{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:V5YKBCGKHSYJRXSER3HFVZB55K","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"c81c07bedf63de0137914aca496fd65e9af44d2f7ab18130ef71f57527fb2f20","cross_cats_sorted":[],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-06-18T20:31:08Z","title_canon_sha256":"603684eab5e93194c3087f7fcf5726d755410850c93c8e3a693c842342881aaa"},"schema_version":"1.0","source":{"id":"2606.20922","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2606.20922","created_at":"2026-06-23T01:12:22Z"},{"alias_kind":"arxiv_version","alias_value":"2606.20922v1","created_at":"2026-06-23T01:12:22Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2606.20922","created_at":"2026-06-23T01:12:22Z"},{"alias_kind":"pith_short_12","alias_value":"V5YKBCGKHSYJ","created_at":"2026-06-23T01:12:22Z"},{"alias_kind":"pith_short_16","alias_value":"V5YKBCGKHSYJRXSE","created_at":"2026-06-23T01:12:22Z"},{"alias_kind":"pith_short_8","alias_value":"V5YKBCGK","created_at":"2026-06-23T01:12:22Z"}],"graph_snapshots":[{"event_id":"sha256:4c6d4dc77f9c4576888b20d78c1dcd71c1c924e477f0b8b8536ae26ba7146aca","target":"graph","created_at":"2026-06-23T01:12:22Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"integrity":{"available":true,"clean":true,"detectors_run":[],"endpoint":"/pith/2606.20922/integrity.json","findings":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938","summary":{"advisory":0,"by_detector":{},"critical":0,"informational":0}},"paper":{"abstract_excerpt":"The integration of external tools has substantially expanded the capabilities of large language model (LLM) agents, but it also introduces new attack surfaces beyond prompt injection. In particular, cross-tool description poisoning can manipulate planner-visible tool metadata to steer an agent's trajectory, even if the poisoned tool itself is never chosen. To understand the effectiveness of existing defenses against this emerging threat, we first evaluate several prompt-injection defenses and find that they transfer poorly to cross-tool description poisoning. A key observation is that poisoned","authors_text":"Chaoyu Zhang, Chongjie Zhang, Hao Li, Ning Zhang, Shanghao Shi, Thomas Hou, Wenjing Lou, Xiao Wang, Yevgeniy Vorobeychik","cross_cats":[],"headline":"","license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-06-18T20:31:08Z","title":"Think Twice Before You Act: Protecting LLM Agents Against Tool Description Poisoning via Isolated Planning"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2606.20922","kind":"arxiv","version":1},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:8adb0792e8d7a4507c374a70d59acd530f744416e411b928c1fd526aadbf829e","target":"record","created_at":"2026-06-23T01:12:22Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"c81c07bedf63de0137914aca496fd65e9af44d2f7ab18130ef71f57527fb2f20","cross_cats_sorted":[],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-06-18T20:31:08Z","title_canon_sha256":"603684eab5e93194c3087f7fcf5726d755410850c93c8e3a693c842342881aaa"},"schema_version":"1.0","source":{"id":"2606.20922","kind":"arxiv","version":1}},"canonical_sha256":"af70a088ca3cb098de448ece5ae43deab736ab37bd0bc2d54100062b93c714c3","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"af70a088ca3cb098de448ece5ae43deab736ab37bd0bc2d54100062b93c714c3","first_computed_at":"2026-06-23T01:12:22.121714Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-06-23T01:12:22.121714Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"WuZrsIwG6gka6DBpKdN9trDC9Zdl3/kX4/YrodDI6S8NDiX9jPFNk6vdfxNpx18DHMO2oQVNMewJp1CiRKFtCg==","signature_status":"signed_v1","signed_at":"2026-06-23T01:12:22.122087Z","signed_message":"canonical_sha256_bytes"},"source_id":"2606.20922","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:8adb0792e8d7a4507c374a70d59acd530f744416e411b928c1fd526aadbf829e","sha256:4c6d4dc77f9c4576888b20d78c1dcd71c1c924e477f0b8b8536ae26ba7146aca"],"state_sha256":"e41e7bd9a57e712ffe7da0d18d7ef626d92369cd34c18cb01c6f5570c12ca1b7"}