Pith Number

pith:XFUQC4S5

pith:2025:XFUQC4S5LY3RKMXHWPBCZ56YKV
Status: not attested · not anchored · not stored · refs resolved

Prompt Injection Attack to Tool Selection in LLM Agents

Guiyao Tie, Jiawen Shi, Lichao Sun, Neil Zhenqiang Gong, Pan Zhou, Zenghui Yuan

ToolHijacker injects optimized malicious tool documents to force LLM agents to select attacker-chosen tools.

arxiv:2504.19793 v3 · 2025-04-28 · cs.CR

Add to your LaTeX paper
\usepackage{pith}
\pithnumber{XFUQC4S5LY3RKMXHWPBCZ56YKV}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv.

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim: open
4 Citations: open
5 Replications: open
Portable graph bundle: live (merged state)
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1 (strongest claim)

ToolHijacker is highly effective, significantly outperforming existing manual-based and automated prompt injection attacks when applied to tool selection.

C2 (weakest assumption)

The attacker can successfully inject a malicious tool document into the agent's tool library, and the LLM's retrieval-plus-selection process remains vulnerable to prompt injection through that document in no-box scenarios.

C3 (one-line summary)

ToolHijacker optimizes malicious tool documents via a two-phase strategy to hijack LLM agents' tool selection in no-box settings.

References

89 extracted · 89 resolved · 21 Pith anchors

[1] Mind2web: Towards a generalist agent for the web, 2024
[2] A Real-World WebAgent with Planning, Long Context Understanding, and Program Synthesis, 2023 · arXiv:2307.12856
[3] SWE-agent: Agent-Computer Interfaces Enable Automated Software Engineering, 2024 · arXiv:2405.15793
[4] MetaGPT: Meta Programming for A Multi-Agent Collaborative Framework, 2023 · arXiv:2308.00352
[5] Gorilla: Large Language Model Connected with Massive APIs, 2023 · arXiv:2305.15334

Formal links

1 machine-checked theorem link

Cited by

20 papers in Pith

Receipt and verification
First computed: 2026-05-17T23:38:47.172959Z
Builder: pith-number-builder-2026-05-17-v1
Signature: Pith Ed25519 (pith-v1-2026-05)
Schema: pith-number/v1.0

Canonical hash

b96901725d5e371532e7b3c22cf7d8554323f3b645c668e74656b6870c1d1ef3

Aliases

arxiv: 2504.19793 · arxiv_version: 2504.19793v3 · doi: 10.48550/arxiv.2504.19793 · pith_short_12: XFUQC4S5LY3R · pith_short_16: XFUQC4S5LY3RKMXH · pith_short_8: XFUQC4S5
Agent API
Verify this Pith Number yourself
curl -sH 'Accept: application/ld+json' https://pith.science/pith/XFUQC4S5LY3RKMXHWPBCZ56YKV \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: b96901725d5e371532e7b3c22cf7d8554323f3b645c668e74656b6870c1d1ef3
Canonical record JSON
{
  "metadata": {
    "abstract_canon_sha256": "0684b0018f8a4ccc3173dcc6c48a06d7041ac42096f90559f60f6c38b93d7c3e",
    "cross_cats_sorted": [],
    "license": "http://arxiv.org/licenses/nonexclusive-distrib/1.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2025-04-28T13:36:43Z",
    "title_canon_sha256": "6ca23ef6e0dbc0b583009bdb339b7972c0c31fedcf7570f20c13530b042639bf"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2504.19793",
    "kind": "arxiv",
    "version": 3
  }
}