Pith Number

pith:DLHZDBPJ

pith:2026:DLHZDBPJQMVNAVEFDQDPXBHAG3
not attested · not anchored · not stored · refs resolved

ASPI: Seeking Ambiguity Clarification Amplifies Prompt Injection Vulnerability in LLM Agents

Dileepa Lakshan, Heming Liu, Joseph Brandifino, Max Fenkell, Udari Madhushani Sehwag, Zhengyang Shan

Seeking clarification on ambiguous tasks makes LLM agents far more vulnerable to prompt injection attacks.

arxiv:2605.17324 v1 · 2026-05-17 · cs.CR · cs.AI

Add to your LaTeX paper
\usepackage{pith}
\pithnumber{DLHZDBPJQMVNAVEFDQDPXBHAG3}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv.

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open
4 Citations open
5 Replications open
Portable graph bundle live
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1 strongest claim

Clarification-seeking consistently and substantially amplifies vulnerability. For instance, attack success rises from 1.8% to 34.0% for o3 and from 2.2% to 35.7% for Gemini-3-Flash.

C2 weakest assumption

The benchmark successfully isolates the clarification-seeking state transition as the sole variable, without introducing differences in prompt formatting, tool-return handling, or user-input channel that could independently affect attack success.

C3 one line summary

Clarification-seeking in LLM agents amplifies prompt injection attack success from ~2% to over 30% across ten frontier models in a new 728-scenario benchmark.

References

116 extracted · 84 resolved · 10 Pith anchors

Receipt and verification
First computed 2026-05-20T00:03:52.192100Z
Builder pith-number-builder-2026-05-17-v1
Signature Pith Ed25519 (pith-v1-2026-05) · public key
Schema pith-number/v1.0

Canonical hash

1acf9185e9832ad054851c06fb84e036edff33e457dc26c24473000af63a61ba

Aliases

arxiv: 2605.17324 · arxiv_version: 2605.17324v1 · doi: 10.48550/arxiv.2605.17324 · pith_short_12: DLHZDBPJQMVN · pith_short_16: DLHZDBPJQMVNAVEF · pith_short_8: DLHZDBPJ
Agent API
Verify this Pith Number yourself
curl -sH 'Accept: application/ld+json' https://pith.science/pith/DLHZDBPJQMVNAVEFDQDPXBHAG3 \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: 1acf9185e9832ad054851c06fb84e036edff33e457dc26c24473000af63a61ba
Canonical record JSON
{
  "metadata": {
    "abstract_canon_sha256": "7fbf08acc6acaee9c18460ef610fa46212c3e93c5b403527c5abde91d14c46ae",
    "cross_cats_sorted": [
      "cs.AI"
    ],
    "license": "http://creativecommons.org/licenses/by/4.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-05-17T08:30:45Z",
    "title_canon_sha256": "e822e5c5f6bb07bb02da592b4e16bbf98372499a80adccaa7dac0640585a776a"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.17324",
    "kind": "arxiv",
    "version": 1
  }
}