Pith Number

pith:GRUVDJFP

pith:2026:GRUVDJFPCW4M65JADI7LGH6BML
not attested · not anchored · not stored · refs resolved

Securing LLM Agents Need Intent-to-Execution Integrity

Dawn Song, Jiaheng Zhang, Ming Xu, Peiran Wang, Shengfang Zhai, Wenjie Qu

Securing LLM agents requires intent-to-execution integrity so executions faithfully match user intent even with untrusted tools.

arxiv:2605.16976 v1 · 2026-05-16 · cs.CR

Add to your LaTeX paper
\usepackage{pith}
\pithnumber{GRUVDJFPCW4M65JADI7LGH6BML}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv.

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open
4 Citations open
5 Replications open
Portable graph bundle live
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1 · strongest claim

Analyzing existing agentic defenses against these properties reveals that current systems provide only partial and non-compositional coverage, leaving fundamental gaps in securing modern LLM agents.

C2 · weakest assumption

The structural analogy between LLM agents and compilers holds sufficiently to derive the four integrity properties as both necessary and jointly sufficient for end-to-end correctness.

C3 · one-line summary

The paper defines intent-to-execution integrity as the conjunction of Tool Integrity, Instruction Integrity, Judgment Integrity, and Data Flow Integrity, arguing that existing LLM agent defenses provide only partial coverage of these properties.

Formal links

2 machine-checked theorem links

Receipt and verification
First computed 2026-05-20T00:03:34.045936Z
Builder pith-number-builder-2026-05-17-v1
Signature Pith Ed25519 (pith-v1-2026-05) · public key
Schema pith-number/v1.0

Canonical hash

346951a4af15b8cf75201a3eb31fc162ceb66188cf03825f4c385b1d8136bb5d

Aliases

arxiv: 2605.16976 · arxiv_version: 2605.16976v1 · doi: 10.48550/arxiv.2605.16976 · pith_short_12: GRUVDJFPCW4M · pith_short_16: GRUVDJFPCW4M65JA · pith_short_8: GRUVDJFP

Agent API

Verify this Pith Number yourself

curl -sH 'Accept: application/ld+json' https://pith.science/pith/GRUVDJFPCW4M65JADI7LGH6BML \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: 346951a4af15b8cf75201a3eb31fc162ceb66188cf03825f4c385b1d8136bb5d

Canonical record JSON

{
  "metadata": {
    "abstract_canon_sha256": "1200fcaf038b56e74891a13b38c787d19503109a224a0dd53a59d9eb5d43b40b",
    "cross_cats_sorted": [],
    "license": "http://creativecommons.org/licenses/by/4.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-05-16T12:53:31Z",
    "title_canon_sha256": "c6b60f77dab9a51a3429a3bd3b4ddc94cd7217ba5de6e0a772c4734e76a229df"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.16976",
    "kind": "arxiv",
    "version": 1
  }
}