{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2025:XFUQC4S5LY3RKMXHWPBCZ56YKV","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"0684b0018f8a4ccc3173dcc6c48a06d7041ac42096f90559f60f6c38b93d7c3e","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2025-04-28T13:36:43Z","title_canon_sha256":"6ca23ef6e0dbc0b583009bdb339b7972c0c31fedcf7570f20c13530b042639bf"},"schema_version":"1.0","source":{"id":"2504.19793","kind":"arxiv","version":3}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2504.19793","created_at":"2026-05-17T23:38:47Z"},{"alias_kind":"arxiv_version","alias_value":"2504.19793v3","created_at":"2026-05-17T23:38:47Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2504.19793","created_at":"2026-05-17T23:38:47Z"},{"alias_kind":"pith_short_12","alias_value":"XFUQC4S5LY3R","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"XFUQC4S5LY3RKMXH","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"XFUQC4S5","created_at":"2026-05-18T12:33:37Z"}],"graph_snapshots":[{"event_id":"sha256:0c197144a3b3535c9b94be4d2fbb1225df6873d9b900ff55cfb3e5743e5c978a","target":"graph","created_at":"2026-05-17T23:38:47Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"ToolHijacker is highly effective, significantly outperforming existing manual-based and automated prompt injection attacks when applied to tool selection."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"The attacker can successfully inject a malicious tool document into the agent's tool library, and the LLM's retrieval-plus-selection process remains vulnerable to prompt injection through that document in no-box scenarios."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"ToolHijacker optimizes malicious tool documents via a two-phase strategy to hijack LLM agents' tool selection in no-box settings."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"ToolHijacker injects optimized malicious tool documents to force LLM agents to select attacker-chosen tools."}],"snapshot_sha256":"d4644f54b8a411dddf834c564570e6e971847fdbbdd63616197ffd1a7c8ecd50"},"formal_canon":{"evidence_count":1,"snapshot_sha256":"30024c40f4bbda28ef936fe596e5c8db2284da869bba8f9efcb713aa19151211"},"paper":{"abstract_excerpt":"Tool selection is a key component of LLM agents. A popular approach follows a two-step process - \\emph{retrieval} and \\emph{selection} - to pick the most appropriate tool from a tool library for a given task. In this work, we introduce \\textit{ToolHijacker}, a novel prompt injection attack targeting tool selection in no-box scenarios. ToolHijacker injects a malicious tool document into the tool library to manipulate the LLM agent's tool selection process, compelling it to consistently choose the attacker's malicious tool for an attacker-chosen target task. Specifically, we formulate the crafti","authors_text":"Guiyao Tie, Jiawen Shi, Lichao Sun, Neil Zhenqiang Gong, Pan Zhou, Zenghui Yuan","cross_cats":[],"headline":"ToolHijacker injects optimized malicious tool documents to force LLM agents to select attacker-chosen tools.","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2025-04-28T13:36:43Z","title":"Prompt Injection Attack to Tool Selection in LLM Agents"},"references":{"count":89,"internal_anchors":21,"resolved_work":89,"sample":[{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":1,"title":"Mind2web: Towards a generalist agent for the web,","work_id":"c5619498-3e80-4a16-9c61-fe6255c5f11c","year":2024},{"cited_arxiv_id":"2307.12856","doi":"","is_internal_anchor":true,"ref_index":2,"title":"A Real-World WebAgent with Planning, Long Context Understanding, and Program Synthesis","work_id":"0915d1fc-bc46-4128-871e-f9233dca44b6","year":2023},{"cited_arxiv_id":"2405.15793","doi":"","is_internal_anchor":true,"ref_index":3,"title":"SWE-agent: Agent-Computer Interfaces Enable Automated Software Engineering","work_id":"01826cd9-a652-403c-a2ec-531da9fe2b6a","year":2024},{"cited_arxiv_id":"2308.00352","doi":"","is_internal_anchor":true,"ref_index":4,"title":"MetaGPT: Meta Programming for A Multi-Agent Collaborative Framework","work_id":"891b9780-a800-4e3c-bba0-53597ab8dc98","year":2023},{"cited_arxiv_id":"2305.15334","doi":"","is_internal_anchor":true,"ref_index":5,"title":"Gorilla: Large Language Model Connected with Massive APIs","work_id":"126a464a-4a73-495f-b669-de1e44aa8f09","year":2023}],"snapshot_sha256":"59843b707639bdf15764d8f5bb26719a77b453508c72de5b7b5e83c9eee33449"},"source":{"id":"2504.19793","kind":"arxiv","version":3},"verdict":{"created_at":"2026-05-16T17:04:47.406337Z","id":"e87bbfac-73db-4863-90d5-18b6f5f5b4b2","model_set":{"reader":"grok-4.3"},"one_line_summary":"ToolHijacker optimizes malicious tool documents via a two-phase strategy to hijack LLM agents' tool selection in no-box settings.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"ToolHijacker injects optimized malicious tool documents to force LLM agents to select attacker-chosen tools.","strongest_claim":"ToolHijacker is highly effective, significantly outperforming existing manual-based and automated prompt injection attacks when applied to tool selection.","weakest_assumption":"The attacker can successfully inject a malicious tool document into the agent's tool library, and the LLM's retrieval-plus-selection process remains vulnerable to prompt injection through that document in no-box scenarios."}},"verdict_id":"e87bbfac-73db-4863-90d5-18b6f5f5b4b2"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:7ec3b1f3a2d8086c60a4af1912f7ba9ae4951516b49a6f3dedde0a42bf43ffb3","target":"record","created_at":"2026-05-17T23:38:47Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"0684b0018f8a4ccc3173dcc6c48a06d7041ac42096f90559f60f6c38b93d7c3e","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2025-04-28T13:36:43Z","title_canon_sha256":"6ca23ef6e0dbc0b583009bdb339b7972c0c31fedcf7570f20c13530b042639bf"},"schema_version":"1.0","source":{"id":"2504.19793","kind":"arxiv","version":3}},"canonical_sha256":"b96901725d5e371532e7b3c22cf7d8554323f3b645c668e74656b6870c1d1ef3","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"b96901725d5e371532e7b3c22cf7d8554323f3b645c668e74656b6870c1d1ef3","first_computed_at":"2026-05-17T23:38:47.172959Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-17T23:38:47.172959Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"YRlQucsaKH96yJJ/EtFrbkEIk13/2d/DK4ZFThIQGdxlx+1RqO5J1Q2T8ArloSYvs2In9bBvqS0z6ifeNYOYAA==","signature_status":"signed_v1","signed_at":"2026-05-17T23:38:47.173416Z","signed_message":"canonical_sha256_bytes"},"source_id":"2504.19793","source_kind":"arxiv","source_version":3}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:7ec3b1f3a2d8086c60a4af1912f7ba9ae4951516b49a6f3dedde0a42bf43ffb3","sha256:0c197144a3b3535c9b94be4d2fbb1225df6873d9b900ff55cfb3e5743e5c978a"],"state_sha256":"b5cd46844576d76717ffb5cbf87d20d47a038574393224385d3ef0f441f3ceae"}