{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2026:ZWEK6PPEF2CTLY2Y6JOBKHCDR3","short_pith_number":"pith:ZWEK6PPE","schema_version":"1.0","canonical_sha256":"cd88af3de42e8535e358f25c151c438ec2b1f739468f8e456d3c6312634a39d6","source":{"kind":"arxiv","id":"2605.22001","version":1},"attestation_state":"computed","paper":{"title":"Blind Spots in the Guard: How Domain-Camouflaged Injection Attacks Evade Detection in Multi-Agent LLM Systems","license":"http://creativecommons.org/licenses/by/4.0/","headline":"","cross_cats":["cs.AI","cs.CL"],"primary_cat":"cs.CR","authors_text":"Aaditya Pai","submitted_at":"2026-05-21T04:58:11Z","abstract_excerpt":"Injection detectors deployed to protect LLM agents are calibrated on static, template-based payloads that announce themselves as override directives. We identify a systematic blind spot: when payloads are generated to mimic the domain vocabulary and authority structures of the target document, what we call domain camouflaged injection, standard detectors fail to flag them, with detection rates dropping from 93.8% to 9.7% on Llama 3.1 8B and from 100% to 55.6% on Gemini 2.0 Flash. We formalize this as the Camouflage Detection Gap (CDG), the difference in injection detection rate between static "},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":false,"formal_links_present":false},"canonical_record":{"source":{"id":"2605.22001","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-21T04:58:11Z","cross_cats_sorted":["cs.AI","cs.CL"],"title_canon_sha256":"d17ebf0f7ec5e74331106e1a596f68b40a5b8eac2706b778f3a08b92a7f0548f","abstract_canon_sha256":"7008754e408ae84088d370d24a5938e9a2b82613f41cb9fbfc582c671a23ebed"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-22T01:04:19.868911Z","signature_b64":"btnsi4s7wvpEFGw8rtz5VoVzkm0t29Xw4W9LbIL6FuwVfQbf1/maL+heSa1hLM2FhumRuDRLs6DQCQmfvGgrCg==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"cd88af3de42e8535e358f25c151c438ec2b1f739468f8e456d3c6312634a39d6","last_reissued_at":"2026-05-22T01:04:19.868214Z","signature_status":"signed_v1","first_computed_at":"2026-05-22T01:04:19.868214Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"Blind Spots in the Guard: How Domain-Camouflaged Injection Attacks Evade Detection in Multi-Agent LLM Systems","license":"http://creativecommons.org/licenses/by/4.0/","headline":"","cross_cats":["cs.AI","cs.CL"],"primary_cat":"cs.CR","authors_text":"Aaditya Pai","submitted_at":"2026-05-21T04:58:11Z","abstract_excerpt":"Injection detectors deployed to protect LLM agents are calibrated on static, template-based payloads that announce themselves as override directives. We identify a systematic blind spot: when payloads are generated to mimic the domain vocabulary and authority structures of the target document, what we call domain camouflaged injection, standard detectors fail to flag them, with detection rates dropping from 93.8% to 9.7% on Llama 3.1 8B and from 100% to 55.6% on Gemini 2.0 Flash. We formalize this as the Camouflage Detection Gap (CDG), the difference in injection detection rate between static "},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2605.22001","kind":"arxiv","version":1},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2605.22001/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2605.22001","created_at":"2026-05-22T01:04:19.868367+00:00"},{"alias_kind":"arxiv_version","alias_value":"2605.22001v1","created_at":"2026-05-22T01:04:19.868367+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.22001","created_at":"2026-05-22T01:04:19.868367+00:00"},{"alias_kind":"pith_short_12","alias_value":"ZWEK6PPEF2CT","created_at":"2026-05-22T01:04:19.868367+00:00"},{"alias_kind":"pith_short_16","alias_value":"ZWEK6PPEF2CTLY2Y","created_at":"2026-05-22T01:04:19.868367+00:00"},{"alias_kind":"pith_short_8","alias_value":"ZWEK6PPE","created_at":"2026-05-22T01:04:19.868367+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":0,"internal_anchor_count":0,"sample":[]},"formal_canon":{"evidence_count":0,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/ZWEK6PPEF2CTLY2Y6JOBKHCDR3","json":"https://pith.science/pith/ZWEK6PPEF2CTLY2Y6JOBKHCDR3.json","graph_json":"https://pith.science/api/pith-number/ZWEK6PPEF2CTLY2Y6JOBKHCDR3/graph.json","events_json":"https://pith.science/api/pith-number/ZWEK6PPEF2CTLY2Y6JOBKHCDR3/events.json","paper":"https://pith.science/paper/ZWEK6PPE"},"agent_actions":{"view_html":"https://pith.science/pith/ZWEK6PPEF2CTLY2Y6JOBKHCDR3","download_json":"https://pith.science/pith/ZWEK6PPEF2CTLY2Y6JOBKHCDR3.json","view_paper":"https://pith.science/paper/ZWEK6PPE","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2605.22001&json=true","fetch_graph":"https://pith.science/api/pith-number/ZWEK6PPEF2CTLY2Y6JOBKHCDR3/graph.json","fetch_events":"https://pith.science/api/pith-number/ZWEK6PPEF2CTLY2Y6JOBKHCDR3/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/ZWEK6PPEF2CTLY2Y6JOBKHCDR3/action/timestamp_anchor","attest_storage":"https://pith.science/pith/ZWEK6PPEF2CTLY2Y6JOBKHCDR3/action/storage_attestation","attest_author":"https://pith.science/pith/ZWEK6PPEF2CTLY2Y6JOBKHCDR3/action/author_attestation","sign_citation":"https://pith.science/pith/ZWEK6PPEF2CTLY2Y6JOBKHCDR3/action/citation_signature","submit_replication":"https://pith.science/pith/ZWEK6PPEF2CTLY2Y6JOBKHCDR3/action/replication_record"}},"created_at":"2026-05-22T01:04:19.868367+00:00","updated_at":"2026-05-22T01:04:19.868367+00:00"}