{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2025:XFUQC4S5LY3RKMXHWPBCZ56YKV","short_pith_number":"pith:XFUQC4S5","canonical_record":{"source":{"id":"2504.19793","kind":"arxiv","version":3},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2025-04-28T13:36:43Z","cross_cats_sorted":[],"title_canon_sha256":"6ca23ef6e0dbc0b583009bdb339b7972c0c31fedcf7570f20c13530b042639bf","abstract_canon_sha256":"0684b0018f8a4ccc3173dcc6c48a06d7041ac42096f90559f60f6c38b93d7c3e"},"schema_version":"1.0"},"canonical_sha256":"b96901725d5e371532e7b3c22cf7d8554323f3b645c668e74656b6870c1d1ef3","source":{"kind":"arxiv","id":"2504.19793","version":3},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2504.19793","created_at":"2026-05-17T23:38:47Z"},{"alias_kind":"arxiv_version","alias_value":"2504.19793v3","created_at":"2026-05-17T23:38:47Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2504.19793","created_at":"2026-05-17T23:38:47Z"},{"alias_kind":"pith_short_12","alias_value":"XFUQC4S5LY3R","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"XFUQC4S5LY3RKMXH","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"XFUQC4S5","created_at":"2026-05-18T12:33:37Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2025:XFUQC4S5LY3RKMXHWPBCZ56YKV","target":"record","payload":{"canonical_record":{"source":{"id":"2504.19793","kind":"arxiv","version":3},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2025-04-28T13:36:43Z","cross_cats_sorted":[],"title_canon_sha256":"6ca23ef6e0dbc0b583009bdb339b7972c0c31fedcf7570f20c13530b042639bf","abstract_canon_sha256":"0684b0018f8a4ccc3173dcc6c48a06d7041ac42096f90559f60f6c38b93d7c3e"},"schema_version":"1.0"},"canonical_sha256":"b96901725d5e371532e7b3c22cf7d8554323f3b645c668e74656b6870c1d1ef3","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:38:47.173416Z","signature_b64":"YRlQucsaKH96yJJ/EtFrbkEIk13/2d/DK4ZFThIQGdxlx+1RqO5J1Q2T8ArloSYvs2In9bBvqS0z6ifeNYOYAA==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"b96901725d5e371532e7b3c22cf7d8554323f3b645c668e74656b6870c1d1ef3","last_reissued_at":"2026-05-17T23:38:47.172959Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:38:47.172959Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2504.19793","source_version":3,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T23:38:47Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"Og+/1ymuCbVaPOXzVe0uh6kaW5zhug5sIlXJWmLbBkt0fsdiwxG5l9A540I+Ib566HlH0pWfkUPyuF6+FUfDBQ==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-01T03:53:25.587655Z"},"content_sha256":"7ec3b1f3a2d8086c60a4af1912f7ba9ae4951516b49a6f3dedde0a42bf43ffb3","schema_version":"1.0","event_id":"sha256:7ec3b1f3a2d8086c60a4af1912f7ba9ae4951516b49a6f3dedde0a42bf43ffb3"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2025:XFUQC4S5LY3RKMXHWPBCZ56YKV","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Prompt Injection Attack to Tool Selection in LLM Agents","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"ToolHijacker injects optimized malicious tool documents to force LLM agents to select attacker-chosen tools.","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Guiyao Tie, Jiawen Shi, Lichao Sun, Neil Zhenqiang Gong, Pan Zhou, Zenghui Yuan","submitted_at":"2025-04-28T13:36:43Z","abstract_excerpt":"Tool selection is a key component of LLM agents. A popular approach follows a two-step process - \\emph{retrieval} and \\emph{selection} - to pick the most appropriate tool from a tool library for a given task. In this work, we introduce \\textit{ToolHijacker}, a novel prompt injection attack targeting tool selection in no-box scenarios. ToolHijacker injects a malicious tool document into the tool library to manipulate the LLM agent's tool selection process, compelling it to consistently choose the attacker's malicious tool for an attacker-chosen target task. Specifically, we formulate the crafti"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"ToolHijacker is highly effective, significantly outperforming existing manual-based and automated prompt injection attacks when applied to tool selection.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The attacker can successfully inject a malicious tool document into the agent's tool library, and the LLM's retrieval-plus-selection process remains vulnerable to prompt injection through that document in no-box scenarios.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"ToolHijacker optimizes malicious tool documents via a two-phase strategy to hijack LLM agents' tool selection in no-box settings.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"ToolHijacker injects optimized malicious tool documents to force LLM agents to select attacker-chosen tools.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"d4644f54b8a411dddf834c564570e6e971847fdbbdd63616197ffd1a7c8ecd50"},"source":{"id":"2504.19793","kind":"arxiv","version":3},"verdict":{"id":"e87bbfac-73db-4863-90d5-18b6f5f5b4b2","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-16T17:04:47.406337Z","strongest_claim":"ToolHijacker is highly effective, significantly outperforming existing manual-based and automated prompt injection attacks when applied to tool selection.","one_line_summary":"ToolHijacker optimizes malicious tool documents via a two-phase strategy to hijack LLM agents' tool selection in no-box settings.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The attacker can successfully inject a malicious tool document into the agent's tool library, and the LLM's retrieval-plus-selection process remains vulnerable to prompt injection through that document in no-box scenarios.","pith_extraction_headline":"ToolHijacker injects optimized malicious tool documents to force LLM agents to select attacker-chosen tools."},"references":{"count":89,"sample":[{"doi":"","year":2024,"title":"Mind2web: Towards a generalist agent for the web,","work_id":"c5619498-3e80-4a16-9c61-fe6255c5f11c","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2023,"title":"A Real-World WebAgent with Planning, Long Context Understanding, and Program Synthesis","work_id":"0915d1fc-bc46-4128-871e-f9233dca44b6","ref_index":2,"cited_arxiv_id":"2307.12856","is_internal_anchor":true},{"doi":"","year":2024,"title":"SWE-agent: Agent-Computer Interfaces Enable Automated Software Engineering","work_id":"01826cd9-a652-403c-a2ec-531da9fe2b6a","ref_index":3,"cited_arxiv_id":"2405.15793","is_internal_anchor":true},{"doi":"","year":2023,"title":"MetaGPT: Meta Programming for A Multi-Agent Collaborative Framework","work_id":"891b9780-a800-4e3c-bba0-53597ab8dc98","ref_index":4,"cited_arxiv_id":"2308.00352","is_internal_anchor":true},{"doi":"","year":2023,"title":"Gorilla: Large Language Model Connected with Massive APIs","work_id":"126a464a-4a73-495f-b669-de1e44aa8f09","ref_index":5,"cited_arxiv_id":"2305.15334","is_internal_anchor":true}],"resolved_work":89,"snapshot_sha256":"59843b707639bdf15764d8f5bb26719a77b453508c72de5b7b5e83c9eee33449","internal_anchors":21},"formal_canon":{"evidence_count":1,"snapshot_sha256":"30024c40f4bbda28ef936fe596e5c8db2284da869bba8f9efcb713aa19151211"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":"e87bbfac-73db-4863-90d5-18b6f5f5b4b2"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T23:38:47Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"41FceGpzpMK8LmhjJypeF9jcood6+KJIVQesH0+hU+ukHy+nsCMssrlOZ11y4jTQULdMG5SWFvnYDwQZqi/LAg==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-01T03:53:25.588169Z"},"content_sha256":"0c197144a3b3535c9b94be4d2fbb1225df6873d9b900ff55cfb3e5743e5c978a","schema_version":"1.0","event_id":"sha256:0c197144a3b3535c9b94be4d2fbb1225df6873d9b900ff55cfb3e5743e5c978a"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/XFUQC4S5LY3RKMXHWPBCZ56YKV/bundle.json","state_url":"https://pith.science/pith/XFUQC4S5LY3RKMXHWPBCZ56YKV/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/XFUQC4S5LY3RKMXHWPBCZ56YKV/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-06-01T03:53:25Z","links":{"resolver":"https://pith.science/pith/XFUQC4S5LY3RKMXHWPBCZ56YKV","bundle":"https://pith.science/pith/XFUQC4S5LY3RKMXHWPBCZ56YKV/bundle.json","state":"https://pith.science/pith/XFUQC4S5LY3RKMXHWPBCZ56YKV/state.json","well_known_bundle":"https://pith.science/.well-known/pith/XFUQC4S5LY3RKMXHWPBCZ56YKV/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2025:XFUQC4S5LY3RKMXHWPBCZ56YKV","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"0684b0018f8a4ccc3173dcc6c48a06d7041ac42096f90559f60f6c38b93d7c3e","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2025-04-28T13:36:43Z","title_canon_sha256":"6ca23ef6e0dbc0b583009bdb339b7972c0c31fedcf7570f20c13530b042639bf"},"schema_version":"1.0","source":{"id":"2504.19793","kind":"arxiv","version":3}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2504.19793","created_at":"2026-05-17T23:38:47Z"},{"alias_kind":"arxiv_version","alias_value":"2504.19793v3","created_at":"2026-05-17T23:38:47Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2504.19793","created_at":"2026-05-17T23:38:47Z"},{"alias_kind":"pith_short_12","alias_value":"XFUQC4S5LY3R","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"XFUQC4S5LY3RKMXH","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"XFUQC4S5","created_at":"2026-05-18T12:33:37Z"}],"graph_snapshots":[{"event_id":"sha256:0c197144a3b3535c9b94be4d2fbb1225df6873d9b900ff55cfb3e5743e5c978a","target":"graph","created_at":"2026-05-17T23:38:47Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"ToolHijacker is highly effective, significantly outperforming existing manual-based and automated prompt injection attacks when applied to tool selection."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"The attacker can successfully inject a malicious tool document into the agent's tool library, and the LLM's retrieval-plus-selection process remains vulnerable to prompt injection through that document in no-box scenarios."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"ToolHijacker optimizes malicious tool documents via a two-phase strategy to hijack LLM agents' tool selection in no-box settings."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"ToolHijacker injects optimized malicious tool documents to force LLM agents to select attacker-chosen tools."}],"snapshot_sha256":"d4644f54b8a411dddf834c564570e6e971847fdbbdd63616197ffd1a7c8ecd50"},"formal_canon":{"evidence_count":1,"snapshot_sha256":"30024c40f4bbda28ef936fe596e5c8db2284da869bba8f9efcb713aa19151211"},"paper":{"abstract_excerpt":"Tool selection is a key component of LLM agents. A popular approach follows a two-step process - \\emph{retrieval} and \\emph{selection} - to pick the most appropriate tool from a tool library for a given task. In this work, we introduce \\textit{ToolHijacker}, a novel prompt injection attack targeting tool selection in no-box scenarios. ToolHijacker injects a malicious tool document into the tool library to manipulate the LLM agent's tool selection process, compelling it to consistently choose the attacker's malicious tool for an attacker-chosen target task. Specifically, we formulate the crafti","authors_text":"Guiyao Tie, Jiawen Shi, Lichao Sun, Neil Zhenqiang Gong, Pan Zhou, Zenghui Yuan","cross_cats":[],"headline":"ToolHijacker injects optimized malicious tool documents to force LLM agents to select attacker-chosen tools.","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2025-04-28T13:36:43Z","title":"Prompt Injection Attack to Tool Selection in LLM Agents"},"references":{"count":89,"internal_anchors":21,"resolved_work":89,"sample":[{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":1,"title":"Mind2web: Towards a generalist agent for the web,","work_id":"c5619498-3e80-4a16-9c61-fe6255c5f11c","year":2024},{"cited_arxiv_id":"2307.12856","doi":"","is_internal_anchor":true,"ref_index":2,"title":"A Real-World WebAgent with Planning, Long Context Understanding, and Program Synthesis","work_id":"0915d1fc-bc46-4128-871e-f9233dca44b6","year":2023},{"cited_arxiv_id":"2405.15793","doi":"","is_internal_anchor":true,"ref_index":3,"title":"SWE-agent: Agent-Computer Interfaces Enable Automated Software Engineering","work_id":"01826cd9-a652-403c-a2ec-531da9fe2b6a","year":2024},{"cited_arxiv_id":"2308.00352","doi":"","is_internal_anchor":true,"ref_index":4,"title":"MetaGPT: Meta Programming for A Multi-Agent Collaborative Framework","work_id":"891b9780-a800-4e3c-bba0-53597ab8dc98","year":2023},{"cited_arxiv_id":"2305.15334","doi":"","is_internal_anchor":true,"ref_index":5,"title":"Gorilla: Large Language Model Connected with Massive APIs","work_id":"126a464a-4a73-495f-b669-de1e44aa8f09","year":2023}],"snapshot_sha256":"59843b707639bdf15764d8f5bb26719a77b453508c72de5b7b5e83c9eee33449"},"source":{"id":"2504.19793","kind":"arxiv","version":3},"verdict":{"created_at":"2026-05-16T17:04:47.406337Z","id":"e87bbfac-73db-4863-90d5-18b6f5f5b4b2","model_set":{"reader":"grok-4.3"},"one_line_summary":"ToolHijacker optimizes malicious tool documents via a two-phase strategy to hijack LLM agents' tool selection in no-box settings.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"ToolHijacker injects optimized malicious tool documents to force LLM agents to select attacker-chosen tools.","strongest_claim":"ToolHijacker is highly effective, significantly outperforming existing manual-based and automated prompt injection attacks when applied to tool selection.","weakest_assumption":"The attacker can successfully inject a malicious tool document into the agent's tool library, and the LLM's retrieval-plus-selection process remains vulnerable to prompt injection through that document in no-box scenarios."}},"verdict_id":"e87bbfac-73db-4863-90d5-18b6f5f5b4b2"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:7ec3b1f3a2d8086c60a4af1912f7ba9ae4951516b49a6f3dedde0a42bf43ffb3","target":"record","created_at":"2026-05-17T23:38:47Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"0684b0018f8a4ccc3173dcc6c48a06d7041ac42096f90559f60f6c38b93d7c3e","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2025-04-28T13:36:43Z","title_canon_sha256":"6ca23ef6e0dbc0b583009bdb339b7972c0c31fedcf7570f20c13530b042639bf"},"schema_version":"1.0","source":{"id":"2504.19793","kind":"arxiv","version":3}},"canonical_sha256":"b96901725d5e371532e7b3c22cf7d8554323f3b645c668e74656b6870c1d1ef3","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"b96901725d5e371532e7b3c22cf7d8554323f3b645c668e74656b6870c1d1ef3","first_computed_at":"2026-05-17T23:38:47.172959Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-17T23:38:47.172959Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"YRlQucsaKH96yJJ/EtFrbkEIk13/2d/DK4ZFThIQGdxlx+1RqO5J1Q2T8ArloSYvs2In9bBvqS0z6ifeNYOYAA==","signature_status":"signed_v1","signed_at":"2026-05-17T23:38:47.173416Z","signed_message":"canonical_sha256_bytes"},"source_id":"2504.19793","source_kind":"arxiv","source_version":3}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:7ec3b1f3a2d8086c60a4af1912f7ba9ae4951516b49a6f3dedde0a42bf43ffb3","sha256:0c197144a3b3535c9b94be4d2fbb1225df6873d9b900ff55cfb3e5743e5c978a"],"state_sha256":"b5cd46844576d76717ffb5cbf87d20d47a038574393224385d3ef0f441f3ceae"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"MZiaLY1SbapDKHkjq/v2qJ+EB+ga0aJYG4KulDEc8WpuUKh3eMclETsrbOKerWDmB8y7tBF75dSYDTHtI4nLCQ==","signed_message":"bundle_sha256_bytes","signed_at":"2026-06-01T03:53:25.590778Z","bundle_sha256":"688f37bbd33aaabe683cc0dc612d9d8ca300d0957ae70a725a92be784afbf05b"}}