
arxiv: 2512.00520 · v2 · submitted 2025-11-29 · 💻 cs.MA

Recognition: no theorem link

Toward a Safe Internet of Agents


Pith reviewed 2026-05-17 03:12 UTC · model grok-4.3

classification 💻 cs.MA
keywords Internet of Agents, agentic safety, multi-agent systems, systemic risks, architectural security, AI agents, interoperable systems, dual-use interfaces

The pith

Agentic safety must be co-designed with capability as a fundamental architectural property in interconnected AI systems.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper seeks to establish a framework for safe AI agents by breaking down interconnected systems into single agents, multi-agent groups, and interoperable networks. It treats each element as a dual-use interface where added capability also widens potential attack surfaces. Readers would care because autonomous agents handling complex tasks could create widespread risks if safety remains an afterthought rather than an integrated feature. The analysis spans models, memory, tools, communication, verification, and governance to derive targeted mitigation principles. This work supports building agent networks that remain reliable as they scale toward an Internet of Agents.

Core claim

Through bottom-up deconstruction of agentic systems and analysis of each component as a dual-use interface across three tiers of increasing interconnection, the paper establishes that agentic safety must be co-designed with capability as a fundamental architectural property. Specific vulnerabilities are identified at the single-agent, multi-agent, and interoperable levels, yielding core mitigation principles that enable the construction of capable yet safe and reliable agentic AI systems.

What carries the argument

Bottom-up deconstruction of agentic systems into components treated as dual-use interfaces where capability growth expands attack surfaces.

If this is right

  • Single agents gain resilience when guardrails are paired directly with model, memory, and tool expansions.
  • Multi-agent systems require verification protocols and collective guardrails to manage group-level behaviors.
  • Interoperable multi-agent systems depend on standardized protocols, registration, resource vetting, and governance structures.
  • Developers following the co-design principle can reduce systemic risks while advancing agent capabilities.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Agent platforms could incorporate safety metrics alongside capability benchmarks during development.
  • The component analysis may need adaptation when connecting to existing distributed systems security practices.
  • Scaled testing environments would help confirm whether component review alone suffices or if emergent interactions require separate simulation.

Load-bearing premise

Deconstructing agentic systems into listed components and treating each as a dual-use interface will capture the dominant sources of systemic risk without missing emergent behaviors that only appear at scale.

What would settle it

Observation of significant safety failures in a large-scale deployment of interconnected agents that cannot be traced to or mitigated through the component-level dual-use analysis.

Original abstract

Autonomous Artificial Intelligence (AI) agents, powered by Large Language Models (LLMs), advance rapidly toward interconnected systems -- an Internet of Agents (IoA). This vision enables complex problem-solving while introducing systemic safety and security risks. Beyond existing threat taxonomies, we provide a principled guide addressing architectural vulnerability sources. We offer a framework for engineering safe agentic systems through bottom-up deconstruction, analyzing each component as a dual-use interface where capability expansion creates attack surface growth. We examine three tiers: (1) Single Agents -- analyzing inherent risks in models, memory, design patterns, tools, and guardrails; (2) Multi-Agent Systems (MAS) -- examining collective behavior components including architectural patterns, communication mechanisms, verification, and system guardrails; and (3) Interoperable Multi-Agent Systems (IMAS) -- exploring four secure ecosystem pillars: standardized protocols, agent registration/discovery, resource vetting, and governance. Our analysis reveals a central principle: agentic safety must be co-designed with capability as a fundamental architectural property. We identify specific vulnerabilities at each level and derive core mitigation principles. The result is a foundational guide enabling developers and researchers to build not merely capable but safe, reliable agentic AI, contributing to secure IoA development.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript offers a conceptual framework for safe agentic AI in the emerging Internet of Agents (IoA). It deconstructs systems bottom-up across three tiers—single agents (models, memory, tools, guardrails), multi-agent systems (MAS; architectural patterns, communication, verification), and interoperable multi-agent systems (IMAS; protocols, registration/discovery, resource vetting, governance)—treating each component as a dual-use interface whose capability growth expands the attack surface. From this analysis the authors derive mitigation principles and the central claim that agentic safety must be co-designed with capability as a fundamental architectural property rather than added post-hoc.

Significance. If the deconstruction and derived principles hold, the work supplies a structured reference that moves beyond existing threat taxonomies toward architectural guidance for developers building reliable IoA components. The explicit mapping of dual-use interfaces across tiers and the identification of concrete vulnerabilities at each level constitute a practical contribution that could inform both research and engineering practice in multi-agent systems.

major comments (2)
  1. [Abstract] Abstract: The central principle that 'agentic safety must be co-designed with capability as a fundamental architectural property' is asserted to follow directly from the component-wise analysis. However, the text provides no explicit argument or worked example demonstrating that emergent risks arising from cross-tier composition (for instance, a single-agent tool invocation triggering an IMAS protocol-level discovery exploit that bypasses per-tier guardrails) cannot be mitigated by post-hoc additions. This step is load-bearing for the claim that co-design is required rather than additive.
  2. [IMAS tier analysis] Section describing the IMAS tier (four secure ecosystem pillars): The pillars of standardized protocols, agent registration/discovery, resource vetting, and governance are each analyzed as dual-use interfaces, yet the manuscript does not examine how failures or exploits at this tier could propagate downward to MAS or single-agent components, nor does it supply a concrete scenario showing why isolated per-pillar mitigations would be insufficient at scale. This interaction analysis is necessary to substantiate that the bottom-up deconstruction captures dominant systemic risks.
minor comments (2)
  1. [Introduction] The manuscript would benefit from explicit citations to prior agent-safety taxonomies and multi-agent verification literature in the introduction or related-work discussion to more clearly delineate the novel architectural contribution from existing work.
  2. Notation for the three tiers (Single Agents, MAS, IMAS) is introduced clearly in the abstract but would be easier to follow if a summary table or diagram were added early in the manuscript to show component overlap across tiers.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their thoughtful and constructive review. The comments identify opportunities to strengthen the explicit justification for our central claims. We respond to each major comment below and will incorporate revisions to address the identified gaps.

Point-by-point responses
  1. Referee: [Abstract] Abstract: The central principle that 'agentic safety must be co-designed with capability as a fundamental architectural property' is asserted to follow directly from the component-wise analysis. However, the text provides no explicit argument or worked example demonstrating that emergent risks arising from cross-tier composition (for instance, a single-agent tool invocation triggering an IMAS protocol-level discovery exploit that bypasses per-tier guardrails) cannot be mitigated by post-hoc additions. This step is load-bearing for the claim that co-design is required rather than additive.

    Authors: We agree that the manuscript would benefit from an explicit argument and worked example to demonstrate why cross-tier composition risks cannot be fully addressed by post-hoc additions. The bottom-up deconstruction shows dual-use interfaces at each tier, but the interaction effects across tiers are implied rather than illustrated with a concrete case. In the revised manuscript we will add a worked example (likely in a new subsection or expanded discussion) of a single-agent tool call triggering an IMAS discovery exploit that evades per-tier guardrails, thereby substantiating the necessity of co-design as an architectural property. revision: yes

  2. Referee: [IMAS tier analysis] Section describing the IMAS tier (four secure ecosystem pillars): The pillars of standardized protocols, agent registration/discovery, resource vetting, and governance are each analyzed as dual-use interfaces, yet the manuscript does not examine how failures or exploits at this tier could propagate downward to MAS or single-agent components, nor does it supply a concrete scenario showing why isolated per-pillar mitigations would be insufficient at scale. This interaction analysis is necessary to substantiate that the bottom-up deconstruction captures dominant systemic risks.

    Authors: We accept that downward propagation from IMAS to lower tiers and a concrete scenario on the limits of isolated mitigations would strengthen the argument for systemic risks. Although the framework is constructed bottom-up, the current IMAS analysis treats the pillars largely in isolation. We will revise the IMAS section to include an explicit discussion of downward propagation (e.g., a governance or discovery failure enabling malicious resources that undermine MAS verification or single-agent guardrails) together with a scenario illustrating why per-pillar mitigations alone are insufficient at ecosystem scale. revision: yes

Circularity Check

0 steps flagged

No circularity: principle follows from independent component analysis

Full rationale

The paper conducts a bottom-up deconstruction of agentic systems across single-agent, MAS, and IMAS tiers, treating components (models, memory, tools, protocols, etc.) as dual-use interfaces to identify vulnerabilities and derive the principle that safety must be co-designed with capability. This is a conceptual framework and set of mitigation guidelines rather than a closed mathematical derivation, fitted prediction, or self-referential definition. No equations, parameter fits, or load-bearing self-citations appear in the abstract or described structure; the central claim is presented as an outcome of the explicit tier-by-tier examination, which remains open to external validation and does not reduce to its own inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 1 invented entity

The framework rests on the assumption that agent components can be usefully isolated and analyzed as dual-use interfaces; no free parameters or invented physical entities are introduced, but the deconstruction itself is an organizing assumption not independently validated in the abstract.

axioms (1)
  • domain assumption: Agentic systems can be decomposed into discrete components (models, memory, tools, communication mechanisms, protocols, etc.) whose individual properties determine overall safety.
    Invoked when the paper analyzes each tier by examining these components separately.
invented entities (1)
  • Internet of Agents (IoA): no independent evidence
    purpose: Vision of interconnected autonomous AI agents that collaborate on complex tasks.
    Introduced as the target environment whose safety risks the framework addresses.


Forward citations

Cited by 2 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Holos: A Web-Scale LLM-Based Multi-Agent System for the Agentic Web

    cs.AI · 2026-01 · unverdicted · novelty 6.0

    Holos is a five-layer LLM-based multi-agent system architecture using the Nuwa engine for agent generation, a market-driven Orchestrator for coordination, and an endogenous value cycle for incentive-compatible persist...

  2. Security Threat Modeling for Emerging AI-Agent Protocols: A Comparative Analysis of MCP, A2A, Agora, and ANP

    cs.CR · 2026-02 · unverdicted · novelty 5.0

    The paper identifies twelve protocol-level security risks across MCP, A2A, Agora, and ANP and quantifies wrong-provider tool execution risk in MCP via a measurement-driven case study on multi-server composition.

Reference graph

Works this paper leans on

32 extracted references · 32 canonical work pages · cited by 2 Pith papers · 7 internal anchors
