{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2026:3YF3EN5NKKNOGHNH7OSRUKOULS","short_pith_number":"pith:3YF3EN5N","schema_version":"1.0","canonical_sha256":"de0bb237ad529ae31da7fba51a29d45caa1944ea56300fbe5bd05421c00d0ca2","source":{"kind":"arxiv","id":"2605.18930","version":1},"attestation_state":"computed","paper":{"title":"OEP: Poisoning Self-Evolving LLM Agents via Locally Correct but Non-Transferable Experiences","license":"http://creativecommons.org/licenses/by/4.0/","headline":"","cross_cats":["cs.AI","cs.LG"],"primary_cat":"cs.CR","authors_text":"Jie Li, Jiong Lou, Kaixiang Wang, Zhaojiacheng Zhou","submitted_at":"2026-05-18T14:08:59Z","abstract_excerpt":"Memory-augmented large language model (LLM) agents use iterative reflection and self-evolution to solve complex tasks, but these mechanisms introduce security risks. Existing agentic memory attacks require privileged access or explicit malicious content, making them detectable by advanced safety filters. This leaves a subtler attack surface underexplored: whether adversaries can induce agent to generate experiences that appear locally correct and semantically plausible yet induce harmful generalization during reflection. We find that reflective agents are vulnerable to such clean experiences, "},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":false,"formal_links_present":false},"canonical_record":{"source":{"id":"2605.18930","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-18T14:08:59Z","cross_cats_sorted":["cs.AI","cs.LG"],"title_canon_sha256":"070b58dcb9187d3ed19bfceb7d563a6fc8443c1d51b05e014c7b4a575827188a","abstract_canon_sha256":"57cc8421fb5a4e9253dcb2ce01c8f95914e0aa45907204234ae4563e9ddb31b0"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-20T00:06:36.674003Z","signature_b64":"+8GTZkeIS9htG/oL7lKWZt97xTFZ/G+u+j8Xq4zw2sRCxTBTvRsZgTqIz3GDno4b5RX4Q3xJI+W5jL+6ZFyTBg==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"de0bb237ad529ae31da7fba51a29d45caa1944ea56300fbe5bd05421c00d0ca2","last_reissued_at":"2026-05-20T00:06:36.672947Z","signature_status":"signed_v1","first_computed_at":"2026-05-20T00:06:36.672947Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"OEP: Poisoning Self-Evolving LLM Agents via Locally Correct but Non-Transferable Experiences","license":"http://creativecommons.org/licenses/by/4.0/","headline":"","cross_cats":["cs.AI","cs.LG"],"primary_cat":"cs.CR","authors_text":"Jie Li, Jiong Lou, Kaixiang Wang, Zhaojiacheng Zhou","submitted_at":"2026-05-18T14:08:59Z","abstract_excerpt":"Memory-augmented large language model (LLM) agents use iterative reflection and self-evolution to solve complex tasks, but these mechanisms introduce security risks. Existing agentic memory attacks require privileged access or explicit malicious content, making them detectable by advanced safety filters. This leaves a subtler attack surface underexplored: whether adversaries can induce agent to generate experiences that appear locally correct and semantically plausible yet induce harmful generalization during reflection. We find that reflective agents are vulnerable to such clean experiences, "},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2605.18930","kind":"arxiv","version":1},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2605.18930/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2605.18930","created_at":"2026-05-20T00:06:36.673101+00:00"},{"alias_kind":"arxiv_version","alias_value":"2605.18930v1","created_at":"2026-05-20T00:06:36.673101+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.18930","created_at":"2026-05-20T00:06:36.673101+00:00"},{"alias_kind":"pith_short_12","alias_value":"3YF3EN5NKKNO","created_at":"2026-05-20T00:06:36.673101+00:00"},{"alias_kind":"pith_short_16","alias_value":"3YF3EN5NKKNOGHNH","created_at":"2026-05-20T00:06:36.673101+00:00"},{"alias_kind":"pith_short_8","alias_value":"3YF3EN5N","created_at":"2026-05-20T00:06:36.673101+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":0,"internal_anchor_count":0,"sample":[]},"formal_canon":{"evidence_count":0,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/3YF3EN5NKKNOGHNH7OSRUKOULS","json":"https://pith.science/pith/3YF3EN5NKKNOGHNH7OSRUKOULS.json","graph_json":"https://pith.science/api/pith-number/3YF3EN5NKKNOGHNH7OSRUKOULS/graph.json","events_json":"https://pith.science/api/pith-number/3YF3EN5NKKNOGHNH7OSRUKOULS/events.json","paper":"https://pith.science/paper/3YF3EN5N"},"agent_actions":{"view_html":"https://pith.science/pith/3YF3EN5NKKNOGHNH7OSRUKOULS","download_json":"https://pith.science/pith/3YF3EN5NKKNOGHNH7OSRUKOULS.json","view_paper":"https://pith.science/paper/3YF3EN5N","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2605.18930&json=true","fetch_graph":"https://pith.science/api/pith-number/3YF3EN5NKKNOGHNH7OSRUKOULS/graph.json","fetch_events":"https://pith.science/api/pith-number/3YF3EN5NKKNOGHNH7OSRUKOULS/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/3YF3EN5NKKNOGHNH7OSRUKOULS/action/timestamp_anchor","attest_storage":"https://pith.science/pith/3YF3EN5NKKNOGHNH7OSRUKOULS/action/storage_attestation","attest_author":"https://pith.science/pith/3YF3EN5NKKNOGHNH7OSRUKOULS/action/author_attestation","sign_citation":"https://pith.science/pith/3YF3EN5NKKNOGHNH7OSRUKOULS/action/citation_signature","submit_replication":"https://pith.science/pith/3YF3EN5NKKNOGHNH7OSRUKOULS/action/replication_record"}},"created_at":"2026-05-20T00:06:36.673101+00:00","updated_at":"2026-05-20T00:06:36.673101+00:00"}