Pith Number

pith:PEFOSZGM

pith:2026:PEFOSZGMUAUJME6CZGAGY4BZNA
not attested · not anchored · not stored · refs resolved

AI Agents May Always Fall for Prompt Injections

Eugene Bagdasarian, Sahar Abdelnabi

An adversary can always construct a context that makes a malicious prompt injection appear as a legitimate information flow to an AI agent.

arxiv:2605.17634 v1 · 2026-05-17 · cs.CR · cs.CL · cs.CY

Add to your LaTeX paper
\usepackage{pith}
\pithnumber{PEFOSZGMUAUJME6CZGAGY4BZNA}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv.

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open
4 Citations open
5 Replications open
Portable graph bundle live · download bundle · merged state
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1 strongest claim

an adversary can always construct a context under which a blocked flow appears legitimate, or a defender who tightens norms will block genuinely legitimate flows

C2 weakest assumption

That the Contextual Integrity norms can be unambiguously defined and applied to AI agent information flows in a way that distinguishes legitimate from illegitimate flows without circular reference to the attacks themselves (abstract, paragraph on recasting via CI lens).

C3 one line summary

Recasting prompt injection as violations of Contextual Integrity norms reveals an impossibility: adversaries can always reframe contexts to legitimize blocked flows or defenders will block legitimate ones.

Formal links

2 machine-checked theorem links

Receipt and verification
First computed 2026-05-20T00:04:49.680053Z
Builder pith-number-builder-2026-05-17-v1
Signature Pith Ed25519 (pith-v1-2026-05) · public key
Schema pith-number/v1.0

Canonical hash

790ae964cca0289613c2c9806c703968147a577a9956eb045545249c7fcecd0e

Aliases

arxiv: 2605.17634 · arxiv_version: 2605.17634v1 · doi: 10.48550/arxiv.2605.17634 · pith_short_12: PEFOSZGMUAUJ · pith_short_16: PEFOSZGMUAUJME6C · pith_short_8: PEFOSZGM
Agent API
Verify this Pith Number yourself
curl -sH 'Accept: application/ld+json' https://pith.science/pith/PEFOSZGMUAUJME6CZGAGY4BZNA \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: 790ae964cca0289613c2c9806c703968147a577a9956eb045545249c7fcecd0e
Canonical record JSON
{
  "metadata": {
    "abstract_canon_sha256": "413d9222131eeb234316a59e9182c7190dd64cd9f619e582dfb31613e1145044",
    "cross_cats_sorted": [
      "cs.CL",
      "cs.CY"
    ],
    "license": "http://arxiv.org/licenses/nonexclusive-distrib/1.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-05-17T19:55:39Z",
    "title_canon_sha256": "41e69e9f6da55d275114f692102a0c685f30e2d2d0245d4e50753c4129fa3e5a"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.17634",
    "kind": "arxiv",
    "version": 1
  }
}