{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2025:XFUQC4S5LY3RKMXHWPBCZ56YKV","short_pith_number":"pith:XFUQC4S5","schema_version":"1.0","canonical_sha256":"b96901725d5e371532e7b3c22cf7d8554323f3b645c668e74656b6870c1d1ef3","source":{"kind":"arxiv","id":"2504.19793","version":3},"attestation_state":"computed","paper":{"title":"Prompt Injection Attack to Tool Selection in LLM Agents","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"ToolHijacker injects optimized malicious tool documents to force LLM agents to select attacker-chosen tools.","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Guiyao Tie, Jiawen Shi, Lichao Sun, Neil Zhenqiang Gong, Pan Zhou, Zenghui Yuan","submitted_at":"2025-04-28T13:36:43Z","abstract_excerpt":"Tool selection is a key component of LLM agents. A popular approach follows a two-step process - \\emph{retrieval} and \\emph{selection} - to pick the most appropriate tool from a tool library for a given task. In this work, we introduce \\textit{ToolHijacker}, a novel prompt injection attack targeting tool selection in no-box scenarios. ToolHijacker injects a malicious tool document into the tool library to manipulate the LLM agent's tool selection process, compelling it to consistently choose the attacker's malicious tool for an attacker-chosen target task. Specifically, we formulate the crafti"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":true,"formal_links_present":true},"canonical_record":{"source":{"id":"2504.19793","kind":"arxiv","version":3},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2025-04-28T13:36:43Z","cross_cats_sorted":[],"title_canon_sha256":"6ca23ef6e0dbc0b583009bdb339b7972c0c31fedcf7570f20c13530b042639bf","abstract_canon_sha256":"0684b0018f8a4ccc3173dcc6c48a06d7041ac42096f90559f60f6c38b93d7c3e"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:38:47.173416Z","signature_b64":"YRlQucsaKH96yJJ/EtFrbkEIk13/2d/DK4ZFThIQGdxlx+1RqO5J1Q2T8ArloSYvs2In9bBvqS0z6ifeNYOYAA==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"b96901725d5e371532e7b3c22cf7d8554323f3b645c668e74656b6870c1d1ef3","last_reissued_at":"2026-05-17T23:38:47.172959Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:38:47.172959Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"Prompt Injection Attack to Tool Selection in LLM Agents","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"ToolHijacker injects optimized malicious tool documents to force LLM agents to select attacker-chosen tools.","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Guiyao Tie, Jiawen Shi, Lichao Sun, Neil Zhenqiang Gong, Pan Zhou, Zenghui Yuan","submitted_at":"2025-04-28T13:36:43Z","abstract_excerpt":"Tool selection is a key component of LLM agents. A popular approach follows a two-step process - \\emph{retrieval} and \\emph{selection} - to pick the most appropriate tool from a tool library for a given task. In this work, we introduce \\textit{ToolHijacker}, a novel prompt injection attack targeting tool selection in no-box scenarios. ToolHijacker injects a malicious tool document into the tool library to manipulate the LLM agent's tool selection process, compelling it to consistently choose the attacker's malicious tool for an attacker-chosen target task. Specifically, we formulate the crafti"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"ToolHijacker is highly effective, significantly outperforming existing manual-based and automated prompt injection attacks when applied to tool selection.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The attacker can successfully inject a malicious tool document into the agent's tool library, and the LLM's retrieval-plus-selection process remains vulnerable to prompt injection through that document in no-box scenarios.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"ToolHijacker optimizes malicious tool documents via a two-phase strategy to hijack LLM agents' tool selection in no-box settings.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"ToolHijacker injects optimized malicious tool documents to force LLM agents to select attacker-chosen tools.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"d4644f54b8a411dddf834c564570e6e971847fdbbdd63616197ffd1a7c8ecd50"},"source":{"id":"2504.19793","kind":"arxiv","version":3},"verdict":{"id":"e87bbfac-73db-4863-90d5-18b6f5f5b4b2","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-16T17:04:47.406337Z","strongest_claim":"ToolHijacker is highly effective, significantly outperforming existing manual-based and automated prompt injection attacks when applied to tool selection.","one_line_summary":"ToolHijacker optimizes malicious tool documents via a two-phase strategy to hijack LLM agents' tool selection in no-box settings.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The attacker can successfully inject a malicious tool document into the agent's tool library, and the LLM's retrieval-plus-selection process remains vulnerable to prompt injection through that document in no-box scenarios.","pith_extraction_headline":"ToolHijacker injects optimized malicious tool documents to force LLM agents to select attacker-chosen tools."},"references":{"count":89,"sample":[{"doi":"","year":2024,"title":"Mind2web: Towards a generalist agent for the web,","work_id":"c5619498-3e80-4a16-9c61-fe6255c5f11c","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2023,"title":"A Real-World WebAgent with Planning, Long Context Understanding, and Program Synthesis","work_id":"0915d1fc-bc46-4128-871e-f9233dca44b6","ref_index":2,"cited_arxiv_id":"2307.12856","is_internal_anchor":true},{"doi":"","year":2024,"title":"SWE-agent: Agent-Computer Interfaces Enable Automated Software Engineering","work_id":"01826cd9-a652-403c-a2ec-531da9fe2b6a","ref_index":3,"cited_arxiv_id":"2405.15793","is_internal_anchor":true},{"doi":"","year":2023,"title":"MetaGPT: Meta Programming for A Multi-Agent Collaborative Framework","work_id":"891b9780-a800-4e3c-bba0-53597ab8dc98","ref_index":4,"cited_arxiv_id":"2308.00352","is_internal_anchor":true},{"doi":"","year":2023,"title":"Gorilla: Large Language Model Connected with Massive APIs","work_id":"126a464a-4a73-495f-b669-de1e44aa8f09","ref_index":5,"cited_arxiv_id":"2305.15334","is_internal_anchor":true}],"resolved_work":89,"snapshot_sha256":"59843b707639bdf15764d8f5bb26719a77b453508c72de5b7b5e83c9eee33449","internal_anchors":21},"formal_canon":{"evidence_count":1,"snapshot_sha256":"30024c40f4bbda28ef936fe596e5c8db2284da869bba8f9efcb713aa19151211"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2504.19793","created_at":"2026-05-17T23:38:47.173034+00:00"},{"alias_kind":"arxiv_version","alias_value":"2504.19793v3","created_at":"2026-05-17T23:38:47.173034+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2504.19793","created_at":"2026-05-17T23:38:47.173034+00:00"},{"alias_kind":"pith_short_12","alias_value":"XFUQC4S5LY3R","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_16","alias_value":"XFUQC4S5LY3RKMXH","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_8","alias_value":"XFUQC4S5","created_at":"2026-05-18T12:33:37.589309+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":20,"internal_anchor_count":20,"sample":[{"citing_arxiv_id":"2605.21392","citing_title":"VIPER-MCP: Detecting and Exploiting Taint-Style Vulnerabilities in Model Context Protocol Servers","ref_index":14,"is_internal_anchor":true},{"citing_arxiv_id":"2605.14038","citing_title":"Model-Adaptive Tool Necessity Reveals the Knowing-Doing Gap in LLM Tool Use","ref_index":27,"is_internal_anchor":true},{"citing_arxiv_id":"2510.23853","citing_title":"Your LLM Agents are Temporally Blind: The Misalignment Between Tool Use Decisions and Human Time Perception","ref_index":35,"is_internal_anchor":true},{"citing_arxiv_id":"2603.09002","citing_title":"Security Considerations for Multi-agent Systems","ref_index":39,"is_internal_anchor":true},{"citing_arxiv_id":"2605.14038","citing_title":"Model-Adaptive Tool Necessity Reveals the Knowing-Doing Gap in LLM Tool Use","ref_index":27,"is_internal_anchor":true},{"citing_arxiv_id":"2605.13213","citing_title":"Hierarchical Attacks for Multi-Modal Multi-Agent Reasoning","ref_index":32,"is_internal_anchor":true},{"citing_arxiv_id":"2605.13044","citing_title":"No Attack Required: Semantic Fuzzing for Specification Violations in Agent Skills","ref_index":31,"is_internal_anchor":true},{"citing_arxiv_id":"2604.03070","citing_title":"Credential Leakage in LLM Agent Skills: A Large-Scale Empirical Study","ref_index":52,"is_internal_anchor":true},{"citing_arxiv_id":"2605.11770","citing_title":"Behavioral Integrity Verification for AI Agent Skills","ref_index":29,"is_internal_anchor":true},{"citing_arxiv_id":"2605.11514","citing_title":"FlowSteer: Prompt-Only Workflow Steering Exposes Planning-Time Vulnerabilities in Multi-Agent LLM Systems","ref_index":49,"is_internal_anchor":true},{"citing_arxiv_id":"2605.11039","citing_title":"The Granularity Mismatch in Agent Security: Argument-Level Provenance Solves Enforcement and Isolates the LLM Reasoning Bottleneck","ref_index":20,"is_internal_anchor":true},{"citing_arxiv_id":"2604.27464","citing_title":"Security Attack and Defense Strategies for Autonomous Agent Frameworks: A Layered Review with OpenClaw as a Case Study","ref_index":34,"is_internal_anchor":true},{"citing_arxiv_id":"2605.03378","citing_title":"ARGUS: Defending LLM Agents Against Context-Aware Prompt Injection","ref_index":124,"is_internal_anchor":true},{"citing_arxiv_id":"2605.00460","citing_title":"CleanBase: Detecting Malicious Documents in RAG Knowledge Databases","ref_index":86,"is_internal_anchor":true},{"citing_arxiv_id":"2605.00314","citing_title":"Semia: Auditing Agent Skills via Constraint-Guided Representation Synthesis","ref_index":39,"is_internal_anchor":true},{"citing_arxiv_id":"2604.10286","citing_title":"STARS: Skill-Triggered Audit for Request-Conditioned Invocation Safety in Agent Systems","ref_index":3,"is_internal_anchor":true},{"citing_arxiv_id":"2604.09378","citing_title":"BadSkill: Backdoor Attacks on Agent Skills via Model-in-Skill Poisoning","ref_index":23,"is_internal_anchor":true},{"citing_arxiv_id":"2605.07135","citing_title":"Demystifying and Detecting Agentic Workflow Injection Vulnerabilities in GitHub Actions","ref_index":16,"is_internal_anchor":true},{"citing_arxiv_id":"2604.04426","citing_title":"ShieldNet: Network-Level Guardrails against Emerging Supply-Chain Injections in Agentic Systems","ref_index":1,"is_internal_anchor":true},{"citing_arxiv_id":"2604.16762","citing_title":"CapSeal: Capability-Sealed Secret Mediation for Secure Agent Execution","ref_index":13,"is_internal_anchor":true}]},"formal_canon":{"evidence_count":1,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/XFUQC4S5LY3RKMXHWPBCZ56YKV","json":"https://pith.science/pith/XFUQC4S5LY3RKMXHWPBCZ56YKV.json","graph_json":"https://pith.science/api/pith-number/XFUQC4S5LY3RKMXHWPBCZ56YKV/graph.json","events_json":"https://pith.science/api/pith-number/XFUQC4S5LY3RKMXHWPBCZ56YKV/events.json","paper":"https://pith.science/paper/XFUQC4S5"},"agent_actions":{"view_html":"https://pith.science/pith/XFUQC4S5LY3RKMXHWPBCZ56YKV","download_json":"https://pith.science/pith/XFUQC4S5LY3RKMXHWPBCZ56YKV.json","view_paper":"https://pith.science/paper/XFUQC4S5","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2504.19793&json=true","fetch_graph":"https://pith.science/api/pith-number/XFUQC4S5LY3RKMXHWPBCZ56YKV/graph.json","fetch_events":"https://pith.science/api/pith-number/XFUQC4S5LY3RKMXHWPBCZ56YKV/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/XFUQC4S5LY3RKMXHWPBCZ56YKV/action/timestamp_anchor","attest_storage":"https://pith.science/pith/XFUQC4S5LY3RKMXHWPBCZ56YKV/action/storage_attestation","attest_author":"https://pith.science/pith/XFUQC4S5LY3RKMXHWPBCZ56YKV/action/author_attestation","sign_citation":"https://pith.science/pith/XFUQC4S5LY3RKMXHWPBCZ56YKV/action/citation_signature","submit_replication":"https://pith.science/pith/XFUQC4S5LY3RKMXHWPBCZ56YKV/action/replication_record"}},"created_at":"2026-05-17T23:38:47.173034+00:00","updated_at":"2026-05-17T23:38:47.173034+00:00"}