks trusted, then later read back by the agent and successfully steers a harmful tool call, would falsify the zero attack-success claim.
If this is right
- Stored IPI, left open by Dual-LLM defenses that only track symbols inside the agent context, can be closed by design without filling user files with unreadable symbols.
- Personal agents can keep full file, shell, and network access while still guaranteeing that attacker text never reaches the tool-calling model as plain text.
- A defense that works through tool hooks alone can be deployed on existing agent runtimes without model or tool rewrites.
- Human-facing deliverables remain free of symbols, so non-agent programs and remote endpoints continue to work as before.
- Protection is template-independent because isolation is structural, not classifier-based.
Where Pith is reading between the lines
- The same two-view pattern could apply to cloud-synced workspaces if remote services preserved agent-facing symbols and resolved them only for human-facing reads.
- Hand-written trust schemas for every tool will become a maintenance bottleneck as agents gain custom tools; automatic routing and field classification from tool specs is a natural next step.
- Symbol-level tracking also gives a foundation for confidentiality policies (symbolizing secrets so they cannot leave) rather than only integrity against injection.
- Token overhead from the quarantined LLM may limit cost-sensitive deployments unless cheaper summarizers, caching, or batching are used.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. DualView addresses stored indirect prompt injection (IPI) in personal AI agents that act on the user's real environment. Prior Dual-LLM defenses replace untrusted data with opaque symbols inside the agent context, but resolve those symbols when data is written out, so a later read can reintroduce attacker text as trusted content. DualView maintains two synchronized views of each channel (file system, shell, network, inter-agent): AgentView keeps untrusted data as symbols across write-then-read, while HumanView preserves original data for humans and non-agent programs. Tool calls are routed by need for original data; a hand-written data-trust policy decides what to symbolize; a data-usage policy gates execution of untrusted content as code. Implemented as an OpenClaw plugin via tool hooks only, DualView reports 0% attack success on a 90-case custom IPI suite (immediate and stored) across two Claude models, and PinchBench utility within about 6.4 points of unprotected OpenClaw, with human-facing outputs free of symbols.
Significance. The problem is timely and practically important: local personal agents with file, shell, and network access make stored IPI a first-class threat that context-only Dual-LLM designs do not close. The dual-view design is a clear conceptual contribution that simultaneously targets security, agent utility, and human utility—three goals prior Dual-LLM variants trade off against each other (Table 1). Strengths include a deployable hook-only plugin, explicit comparison to guardrails, sandboxing, and Dual LLM, transcript-level audits that attacker text never reaches T-LLM, and an open-source release commitment. If the isolation invariant holds under a correct trust policy, the work is a substantial step toward usable, environment-aware IPI defenses for personal agents.
major comments (4)
- §3.1, abstract, and §3.8.1: The central claim that protection is 'by design' and 'not limited to known attack templates' rests on the invariant that untrusted data reaches T-LLM only as symbols. That invariant holds only if the data-trust policy correctly labels every remote-derived field. The policy is a hand-written set of schema and origin rules for 21 OpenClaw tools (Appendix B, Table 7), derived by manual inspection and not machine-checked against tool implementations or result schemas. A single misclassified trusted field (e.g., a redirect URL, structured CLI field, or status string that can carry attacker text) reopens a stored-IPI path once written and reread via Agent File System. The 0% ASR result (Table 2) therefore validates isolation for the fields exercised by the custom suite, not a general design guarantee. Please either (i) qualify the 'by design' language to 'under a co
- §4.2: Security evaluation uses a custom 90-case benchmark (3 vectors × 10 tasks × 3 goals) rather than established IPI suites (e.g., InjecAgent, AgentDojo, ASB). The paper notes that existing benchmarks do not support OpenClaw, which is fair, but the manuscript does not release enough detail on payload construction, placement, and success criteria for independent reproduction, nor does it map the 90 cases onto attack templates from prior work. Given that Dual LLM (Utility) already fails stored IPI as expected, the main empirical novelty is the stored-IPI column; that column should be stress-tested with adaptive payloads that target policy edge cases (structured tool fields marked trusted, webhook schemas, HumanShell structured output). Please expand the benchmark description (payloads, success oracles, and any adaptive attempts) and, if feasible, release the suite with the code.
- §3.8.2 and §5: The data-usage policy is described as best-effort and incomplete (command rewriting covers only listed script patterns; full untrusted-data execution would need syscall monitoring). HumanShell deliberately desymbolizes for utility. This is an honest tradeoff, but it sits uneasily next to the strong isolation claim: once the agent chooses to place a symbol into an executable position and the user approves (or a pattern is missed), attacker-controlled content runs with the user's privileges. Table 4 shows almost no review events on PinchBench, which is good for usability but does not stress malicious executable patterns. Please state more clearly in the security goals which properties are deterministic (symbol isolation from T-LLM tool decisions) versus best-effort (execution of desymbolized content), and add at least a small adversarial evaluation of the executable-command
- §4.3 / Table 2: Utility is measured once per defense and model (147 PinchBench tasks) due to API cost. Token overhead is large (48.2% Haiku, 93.4% Sonnet), and Sonnet failures cluster on repeated U-LLM/HumanShell retries (Table 3). A single run leaves variance unreported for utility, while security reports mean±std over three runs. Given that DualView's practicality claim depends on staying close to baseline utility, please either report multi-run utility (even on a stratified subset) or provide confidence intervals / bootstrap over tasks, and discuss whether the Sonnet overhead pattern is inherent to symbol opacity or prompt/tool design that can be improved.
minor comments (6)
- Figure 3 and the numbered path labels (black/green/orange) are dense; a short walkthrough in the caption matching the WebSearch/file examples in Figures 4–5 would help readers.
- §3.5: Git worktree + workspace-scoped locks and conflict log are reasonable, but concurrency with non-agent programs that bypass Git (direct writes) is only sketched. A sentence on failure modes when the human edits a symbolized line mid-sync would help.
- Table 1 footnote symbols (†, ‡, ∗) are useful; ensure the Dual LLM (Security) row is clearly labeled as a hypothetical design point rather than an evaluated system, if that is the intent.
- §4.1: Clarify whether Llama Prompt Guard 2 and LlamaFirewall were applied only to tool results/calls or also to stored file content on re-read; that affects the stored-IPI comparison with DualView.
- Typos / polish: 'Data Usage Check' vs 'data usage policy' naming is slightly inconsistent across figures; arXiv line 'arXiv:2607.03821v1 [cs.CR] 4 Jul 2026' looks like a future date—verify metadata.
- §3.7: Inter-agent trust marking is user-configured; a brief example of mis-marking a public-channel agent as trusted would illustrate residual risk without expanding scope.
Circularity Check
No significant circularity; DualView is an engineering system whose isolation claim and 0% ASR rest on design plus empirical measurement, not on self-referential definitions or fitted quantities renamed as predictions.
full rationale
The paper presents a systems design (AgentView/HumanView routing, Git-worktree synchronization, data-trust and data-usage policies) that extends the Dual-LLM symbol isolation invariant into the user's environment. Security is argued by construction from the prior Dual-LLM invariant (cited to FIDES and f-secure LLM, not solely self-work) plus the new environment-level tracking; the 0% ASR and PinchBench utility numbers are measured against an unprotected OpenClaw baseline and other defenses on a fixed 90-case suite and 147-task benchmark. There is no equation or derivation in which a claimed prediction reduces to a fitted input, no uniqueness theorem imported from the authors' own prior work to force the design, and no renaming of a known empirical pattern as a first-principles result. The self-citation to the authors' earlier PFI paper is ordinary background for the Dual-LLM pattern and is not load-bearing for the novel DualView claims. The hand-written data-trust policy is a correctness assumption (any misclassified field could re-open a path), but that is orthogonal to circularity: the paper does not define the policy in terms of the evaluation outcomes or treat the evaluation as a derivation of the policy. The work is therefore self-contained against its stated benchmarks with no circular reduction.
Axiom & Free-Parameter Ledger
axioms (4)
- domain assumption Untrusted data represented only as opaque symbols cannot influence the privileged LLM's tool-call decisions (Dual-LLM isolation invariant).
- domain assumption The user and the agent runtime/tools are trusted; the adversary controls only remote data delivered through network, email, webhooks, or untrusted agents.
- ad hoc to paper The hand-written data-trust policy (schema + origin rules for 21 OpenClaw tools) correctly labels every field that can carry attacker-controlled text.
- ad hoc to paper Git worktree synchronization plus workspace-scoped locks correctly reconcile concurrent human and agent writes without silently dropping symbols or overwriting human edits.
invented entities (2)
-
AgentView / HumanView dual environment
no independent evidence
-
Agent File System (Git worktree)
no independent evidence
read the original abstract
Personal AI agents that run on the user's local machine, such as OpenClaw, automate daily tasks including web search, email, and file management. Their access to computer resources, including the network, file system, and shell, exposes them to indirect prompt injection (IPI) attacks. Prior Dual LLM defenses block IPI by replacing untrusted data with symbols that the agent can reference but not read. However, they track untrusted data only inside the agent's context, so when the agent saves and later rereads untrusted data, that data, possibly an attacker's prompt, can return as trusted data rather than as a symbol, which we call stored IPI. Operating on the user's real environment, which humans and programs share, is what makes agents like OpenClaw practical, and is exactly why a defense that ignores it is incomplete. Preserving symbols in such an environment is hard, because humans and programs need original data. We present DualView, which extends untrusted data tracking from the agent's context to the user's environment, including the file system, shell, network, and other agents, by giving each channel two views. In AgentView, the agent sees untrusted data as symbols even after writing it out and reading it back, blocking stored IPI, while HumanView preserves original data for humans and tools. DualView routes each tool call to the right view and synchronizes data across the two views. DualView deploys as an OpenClaw plugin using only tool hooks, without changing the agent's tool-call logic or tool implementations. Since DualView isolates untrusted data by design, its protection is not limited to known attack templates. In our evaluation on an IPI benchmark and PinchBench, DualView blocked every IPI attack, including stored IPI, while keeping utility close to the unprotected baseline.
Figures
Reference graph
Works this paper leans on
-
[1]
React: Synergizing reasoning and acting in language models,
S. Yao, J. Zhao, D. Yu, N. Du, I. Shafran, K. Narasimhan, and Y . Cao, “React: Synergizing reasoning and acting in language models,” in International Conference on Learning Representations (ICLR), 2023
2023
-
[2]
Toolformer: Language models can teach themselves to use tools,
T. Schick, J. Dwivedi-Yu, R. Dessì, R. Raileanu, M. Lomeli, E. Ham- bro, L. Zettlemoyer, N. Cancedda, and T. Scialom, “Toolformer: Language models can teach themselves to use tools,” inAnnual Conference on Neural Information Processing Systems (NeurIPS), 2023
2023
-
[3]
Chatgpt plugins,
OpenAI, “Chatgpt plugins,” 2024, https://openai.com/index/chatgpt- plugins/ (accessed 27, August, 2025)
2024
-
[4]
What is microsoft 365 copilot?
Microsoft, “What is microsoft 365 copilot?” 2024, https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft- 365-copilot-overview (accessed 27, August, 2025)
2024
-
[5]
Model context protocol,
Model Context Protocol, “Model context protocol,” 2025, https:// modelcontextprotocol.io/
2025
-
[6]
OpenClaw,
OpenClaw, “OpenClaw,” 2026, https://openclaw.ai/
2026
-
[7]
Not what you’ve signed up for: Compromising real-world llm-integrated applications with indirect prompt injection,
K. Greshake, S. Abdelnabi, S. Mishra, C. Endres, T. Holz, and M. Fritz, “Not what you’ve signed up for: Compromising real-world llm-integrated applications with indirect prompt injection,” inAISec Workshop, 2023
2023
-
[8]
Formalizing and benchmarking prompt injection attacks and defenses,
Y . Liu, Y . Jia, R. Geng, J. Jia, and N. Z. Gong, “Formalizing and benchmarking prompt injection attacks and defenses,” in33rd USENIX Security Symposium. USENIX Association, 2024
2024
-
[9]
InjecAgent: Benchmarking indirect prompt injections in tool-integrated large language model agents,
Q. Zhan, Z. Liang, Z. Ying, and D. Kang, “InjecAgent: Benchmarking indirect prompt injections in tool-integrated large language model agents,” inFindings of the Association for Computational Linguistics: ACL 2024. Bangkok, Thailand: Association for Computational Linguistics, 2024, pp. 10 471–10 506. [Online]. Available: https://aclanthology.org/2024.findi...
2024
-
[10]
The dual llm pattern for building ai assistants that can resist prompt injection,
S. Willison, “The dual llm pattern for building ai assistants that can resist prompt injection,” 2023, https://simonwillison.net/2023/Apr/25/ dual-llm-pattern/
2023
-
[11]
Prompt flow integrity to prevent privilege escalation in llm agents,
J. Kim, W. Choi, and B. Lee, “Prompt flow integrity to prevent privilege escalation in llm agents,”arXiv preprint arXiv:2503.15547, 2025
Pith/arXiv arXiv 2025
-
[12]
Defeating prompt injections by design,
E. Debenedetti, I. Shumailov, T. Fan, J. Hayes, N. Carlini, D. Fabian, C. Kern, C. Shi, A. Terzis, and F. Tramèr, “Defeating prompt injections by design,”arXiv preprint arXiv:2503.18813, 2025
Pith/arXiv arXiv 2025
-
[13]
Securing ai agents with information-flow control,
M. Costa, B. Köpf, A. Kolluri, A. Paverd, M. Russinovich, A. Salem, S. Tople, L. Wutschitz, and S. Zanella-Béguelin, “Securing ai agents with information-flow control,”arXiv preprint arXiv:2505.23643, 2025
Pith/arXiv arXiv 2025
-
[14]
PinchBench,
PinchBench, “PinchBench,” 2026, https://pinchbench.com/
2026
-
[15]
Demystifying RCE vulnerabilities in LLM-integrated apps,
T. Liu, Z. Deng, G. Meng, Y . Li, and K. Chen, “Demystifying RCE vulnerabilities in LLM-integrated apps,” inProceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2024
2024
-
[16]
Agent security bench (ASB): Formalizing and benchmarking attacks and defenses in LLM-based agents,
H. Zhang, J. Huang, K. Mei, Y . Yao, Z. Wang, C. Zhan, H. Wang, and Y . Zhang, “Agent security bench (ASB): Formalizing and benchmarking attacks and defenses in LLM-based agents,” in13th International Conference on Learning Representations, ICLR 2025. Singapore: International Conference on Learning Representations, 2025. [Online]. Available: https://proce...
2025
-
[17]
AGENTVIGIL: Automatic black- box red-teaming for indirect prompt injection against LLM agents,
Z. Wang, V . Siu, Z. Ye, T. Shi, Y . Nie, X. Zhao, C. Wang, W. Guo, and D. Song, “AGENTVIGIL: Automatic black- box red-teaming for indirect prompt injection against LLM agents,” inFindings of the Association for Computational Linguistics: EMNLP 2025. Suzhou, China: Association for Computational Linguistics, 2025, pp. 23 159–23 172. [Online]. Available: ht...
2025
-
[18]
Benchmarking and defending against indirect prompt injection attacks on large language models,
J. Yi, Y . Xie, B. Zhu, K. Hines, E. Kiciman, G. Sun, X. Xie, and F. Wu, “Benchmarking and defending against indirect prompt injection attacks on large language models,” inProceedings of the 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining. ACM, 2025. [Online]. Available: https://arxiv.org/abs/2312.14197
Pith/arXiv arXiv 2025
-
[19]
AgentDojo: A dynamic environment to evaluate prompt injection attacks and defenses for LLM agents,
E. Debenedetti, J. Zhang, M. Balunovic, L. Beurer-Kellner, M. Fischer, and F. Tramèr, “AgentDojo: A dynamic environment to evaluate prompt injection attacks and defenses for LLM agents,” inAnnual 14 Conference on Neural Information Processing Systems (NeurIPS) Datasets and Benchmarks Track, 2024
2024
-
[20]
Overcoming the retrieval barrier: Indirect prompt injection in the wild for LLM systems,
H. Chang, E. Bao, X. Luo, and T. Yu, “Overcoming the retrieval barrier: Indirect prompt injection in the wild for LLM systems,” in35th USENIX Security Symposium. USENIX Association, 2026. [Online]. Available: https://www.usenix.org/ conference/usenixsecurity26/presentation/chang
2026
-
[21]
ObliInjection: Order-oblivious prompt injection attack to LLM agents with multi-source data,
R. Wang, Y . Jia, and N. Z. Gong, “ObliInjection: Order-oblivious prompt injection attack to LLM agents with multi-source data,” in Network and Distributed System Security Symposium 2026. San Diego, CA, USA: Internet Society, 2026. [Online]. Available: https: //www.ndss-symposium.org/ndss-paper/obliinjection-order-oblivious- prompt-injection-attack-to-llm...
2026
-
[22]
Les dissonances: Cross-tool harvesting and polluting in pool-of-tools empowered LLM agents,
Z. Li, J. Cui, X. Liao, and L. Xing, “Les dissonances: Cross-tool harvesting and polluting in pool-of-tools empowered LLM agents,” in Network and Distributed System Security Symposium 2026. San Diego, CA, USA: Internet Society, 2026. [Online]. Available: https: //www.ndss-symposium.org/ndss-paper/les-dissonances-cross-tool- harvesting-and-polluting-in-poo...
2026
-
[23]
Prompt injection attack to tool selection in LLM agents,
J. Shi, Z. Yuan, G. Tie, P. Zhou, N. Z. Gong, and L. Sun, “Prompt injection attack to tool selection in LLM agents,” inNetwork and Distributed System Security Symposium 2026. San Diego, CA, USA: Internet Society,
2026
-
[24]
Available: https://www.ndss-symposium.org/ndss- paper/prompt-injection-attack-to-tool-selection-in-llm-agents/
[Online]. Available: https://www.ndss-symposium.org/ndss- paper/prompt-injection-attack-to-tool-selection-in-llm-agents/
-
[25]
SpAIware: Uncovering a novel artificial intelligence attack vector through persistent memory in LLM applications and agents,
M. Herrador and J. Rehberger, “SpAIware: Uncovering a novel artificial intelligence attack vector through persistent memory in LLM applications and agents,”Future Generation Computer Systems, vol. 174, p. 107994, 2026. [Online]. Available: https: //www.sciencedirect.com/science/article/pii/S0167739X25002894
2026
-
[26]
Memory injection attacks on LLM agents via query-only interaction,
S. Dong, S. Xu, P. He, Y . Li, J. Tang, T. Liu, H. Liu, and Z. Xiang, “Memory injection attacks on LLM agents via query-only interaction,” inICLR 2026 Workshop on Memory for LLM-Based Agentic Systems (MemAgents), 2026. [Online]. Available: https://openreview.net/forum?id=i7J62t2wtV
2026
-
[28]
Available: https://arxiv.org/abs/2410.07283
[Online]. Available: https://arxiv.org/abs/2410.07283
-
[29]
AirGapAgent: Protecting privacy-conscious conversational agents,
E. Bagdasarian, R. Yi, S. Ghalebikesabi, P. Kairouz, M. Gruteser, S. Oh, B. Balle, and D. Ramage, “AirGapAgent: Protecting privacy-conscious conversational agents,” inProceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2024. [Online]. Available: https://dl.acm.org/doi/10.1145/3658644.3690350
-
[30]
F. Wu, E. Cecchetti, and C. Xiao, “System-level defense against indi- rect prompt injection attacks: An information flow control perspective,” arXiv preprint arXiv:2409.19091, 2024
Pith/arXiv arXiv 2024
-
[31]
ACE: A security architecture for LLM-integrated app systems,
E. Li, T. Mallick, E. Rose, W. Robertson, A. Oprea, and C. Nita-Rotaru, “ACE: A security architecture for LLM-integrated app systems,” inNetwork and Distributed System Security Symposium 2026. San Diego, CA, USA: Internet Society, 2026. [Online]. Available: https://www.ndss-symposium.org/ndss-paper/ace- a-security-architecture-for-llm-integrated-app-systems/
2026
-
[32]
Ignore previous prompt: Attack techniques for language models,
F. Perez and I. Ribeiro, “Ignore previous prompt: Attack techniques for language models,”arXiv preprint arXiv:2211.09527, 2022. [Online]. Available: https://arxiv.org/abs/2211.09527
Pith/arXiv arXiv 2022
-
[33]
Jailbroken: How does LLM safety training fail?
A. Wei, N. Haghtalab, and J. Steinhardt, “Jailbroken: How does LLM safety training fail?”arXiv preprint arXiv:2307.02483, 2023. [Online]. Available: https://arxiv.org/abs/2307.02483
Pith/arXiv arXiv 2023
-
[34]
Universal and transferable adversarial attacks on aligned language models,
A. Zou, Z. Wang, N. Carlini, M. Nasr, J. Z. Kolter, and M. Fredrikson, “Universal and transferable adversarial attacks on aligned language models,”arXiv preprint arXiv:2307.15043, 2023. [Online]. Available: https://arxiv.org/abs/2307.15043
Pith/arXiv arXiv 2023
-
[35]
The instruction hierarchy: Training LLMs to prioritize privileged instructions,
E. Wallace, K. Xiao, R. Leike, L. Weng, J. Heidecke, and A. Beutel, “The instruction hierarchy: Training LLMs to prioritize privileged instructions,”arXiv preprint arXiv:2404.13208, 2024
Pith/arXiv arXiv 2024
-
[36]
StruQ: Defending against prompt injection with structured queries,
S. Chen, J. Piet, C. Sitawarin, and D. Wagner, “StruQ: Defending against prompt injection with structured queries,” in34th USENIX Security Symposium. USENIX Association, 2025. [Online]. Available: https://arxiv.org/abs/2402.06363
Pith/arXiv arXiv 2025
-
[37]
SecAlign: Defending against prompt injection with preference optimization,
S. Chen, A. Zharmagambetov, S. Mahloujifar, K. Chaudhuri, D. Wagner, and C. Guo, “SecAlign: Defending against prompt injection with preference optimization,” inProceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2025. [Online]. Available: https://dl.acm.org/doi/10. 1145/3719027.3744836
arXiv 2025
-
[38]
Llama Prompt Guard 2,
Meta AI, “Llama Prompt Guard 2,” 2025, https://huggingface.co/meta- llama/Llama-Prompt-Guard-2-86M
2025
-
[39]
LlamaFirewall: An open source guardrail system for building secure AI agents,
S. Chennabasappa, C. Nikolaidis, D. Song, D. Molnar, S. Ding, S. Wan, S. Whitman, L. Deason, N. Doucette, A. Montilla, A. Gampa, B. de Paola, D. Gabi, J. Crnkovich, J.-C. Testud, K. He, R. Chaturvedi, W. Zhou, and J. Saxe, “LlamaFirewall: An open source guardrail system for building secure AI agents,”arXiv preprint arXiv:2505.03574, 2025, https://github.c...
Pith/arXiv arXiv 2025
-
[40]
DataSentinel: A game-theoretic detection of prompt injection attacks,
Y . Liu, Y . Jia, J. Jia, D. Song, and N. Z. Gong, “DataSentinel: A game-theoretic detection of prompt injection attacks,” inIEEE Symposium on Security and Privacy. IEEE, 2025. [Online]. Available: https://arxiv.org/abs/2504.11358
arXiv 2025
-
[41]
Defending against indirect prompt injection attacks with spotlighting,
K. Hines, G. Lopez, M. Hall, F. Zarfati, Y . Zunger, and E. Kiciman, “Defending against indirect prompt injection attacks with spotlighting,” arXiv preprint arXiv:2403.14720, 2024
Pith/arXiv arXiv 2024
-
[42]
Attention is all you need to defend against indirect prompt injection attacks in LLMs,
Y . Zhong, Q. Miao, Y . Chen, J. Deng, Y . Cheng, and W. Xu, “Attention is all you need to defend against indirect prompt injection attacks in LLMs,” inNetwork and Distributed System Security Symposium 2026. San Diego, CA, USA: Internet Society, 2026. [Online]. Available: https://www.ndss-symposium.org/ndss-paper/attention-is-all-you- need-to-defend-again...
2026
-
[43]
MELON: Provable defense against indirect prompt injection attacks in AI agents,
K. Zhu, X. Yang, J. Wang, W. Guo, and W. Y . Wang, “MELON: Provable defense against indirect prompt injection attacks in AI agents,” inProceedings of the 42nd International Conference on Machine Learning. PMLR, 2025. [Online]. Available: https://arxiv.org/abs/2502.05174
Pith/arXiv arXiv 2025
-
[44]
The task shield: Enforcing task alignment to defend against indirect prompt injection in LLM agents,
F. Jia, T. Wu, X. Qin, and A. Squicciarini, “The task shield: Enforcing task alignment to defend against indirect prompt injection in LLM agents,” inProceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers). Association for Computational Linguistics, 2025. [Online]. Available: https://aclanthology.org/...
2025
-
[45]
DRIFT: Dynamic rule-based defense with injection isolation for securing LLM agents,
H. Li, X. Liu, H.-C. Chiu, D. Li, N. Zhang, and C. Xiao, “DRIFT: Dynamic rule-based defense with injection isolation for securing LLM agents,” inAnnual Conference on Neural Information Processing Systems (NeurIPS), 2025. [Online]. Available: https://arxiv.org/abs/2506.12104
arXiv 2025
-
[46]
ShieldAgent: Shielding agents via verifiable safety policy reasoning,
Z. Chen, M. Kang, and B. Li, “ShieldAgent: Shielding agents via verifiable safety policy reasoning,” inProceedings of the 42nd International Conference on Machine Learning. PMLR, 2025. [Online]. Available: https://arxiv.org/abs/2503.22738
arXiv 2025
-
[47]
GuardAgent: Safeguard LLM agents by a guard agent via knowledge- enabled reasoning,
Z. Xiang, L. Zheng, Y . Li, J. Hong, Q. Li, H. Xie, J. Zhang, Z. Xiong, C. Xie, C. Yang, D. Song, and B. Li, “GuardAgent: Safeguard LLM agents by a guard agent via knowledge- enabled reasoning,” inProceedings of the 42nd International Conference on Machine Learning. PMLR, 2025. [Online]. Available: https://arxiv.org/abs/2406.09187
Pith/arXiv arXiv 2025
-
[48]
AgentSpec: Customizable runtime enforcement for safe and reliable LLM agents,
H. Wang, C. M. Poskitt, and J. Sun, “AgentSpec: Customizable runtime enforcement for safe and reliable LLM agents,” in Proceedings of the 48th IEEE/ACM International Conference on Software Engineering. ACM, 2026. [Online]. Available: https://arxiv.org/abs/2503.18666
Pith/arXiv arXiv 2026
-
[49]
RTBAS: Defending LLM agents against prompt injection and privacy leakage,
P. Y . Zhong, S. Chen, R. Wang, M. McCall, B. L. Titzer, H. Miller, and P. B. Gibbons, “RTBAS: Defending LLM agents against prompt injection and privacy leakage,”arXiv preprint arXiv:2502.08966, 2025
Pith/arXiv arXiv 2025
-
[50]
Permissive information-flow analysis for large language models,
S. A. Siddiqui, R. Gaonkar, B. Köpf, D. Krueger, A. Paverd, A. Salem, S. Tople, L. Wutschitz, M. Xia, and S. Zanella-Béguelin, “Permissive information-flow analysis for large language models,”arXiv preprint arXiv:2410.03055, 2024
arXiv 2024
-
[51]
Optimization-based prompt injection attack to LLM-as-a-judge,
J. Shi, Z. Yuan, Y . Liu, Y . Huang, P. Zhou, L. Sun, and N. Z. Gong, “Optimization-based prompt injection attack to LLM-as-a-judge,” in Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2024
2024
-
[52]
OpenShell: A safe, private runtime for autonomous AI agents,
NVIDIA, “OpenShell: A safe, private runtime for autonomous AI agents,” 2026, https://github.com/NVIDIA/OpenShell
2026
-
[53]
Webhooks,
OpenClaw, “Webhooks,” 2026, https://docs.openclaw.ai/cli/webhooks. 15
2026
-
[54]
Configuration,
——, “Configuration,” 2026, https://docs.openclaw.ai/gateway/ configuration (accessed 29, May, 2026)
2026
-
[55]
Git Project,git-worktree Documentation, 2026, https://git-scm.com/ docs/git-worktree (accessed 28, May, 2026)
2026
-
[56]
gws: Google Workspace CLI,
Google Workspace, “gws: Google Workspace CLI,” 2026, https:// github.com/googleworkspace/cli (accessed 5, June, 2026)
2026
-
[57]
GitHub CLI,
GitHub, “GitHub CLI,” 2026, https://cli.github.com/ (accessed 5, June, 2026)
2026
-
[58]
Imprompter: Tricking LLM agents into improper tool use,
X. Fu, S. Li, Z. Wang, Y . Liu, R. K. Gupta, T. Berg-Kirkpatrick, and E. Fernandes, “Imprompter: Tricking LLM agents into improper tool use,”arXiv preprint arXiv:2410.14923, 2024. [Online]. Available: https://arxiv.org/abs/2410.14923
Pith/arXiv arXiv 2024
-
[59]
Great, now write an article about that: The crescendo multi-turn LLM jailbreak attack,
M. Russinovich, A. Salem, and R. Eldan, “Great, now write an article about that: The crescendo multi-turn LLM jailbreak attack,” in34th USENIX Security Symposium. USENIX Association, 2025
2025
-
[60]
PoisonedRAG: Knowledge corruption attacks to retrieval-augmented generation of large language models,
W. Zou, R. Geng, B. Wang, and J. Jia, “PoisonedRAG: Knowledge corruption attacks to retrieval-augmented generation of large language models,” in34th USENIX Security Symposium. USENIX Association, 2025
2025
-
[61]
An execution isolation architecture for LLM-based agentic systems,
Y . Wu, F. Roesner, T. Kohno, N. Zhang, and U. Iqbal, “An execution isolation architecture for LLM-based agentic systems,” inNetwork and Distributed System Security Symposium 2025. San Diego, CA, USA: Internet Society, 2025. [Online]. Available: https://arxiv.org/abs/2403.04960
Pith/arXiv arXiv 2025
-
[62]
Optimizing agent planning for security and autonomy,
A. Kolluri, R. Sharma, M. Costa, B. Köpf, T. Nießen, M. Russinovich, S. Tople, and S. Zanella-Béguelin, “Optimizing agent planning for security and autonomy,” inInternational Conference on Learning Representations (ICLR), 2026
2026
-
[63]
Progent: Programmable privilege control for LLM agents,
T. Shi, J. He, Z. Wang, H. Li, L. Wu, W. Guo, and D. Song, “Progent: Programmable privilege control for LLM agents,”arXiv preprint arXiv:2504.11703, 2025
Pith/arXiv arXiv 2025
-
[64]
Conseca: Contextual agent security: A policy for every purpose,
L. Tsai and E. Bagdasarian, “Conseca: Contextual agent security: A policy for every purpose,” inProceedings of the 20th Workshop on Hot Topics in Operating Systems. ACM, 2025. [Online]. Available: https://arxiv.org/abs/2501.17070
Pith/arXiv arXiv 2025
-
[65]
SAGA: A security architecture for governing AI agentic systems,
G. Syros, A. Suri, J. Ginesin, C. Nita-Rotaru, and A. Oprea, “SAGA: A security architecture for governing AI agentic systems,” inNetwork and Distributed System Security Symposium 2026. San Diego, CA, USA: Internet Society, 2026
2026
-
[66]
Claude Code hooks reference,
Anthropic, “Claude Code hooks reference,” 2026, https://code.claude. com/docs/en/hooks#hooks-reference (accessed 11, June, 2026)
2026
-
[67]
Hermes Agent: Hooks,
Nous Research, “Hermes Agent: Hooks,” 2026, https://hermes-agent. nousresearch.com/docs/user-guide/features/hooks (accessed 11, June, 2026)
2026
-
[68]
Make agent defeat agent: Automatic detection of Taint-Style vulnerabilities in LLM-based agents,
F. Liu, Y . Zhang, J. Luo, J. Dai, T. Chen, L. Yuan, Z. Yu, Y . Shi, K. Li, C. Zhouet al., “Make agent defeat agent: Automatic detection of Taint-Style vulnerabilities in LLM-based agents,” in34th USENIX Security Symposium. USENIX Association, 2025, pp. 3767–3786. Appendix A. Implementation DUALVIEW is implemented as an OpenClaw plugin, based on OpenClaw ...
2025
-
[69]
Quarterly report
https://github.com/compsec-snu/dualview /home/user/apple/banana/workspace ordinary workspace filesHumanView files .git/ordinary Git, optional ~/.dualview/workspaces/DUALVIEWfile-system management %2Fhome%2Fuser%2Fapple%2Fbanana/encoded workspace path repo.git/DUALVIEWGit agentview/Agent File Systemfor the workspace conflicts.logsync conflict log Figure 8:...
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.