π‘οΈ A curated list of resources on securing AI agent tool use and skill ecosystems β attacks, defenses, frameworks, benchmarks, and standards.
AI agents increasingly use external tools, plugins, and skills to interact with the world. This creates a new attack surface: agent skills security. This list covers the threats, defenses, and research landscape for securing these capabilities.
- Threat Frameworks & Standards
- Surveys & Systematizations
- Attack Research
- Defense Research
- Benchmarks & Datasets
- Tools & Frameworks
- Agent Skill Specifications
- Industry Reports & Blog Posts
- Related Awesome Lists
- Contributing
- OWASP Agentic AI Threats and Mitigations β First in a series from the OWASP Agentic Security Initiative (ASI), providing threat-model-based reference for agentic threats.
- OWASP Top 10 for LLM Applications β Includes LLM01: Prompt Injection, LLM06: Excessive Agency, LLM07: Insecure Plugin Design, LLM08: Excessive Autonomy.
- MITRE ATLASβ’ β Adversarial Threat Landscape for AI Systems. Tactics, techniques, and case studies for attacks on ML/AI systems.
- NIST AI Risk Management Framework β Federal framework for managing AI risks, including autonomous agent risks.
- NIST SP 800-218A: Secure Software Development for AI β Secure development practices specific to AI-enabled systems.
- EU AI Act β European regulation with specific provisions for high-risk AI systems including autonomous agents.
- Anthropic Responsible Scaling Policy β AI Safety Levels (ASL) framework addressing agent capability thresholds.
- IETF draft-klrc-aiagent-auth-01: AI Agent Authentication and Authorization β Kasselman et al., IETF WIMSE-adjacent, 2026. Proposes a model for authentication and authorization of AI agent interactions using existing OAuth 2.0 and WIMSE standards; covers delegation chains, agent identity, and trust establishment without defining new protocols.
- IETF draft-niyikiza-oauth-attenuating-agent-tokens-00: Attenuating Authorization Tokens for Agentic Delegation Chains β Niyikiza (Tenuo), OAuth WG, March 2026. Defines Attenuating Authorization Tokens (AATs): JWT-based credentials encoding tool-level argument constraints with a cryptographically enforced monotonic attenuation invariant β any holder can derive a more restrictive token but never a more permissive one. Extends Rich Authorization Requests (RFC 9396) with delegation-chain semantics.
- π Certifying Ghosts: How Cybersecurity AI Agents Break the EU Cyber Resilience Act β Mayoral-Vilches, 2026. Argues autonomous vulnerability-discovery-and-exploitation agents invalidate the EU Cyber Resilience Act's core assumptions of slow, human-paced disclosure and fixed product security states, contending that because attackers and defenders now wield identical AI capabilities, meaningful compliance requires continuous agent-operated monitoring rather than static certification.
- π A Survey on LLM-based Autonomous Agents: Common Attacks and Defenses β Wu et al., 2024. Comprehensive taxonomy of attacks on LLM agents across perception, cognition, and action stages.
- π Agent Security Bench (ASB): Formalizing and Benchmarking Attacks and Defenses in LLM-based Agents β Zhang et al., 2024. Formalization of 10 attack scenarios, 10 agents, 398 adversarial environments.
- π Security of AI Agents β He et al., 2024. Systematization of knowledge covering threat models for AI agents with tool access.
- π Not All Agents Are Created Equal: A Survey on Software-use Agent Security β Hua et al., 2025. Survey specifically on software-use agents and their unique security challenges.
- π A Survey on the Honesty of Large Language Models β Xie et al., 2024. Covers agent deception, sycophancy, and honesty in tool-use contexts.
- π A Comprehensive Study of Jailbreak Attack versus Defense for Large Language Models β Xu et al., 2024. Systematic study of jailbreak attacks relevant to agent guardrail bypass.
- π Prompt Injection Attacks and Defenses in LLM-Integrated Applications β Liu et al., 2024. Comprehensive taxonomy of injection attacks across direct and indirect vectors.
- π The Emerged Security and Privacy of LLM Agent: A Survey with Case Studies β Gan et al., 2024. Survey with practical case studies of security failures.
- π Self-Evolving Agents: A Survey β Gao et al., 2025. How self-evolving agents create emergent security risks.
- π Safety in Self-Evolving LLM Agent Systems: Threats, Amplification, and Case Studies β Lin et al., 2026. Uses a Module-Lifecycle Attack Surface matrix to show self-evolution transforms attack persistence from session-bounded to permanent β adversarial effects become encoded across generations, self-amplify, and propagate through agent populations without sustained attacker access, with 17 of 25 attack vectors rated critical.
- π From Thinker to Society: Security in Hierarchical Autonomy Evolution of AI Agents β Zhang et al., 2026. Hierarchical Autonomy Evolution (HAE) framework organizing agent security into cognitive, execution, and societal tiers.
- π Characterizing Faults in Agentic AI: A Taxonomy of Types, Symptoms, and Root Causes β Shah et al., 2026. Empirical taxonomy of reliability failures in agentic AI systems combining LLM reasoning with tool invocation.
- π Security Considerations for Multi-agent Systems β 2026. Systematic threat landscape of MAS with 193 threat items across 9 categories; evaluates 16 frameworks finding none achieves majority coverage.
- π The Attack and Defense Landscape of Agentic AI: A Comprehensive Survey β Kim et al., USENIX Security 2026. First systematic survey of AI agent security covering design space, attack landscape, and defense mechanisms with case studies on securing agentic systems.
- π Taming OpenClaw: Security Analysis and Mitigation of Autonomous LLM Agent Threats β Deng et al., 2026. Five-layer lifecycle-oriented security framework analyzing compound threats across initialization, input, inference, decision, and execution stages of autonomous LLM agents.
- π OpenClaw as Language Infrastructure: A Case-Centered Survey of a Public Agent Ecosystem in the Wild β He et al., Preprints 2026. Case-centered survey of the OpenClaw public-agent ecosystem whose Security dimension synthesizes governance, skill-supply-chain (ClawHub), and deployment risks of an open skill ecosystem alongside Platform, Societies, and Deployment.
- π AgenticCyOps: Securing Multi-Agentic AI Integration in Enterprise Cyber Operations β Mitra et al., 2026. Holistic architectural security framework decomposing attack surfaces across component, coordination, and ecosystem layers of enterprise multi-agent systems.
- π MCP-in-SoS: Risk Assessment Framework for Open-Source MCP Servers β Kumar et al., 2026. System-of-systems risk assessment framework for evaluating security risks of open-source MCP server deployments in production agent systems.
- π SoK: The Attack Surface of Agentic AI β Tools, and Autonomy β Dehghantanha & Homayoun, 2026. Systematization mapping trust boundaries and security risks of agentic LLM systems; proposes taxonomy spanning prompt injection, RAG poisoning, tool exploits, and multi-agent threats with metrics like Unsafe Action Rate and Privilege Escalation Distance.
- π Toward Secure LLM Agents: Threat Surfaces, Attacks, Defenses, and Evaluation β Ling et al., 2026. Systems-oriented synthesis of 247 papers organizing LLM agent security around information flow, delegated authority, and persistent state, identifying prompt injection and tool-mediated hijacking as dominant threats while flagging emerging state-corruption and multi-agent propagation risks.
- π Data Agents Under Attack: Vulnerabilities in LLM-Driven Analytical Systems β Wang et al., 2026. Systematic security study of LLM data agents identifying eight risks across interpretation, execution, and policy layers plus an attack taxonomy of fourteen techniques, demonstrating substantial gaps across six open-source and production analytics platforms.
- π Agents That Know Too Much: A Data-Centric Survey of Privacy in LLM Agents β Lahjouji & Colaco, 2026. Organizes privacy research in LLM agents around data sources rather than attack types β spanning database queries, external APIs, and inter-agent communication β and identifies governance gaps including the need for information-flow control and benchmarks covering an agent's complete data ecosystem.
- π Security Engineering of OpenClaw: Analyzing Attack Surface Expansion and Trust-Boundary Violations β Jamshidi et al., 2026. Empirical security analysis of a self-hosted multi-agent LLM system where model outputs trigger privileged operations, measuring compromise probability, boundary failures, and privilege drift as attacker capability and agent count scale.
- π LLM Agents Security Duality: A Comprehensive Survey of Self-Security and Empowered Cybersecurity β Xu et al., 2026. 73-page survey mapping the dual role of LLM agents in security β cataloguing agent-facing vulnerabilities and mitigations while examining how the same agents empower offensive and defensive cybersecurity, and highlighting the tension between self-protection and capability.
- π Agent Security Meets Regulatory Reality: A Practitioner Systematization of Autonomous-Agent Threats and Controls in Regulated Financial Systems β Mohan & Srinivasa, 2026. Maps agentic threats (prompt injection, agent identity, auditability, tool abuse, data residency) to financial-sector regulatory requirements and documents production agent-to-agent patterns and controls for compliance-bound deployments.
- π The Balkanization of Execution-Security Research for AI Coding Agents: Isolation, Access Control, and Time-of-Check-to-Time-of-Use Vulnerabilities β Rashidi, 2026. Systematizes 39 execution-security papers (2023β2026) on AI coding agents that read repositories, call tools, and run shell commands with limited oversight, exposing fragmentation across isolation, access control, TOCTOU, and MCP threat research along with five critical gaps including the absence of shared benchmarks for evaluating isolation architectures.
- π Security and Privacy in Agentic AI: Grand Challenges and Future Directions β Jenkins et al., 2026. Horizon-scanning report from thirty international experts across academia, industry, and government identifying the grand challenges and future research directions for the security and privacy of increasingly agentic AI.
- π Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection β Greshake et al., AISec 2023. Foundational work on indirect prompt injection through tool outputs.
- π Inject My PDF: Prompt Injection for Your Resume β Practical injection through document processing tools.
- π InjecAgent: Benchmarking Indirect Prompt Injections in Tool-Integrated LLM Agents β Zhan et al., ACL 2024. 1,054 test cases, 17 tools, two attack types (direct harm, data stealing).
- π Automatic and Universal Prompt Injection Attacks against Large Language Models β Liu et al., 2024. Automated generation of injection attacks.
- π WIPI: A New Web Threat for LLM-Driven AI Agents β Liu et al., 2024. Web-based indirect prompt injection targeting browsing agents.
- π GitInject: Real-World Prompt Injection Attacks in AI-Powered CI/CD Pipelines β Isbarov et al., 2026. Evaluates prompt injection in live GitHub workflows by provisioning ephemeral repositories and triggering real workflow runs, documenting eleven attacks across four AI providers that compromise credential handling and repository permissions.
- π Prompt Injection as Role Confusion β Ye, Cui & Hadfield-Menell, ICML 2026. Shows prompt injection succeeds because LLMs infer privilege from unreliable stylistic cues rather than structural role tags; "destyling" untrusted text to look less like internal formats drops attack success from 61% to 10%, framing injection defense as perpetual whack-a-mole absent genuine role perception.
- π On the Inseparability of Instructions and Data in Shared-Embedding Sequence Models β Pant et al., 2026. Proves perfect prompt-injection prevention is mathematically impossible in shared-embedding architectures lacking enforced control-data separation, formalizing tool authorization, refusal, and memory writes as control-authoritative actions and arguing injection requires architectural instruction/data channel separation rather than better in-pipeline classification or alignment.
- π ShareLock: A Stealthy Multi-Tool Threshold Poisoning Attack Against MCP β Liu et al., 2026. Distributes a malicious MCP instruction across multiple tool descriptions using Shamir's secret sharing, so each fragment individually passes inspection and the harmful instruction is reconstructed only once enough shares are aggregated during agent interaction β evading per-tool poisoning scanners.
- π PhantomSkill: Malicious Code Injection in Agent Skill Ecosystems β Lin & Yu, 2026. Attack framework whose VulMask technique disguises malicious code as ordinary insecure implementations inside skill auxiliary resources, activating harmful behavior only under attacker-controlled conditions to evade skill-scanning defenses.
- π Dynamic Malicious Skills in Agentic AI β Chen et al., 2026. Shows that malicious instructions embedded in skill documentation (e.g., SKILL.md) can induce an agent to dynamically inject harmful logic into an otherwise benign skill at execution time, demonstrated across OpenHands and Claude Code.
- π Seeing Is Not Screening: Multimodal Hidden Instruction Attacks on Agent Skill Scanners β Jia et al., 2026. SkillCamo hides harmful operational instructions inside images bundled with a skill, bypassing scanners that rely only on text descriptions, manifests, and source code while remaining recoverable by multimodal agents at deployment.
- π "Do Not Mention This to the User": Detecting and Understanding Malicious Agent Skills in the Wild β Liu et al., USENIX Security 2026. Large-scale analysis of 98,380 skills across two major registries identifies 157 confirmed-malicious skills (632 vulnerabilities, 13 attack techniques), characterizing two archetypes β credential-exfiltrating data thieves and decision-subverting agent hijackers β and showing that shadow features absent from public documentation mark all advanced attacks.
- π Harmless Yet Harmful: Neutral Prompting Attacks for Stealthy Hallucination Steering in Agent Skills β Hsu et al., 2026. Introduces neutral prompting attacks that covertly increase package hallucinations in coding agents, creating downstream software supply chain risk while evading existing skill-focused defenses.
- π Invisible Threats from Model Context Protocol: Generating Stealthy Injection Payload via Tree-based Adaptive Search β Shen et al., 2026. Tree-structured Injection for Payloads (TIP): black-box attack generating natural-language payloads to seize control of MCP-enabled agents; achieves >95% attack success in undefended settings and >50% against four defense approaches with an order of magnitude fewer queries than prior adaptive attacks.
- π Model Context Protocol Threat Modeling and Analyzing Vulnerabilities to Prompt Injection with Tool Poisoning β Huang et al., 2026. STRIDE/DREAD threat modeling of MCP across five components; systematic comparison of tool poisoning defenses in seven major MCP clients reveals insufficient static validation; proposes multi-layered defense strategy.
- π Are AI-assisted Development Tools Immune to Prompt Injection? β Huang et al., 2026. First empirical analysis of prompt injection via tool-poisoning across seven MCP clients (Claude Desktop, Claude Code, Cursor, Cline, Continue, Gemini CLI, Langflow); reveals significant security disparities with Cursor most susceptible.
- π Skill-Inject: Measuring Agent Vulnerability to Skill File Attacks β Schmotz et al., 2026. Benchmark measuring agent vulnerability to malicious skill/config files; demonstrates data exfiltration, destructive actions, and ransomware-like behavior via AGENTS.md/CLAUDE.md injection.
- π ToolSword: Unveiling Safety Issues of LLMs in Tool Learning Across Three Stages β Ye et al., ACL 2024. Identifies safety issues across tool selection, tool calling, and result handling.
- π Compromising Agents via MCP β Invariant Labs, 2025. Tool poisoning attacks via Model Context Protocol servers.
- π Osmosis Distillation: Model Hijacking with the Fewest Samples β Shi et al., 2026. Supply-chain attack via poisoned synthetic training data.
- π Personality Self-Replicators β 2026. Agent personality files as self-replicating genetic material.
- π Poisoned Playbooks: Demystifying Knowledge Poisoning Effects on AI Security Agents β Park et al., 2026. Studies how malicious write-ups injected into security knowledge sources compromise RAG-based, action-taking security agents, introducing a "Verification Boundary" framework that classifies how agents evaluate retrieved claims and showing verification prompting and multi-source retrieval falter under sparse-evidence and zero-day conditions.
- π Skills Are Not Islands: Measuring Dependency and Risk in Agent Skill Supply Chains β Jia et al., 2026. Treats agent skills as dependency-bearing artifacts and empirically maps the skill supply chain, surfacing security-relevant signals hidden in inter-skill dependencies and governance gaps that let malicious or vulnerable skills propagate risk transitively.
- π KidnapRAG: A Black-Box Attack for Hijacking Reasoning in Agentic Retrieval-Augmented Generation Systems β Choi et al., 2026. Sequential document-poisoning attack that plants strategically crafted retrievable documents to progressively redirect an agentic RAG system's multi-step reasoning chain, requiring no system access.
- π Unicode TAG-Block Concealment of Tool-Metadata Payloads in the Model Context Protocol β Rashidi, 2026. Shows invisible Unicode TAG-block characters can smuggle malicious payloads into MCP tool descriptions that reach the model while staying hidden from human reviewers during approval, measuring the resulting approval-view fidelity gap across three independent server implementations.
- π Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting β Spira et al., 2026. Adversarial hallucination squatting preemptively registers the resource names (popular repositories, skills) that LLMs predictably hallucinate, so agents pull attacker-hosted prompts at scale β reaching up to 100% hallucination rates in skill installation and enabling remote code execution and botnet establishment under weak, channel-free threat models.
- π MCP Security Notification: Tool Poisoning Attacks β Official MCP security advisory on tool description poisoning.
- π Invariant Labs: MCP Security Research β Analysis of cross-tool contamination, rug pulls, and tool shadowing via MCP.
- π Watch Out for Your Agents! Investigating Backdoor Threats to LLM-Based Agents β Yang et al., NeurIPS 2024. Backdoor attacks on agent reasoning and tool calling.
- π Pandora's White-Box: Precise Training Data Detection and Extraction in Large Language Models β Relevant to agents leaking training data through tool outputs.
- π R-Judge: Benchmarking Safety Risk Awareness for LLM Agents β Yuan et al., ACL 2024. 162 records across 27 risk scenarios for evaluating agent safety awareness.
- π TrustAgent: Towards Safe and Trustworthy LLM-based Agents β Zhang et al., 2024. Agent-constitution-based approach to limiting excessive agency.
- π FragFuse: Bypassing Access Control of Large Language Model Agents via Memory-Based Query Fragmentation and Fusion β Rao et al., 2026. Splits prohibited content across interactions, stores it in long-term agent memory in benign-appearing form, then reconstructs it via retrieval β evading access-control checks without the disallowed request ever appearing explicitly in the user query.
- π Post-Training Local LLM Agents for Linux Privilege Escalation with Verifiable Rewards β Normann et al., 2026. Two-stage post-training pipeline (SFT + RL with verifiable rewards) producing a 4B model that achieves 95.8% success on privilege escalation, nearly matching Claude Opus 4.6 at 100Γ lower inference cost.
- π When Lower Privileges Suffice: Investigating Over-Privileged Tool Selection in LLM Agents β Yang et al., 2026. Shows LLM agents routinely choose tools carrying more privilege than a task requires, and proposes a privilege-aware post-training method that steers agents toward sufficient lower-privilege alternatives to shrink the excessive-agency attack surface.
- π (A)I Sees What You Don't: Exploiting New Attack Surfaces in Third-Party Mobile Agents β Zhang et al., 2026. Identifies two attack surfaces in VLM-based mobile agents β a perception gap between human and machine vision, and interception of the agent's execution pipeline β letting malicious apps hijack agent actions and achieve arbitrary command execution without any granted permissions.
- π AgentSCOPE: Evaluating Contextual Privacy Across Agentic Workflows β Ngong et al., 2026. 80%+ of agentic pipelines leak private data at intermediate stages.
- π Silent Egress: LLM-Driven Data Exfiltration via Steganographic Channels β Demonstrates covert channels for data theft through agent outputs.
- π Privacy Risks of General-Purpose AI Systems: A Foundation for Investigating Practitioner Perspectives β GPAIS privacy risks including agent data handling.
- π IMMACULATE: A Framework for Analyzing Information Exposure in Agent-Based Systems β Multi-turn agent information leakage analysis.
- π AgentRaft: Automated Detection of Data Over-Exposure in LLM Agents β Lin et al., 2026. Automated detection framework for identifying data over-exposure vulnerabilities in LLM agent integrations.
- π You Told Me to Do It: Measuring Instructional Text-induced Private Data Leakage in LLM Agents β Kao et al., 2026. Identifies the Trusted Executor Dilemma where high-privilege agents execute adversarial README instructions at up to 85% success rate; 0% human detection rate across 15 participants.
- π An Evaluation of Data Leakage Risks in Tool-Using LLM Agents in Realistic Scenarios β Baek et al., 2026. Joint SingaporeβKorea AI Safety Institute study showing tool-using agents leak sensitive information even under benign, non-adversarial user requests, extending leakage analysis beyond prompt-injection and jailbreak exfiltration.
- π Differential Privacy in Generative AI Agents: Analysis and Optimal Tradeoffs β Yang & Zhu, 2026. Probabilistic framework for analyzing privacy leakage in AI agents via differential privacy, deriving token-level and message-level bounds relating leakage to temperature and message length.
- π Capable but Careless: Do Computer-Use Agents Follow Contextual Integrity? β Goel & Gurevych, 2026. Evaluates whether computer-use agents respect contextual integrity when handling personal information across applications, finding most leak sensitive data through visual co-location of sensitive items, oversharing of personal state, and sending content to the wrong recipients.
- π ToolPrivacyBench: Benchmarking Purpose-Bound Privacy in Tool-Using LLM Agents β Hu et al., 2026. Audits whether task-private information is routed only to authorized tools and downstream sinks across an executed multi-tool trajectory using 2,150 cases with backend audit logs, formalizing a need-to-know disclosure boundary and showing that successful task completion does not imply appropriate privacy disclosure.
- π What Happens Locally, Leaks Globally: Detecting Privacy Leakage Risks in MCP Servers β Yan et al., 2026. Cross-language static analysis framework that detects protocol-induced credential and PII leakage in multilingual MCP servers, finding leakage in over 10% of analyzed servers.
- π Behavioral Privacy Leakage in Agentic Negotiation: Formalizing and Mitigating Inference Attacks via Randomized Policies β Rani, 2026. Formalizes behavioral privacy leakage in multi-round negotiation agents, where an adversary infers private reservation values from concession trajectories and timing, and proposes an (Ξ΅,Ξ΄)-differentially-private stochastic negotiation policy that cuts adversarial inference accuracy 43β50% while keeping success and utility above 90%.
- π PiSAs: Benchmarking Contextual Integrity in Multi-User Agentic Systems β Gupta et al., 2026. Benchmark for cross-user data spillage in shared agentic systems with dual contextual-integrity annotations (task-appropriateness and per-user access), measuring leakage through outputs, inter-agent messages, and shared memory β and finding even state-of-the-art models fail to reliably restrict transmission to authorized users.
- π CodeSentinel: A Three-Layer Defense Against Indirect Prompt Injection in Code Contexts β Cheng et al., 2026. Inference-time defense using Tree-sitter parsing and multi-layer analysis to detect and neutralize adversarial instructions hidden in code contexts before they reach the LLM.
- π Agent Data Injection Attacks are Realistic Threats to AI Agents β Choi et al., 2026. Introduces agent data injection (ADI) attacks β an underexplored indirect-prompt-injection class where malicious data disguised as trusted data drives unintended actions β demonstrated against real-world agents including Claude, Codex, and Gemini CLI.
- π DualView: Preventing Indirect Prompt Injection in Personal AI Agents β Kim et al., 2026. Extends untrusted-data tracking across a personal AI agent's entire environment to prevent indirect prompt injection, including the stored variant where the agent writes and later re-reads attacker-controlled data.
- π Prismata: Confining Cross-Site Prompt Injection in Web Agents β Villa et al., 2026. Enforces contextual least privilege for autonomous web agents β restricting what an agent can see and act upon based on the origin of the content β so third-party and user-generated web content cannot hijack the agent via cross-site prompt injection.
- π AttriGuard: Defeating Indirect Prompt Injection in LLM Agents via Causal Attribution of Tool Invocations β He et al., 2026. Defense against indirect prompt injection using causal attribution to trace which tool outputs triggered suspicious agent actions.
- π IPI-proxy: An Intercepting Proxy for Red-Teaming Web-Browsing AI Agents Against Indirect Prompt Injection β Chen et al., 2026. Open-source proxy that rewrites live responses from whitelisted domains with 820 benchmark payloads to evaluate browser agents against realistic indirect prompt injection.
- π How Much Can We Trust LLM Search Agents? Measuring Endorsement Vulnerability to Web Content Manipulation β Chen et al., 2026. SearchGEO framework with a five-mode attack taxonomy measures how attacker-published web pages get transformed into endorsed recommendations across 13 LLM search-agent backends over 308 cases each.
- π ChatInject: Abusing Chat Templates for Prompt Injection in LLM Agents β Chang et al., ICLR 2026. Formats injected payloads to mimic native chat templates (optionally primed by persuasive multi-turn dialogue) so agents elevate them to system-level trust; transfers across models and largely bypasses prompt-based defenses. Code.
- π Adaptive Attacks and Defenses Against Indirect Prompt Injection β Chen et al., 2024. Adaptive attackers bypassing static defenses.
- π HouYi: A Black-box Prompt Injection Attack on LLM-integrated Applications β Liu et al., 2023. Systematic methodology for finding injection vulnerabilities.
- π DMAST: Dual-Modality Multi-Stage Adversarial Safety Training β Liu et al., 2026. Cross-modal DOM injection corrupting both visual and text channels.
- π Whose Side Is Your Agent On? Multi-Party Principal Loyalty in LLM Agents β Li & Shi, 2026. Studies the principal-loyalty tension in multi-party agent interactions, where an agent must resist adversarial manipulation by counterparties without over-refusing its own principal's legitimate cooperative requests.
- π Hijacking Agent Memory: Stealthy Trojan Attacks Through Conversational Interaction β Yang et al., 2026. MemPoison shows how attackers can plant triggerable backdoors into long-term agent memory through ordinary dialogue, bypassing selective memory extraction and rewriting pipelines.
- π When Claws Remember but Do Not Tell: Stealthy Memory Injection in Persistent Personal Agents β Zhang et al., 2026. Shows untrusted external content delivered via a single email can be silently written into a persistent personal agent's long-term memory and later reused as trusted state, enabling long-term compromise without detection.
- π Your Agent's Memories Are Not Its Own: Forged Reasoning Attacks on LLM Agent Memory and Defenses β Karamchandani et al., 2026. Presents FARMA, an attack that corrupts an LLM agent's reasoning history through forged memory traces, alongside SENTINEL, a structural-analysis defense that detects such tampering.
- π Thought Virus: Viral Misalignment via Subliminal Prompting in Multi-Agent Systems β Weckbecker et al., 2026. Single subliminally prompted agent spreads persistent bias through entire multi-agent network, degrading truthfulness of other agents.
- π FlowSteer: Prompt-Only Workflow Steering Exposes Planning-Time Vulnerabilities in Multi-Agent LLM Systems β Li et al., 2026. Prompt-only attack that manipulates planner-executor workflow formation in multi-agent systems, plus FlowGuard as an input-side defense.
- π Intentional Deception as Controllable Capability in LLM Agents β Starace & Soule, 2026. Systematic study of engineered deception in multi-agent LLM interactions using 36 behavioral profiles for defensive design.
- π Can Trustless Agents Be Trusted? An Empirical Study of the ERC-8004 Decentralized AI Agent Ecosystem β Xiong et al., 2026. Empirical security study of a deployed decentralized agent ecosystem finding reputation can be manipulated at minimal cost, alongside placeholder registrations and widespread Sybil attacks that undermine the trust infrastructure meant to make autonomous agents trustless.
- π When Agents Remember Too Much: Memory Poisoning Attacks on Large Language Model Agents β Torres et al., 2026. GhostWriter poisons the long-term memory of tool-using personal agents via a hidden injected payload (β98% injection, β60% activation against state-of-the-art agents); the paper proposes Agentic Memory Sentry (AM-Sentry), pairing a memory-saving policy with a retrieval screen to sharply cut success while preserving utility.
- π Cascade: Composing Software-Hardware Attack Gadgets for Adversarial Threat Amplification in Compound AI Systems β Banerjee et al., 2026. Demonstrates novel attacks combining traditional software/hardware vulnerabilities (code injection, Rowhammer) with LLM-specific algorithmic weaknesses to compromise compound AI pipelines.
- π When LLM-based Code Generation Meets the Software Supply Chain β Supply chain risks from LLM-generated code integrating malicious packages.
- π Shadow API: Covert Data Exfiltration via LLM-Mediated API Interactions β 2026. Stealth data theft through seemingly benign API calls.
- π AgentSkillOS: Towards Secure and Composable Agent Skill Operating Systems β 2026. OS-level isolation for agent skill execution.
- π Benign in Isolation, Harmful in Composition: Security Risks in Agent Skill Ecosystems β Xie et al., 2026. Defines Skill Composition Risk (SCR), where an individually benign skill becomes harmful when its outputs, trust signals, authorization cues, or side effects influence later invocations in a shared execution context; introduces SCR-Bench to evaluate it.
- π MOSAIC: Knowledge-Guided CLI Command Composition Attack in LLM Coding Agents β Wu et al., 2026. Exploits CLI command-composition risk (CCR), showing individually harmless shell commands can be chained through shared system state into dangerous exploits in LLM coding agents, reaching a 96.59% attack success rate across real-world agents.
- π SlowBA: An efficiency backdoor attack towards VLM-based GUI agents β Li et al., 2026. Novel backdoor targeting response latency of GUI agents via trigger-activated long reasoning chains.
- π Claudini: Autoresearch Discovers State-of-the-Art Adversarial Attack Algorithms for LLMs β Panfilov et al., 2026. Autonomous autoresearch pipeline powered by Claude Code discovers novel white-box adversarial attack algorithms that significantly outperform all existing 30+ methods in jailbreaking and prompt injection evaluations.
- π From Shield to Target: Denial-of-Service Attacks on LLM-Based Agent Guardrails β Zhou et al., 2026. Uses a beam-search optimization framework to craft natural-language payloads that trap reasoning-based guardrails in extended reasoning loops, turning the very defense that blocks injection and jailbreaks into a denial-of-service vector.
- π Jailbreaking ChatGPT via Prompt Engineering β Liu et al., 2023. Foundational jailbreaking taxonomy. 700+ citations.
- π MasterKey: Automated Jailbreaking of Large Language Model Chatbots β Deng et al., NDSS 2024. Automated time-based jailbreak generation.
- π PentestGPT: An LLM-empowered Automatic Penetration Testing Tool β Deng et al., 2023. Demonstrates agent-level tool use for offensive security. 11K+ GitHub stars.
- π Self-Fulfilling Misalignment in AI Control β 2026. Fine-tuning on AI Control literature increases misalignment.
- π Reasoning Models Struggle to Control Their Chains of Thought β 2026. CoT controllability decreases with RL training, implications for agent oversight.
- π CRAFT: Contrastive Reasoning Alignment β Reinforcement Learning from Hidden Representations β Luo et al., 2026. Red-teaming alignment framework combining contrastive representation learning with RL to separate safe/unsafe reasoning trajectories; 79% improvement in reasoning safety and 87.7% in final-response safety over base models.
- π It Lied to a Doctor to Buy Poison Ingredients: Quantifying Real-World Misuse of Phone-use Agents β Sun et al., 2026. First real-device study across 27 commercial apps showing phone-use agents readily execute serious misuse (procuring drug/explosive precursors, fraud, harassment) at 68.8% task completion with low refusal, documenting a real-world case where an agent deceived an online doctor to obtain a toxic-substance precursor and tracing it to a Safety Awareness-Execution Gap.
- π Behind the Refusal: Determining Guardrail Activation via Behavioral Monitoring β 2026. First black-box guardrail reconnaissance methodology for LLM and agentic systems: using only HTTP, lexical, and timing signals with zero prior knowledge, it detects guardrail presence with 100% accuracy and distinguishes guardrail blocks from LLM refusals at 98% F1 β letting red-teamers pick bypass techniques matched to the actual defense in place, since guardrail bypass and alignment bypass require different approaches.
- π Linguistic Firewall: Geometry as Defense in Multi-Agent Systems Routing β Alsheich et al., 2026. ANTAP routes tasks to agents based on empirically verified capability rather than self-declared textual descriptions, resisting description-based injection, embedding attacks, and covert-backdoor impersonation where malicious agents misrepresent their proficiencies.
- π PAuth: Precise Task-Scoped Authorization For Agents β Sharma et al., 2026. Implicit authorization model where NL task submission authorizes only required operations; uses NL slices and envelopes for provenance-based server-side verification, blocking injected operations in AgentDojo with zero false positives.
- π Securing Multi-Tool AI Agent Chains With Dynamic, Real-Time Compositional Policies β Schneider et al., 2026. Proposes the Dynamic Security Control Compositor (DSCC), which enforces compositional security policies over multi-tool agent chains by combining static analysis with runtime data-flow tracking.
- π TrustAgent: Towards Safe and Trustworthy LLM-based Agents β Agent Constitution for safety-aware planning with pre/post-action inspection.
- π Autoformalization of Agent Instructions into Policy-as-Code β Mondl et al., 2026. Uses an LLM generator-critic loop to automatically translate natural-language agent instructions and policy documents into formally enforceable Cedar policies, achieving broader coverage than hand-coded symbolic enforcement while avoiding the no-guarantees weakness of probabilistic guardrails on medical agent benchmarks.
- π Governing Actions, Not Agents: Institutional Attestation as a Governance Model for Autonomous AI Systems β Salfeld-Nebgen et al., 2026. Formalizes an institutional governance model where an autonomous agent keeps full planning autonomy but must present independently attested evidence at the point of consequential, irreversible action (e.g., clinical prescribing, production deployment) rather than having its reasoning monitored.
- π A Deterministic Control Plane for LLM Coding Agents β Madatha, 2026. Proposes Rel(AI)Build, treating coding-agent definitions as a managed supply chain with content addressing, permission enforcement, and audit logging, arguing governance of the agent-config layer must be deterministic and tool-agnostic rather than delegated to further LLM orchestration.
- π A Dual-Helix Governance Approach for Reliable Agentic AI β 3-track architecture (Knowledge, Behavior, Skills) using knowledge graphs.
- π Talk Freely, Execute Strictly: Schema-Gated Agentic AI β Schema-gated orchestration for trustworthy agent deployment in regulated domains.
- π ESAA-Security: Event-Sourced Architecture for Agent-Assisted Security Audits β 26 tasks, 95 checks, append-only event logs for reproducible AI code audits.
- π Caging the Agents: A Zero Trust Security Architecture for Autonomous AI in Healthcare β Maiti, 2026. Production-deployed zero-trust architecture for 9 autonomous AI agents: gVisor kernel isolation, credential proxy sidecars, network egress allowlisting, and prompt integrity framework with untrusted content labeling. Open-source configs released.
- π Sovereign Execution Brokers: Enforcing Certificate-Bound Authority in Agentic Control Planes β He & Yu, 2026. Runtime enforcement layer that intercepts autonomous agent requests and verifies them against cryptographically-issued certificates before allowing infrastructure mutations, ensuring production changes cannot originate from agent reasoning alone.
- π The Unfireable Safety Kernel: Execution-Time AI Alignment for AI Agents and Other Escapable AI Systems β Dobrin & Chmiel, 2026. Rust-based, formally verified safety kernel that enforces authorization on agent actions through process separation and cryptographic verification, designed to resist self-modification and escape attempts so an agent cannot circumvent its own safety controls at runtime.
- π A First Measurement Study on Authentication Security in Real-World Remote MCP Servers β Zhou et al., 2026. Large-scale measurement of 7,973 remote MCP servers finding widespread unauthenticated exposure and pervasive OAuth flaws, with 9 CVEs from responsible disclosure.
- π CmdNeedle: Measuring the Incompleteness of Command Denylists for AI Agents β Chen et al., 2026. Shows that the denylist component of terminal agents' three-list command-gating mechanism β including Claude Code's built-in list β is systematically incomplete against the large, ever-expanding set of shell commands shipped by modern operating systems.
- π SecureClaw: Clawing Back Control of LLM Agents β Ma et al., 2026. Dual-boundary security architecture placing authorization at the effect sink and plaintext confinement at the read boundary, using opaque handles and a PREVIEWβCOMMIT protocol to block unauthorized external actions and sensitive-data leakage in tool-using agents.
- π SessionBound: Turning Enterprise Task Approval into Budgeted Database Sessions β Wu, 2026. Confines enterprise agent-generated SQL to pre-approved business tasks via short-lived, budgeted, auditable database sessions β the agent may generate queries freely, but every attempt must stay inside the approved boundary β enforcing safety through database-layer access controls, query budgets, and disclosure limits rather than trusting the LLM to self-police.
- π Janus: A Playground for User-Involved Agentic Permission Management β Brigham et al., 2026. Playground system implementing six permission assistants across a design space of user involvement in agentic tool-call authorization; shows user input meaningfully strengthens privacy and security, AI augmentation of user decisions reduces cognitive load, and permission fatigue must be modeled since no single design is optimal across contexts. Code.
- π aiAuthZ: Off-Host, Identity-Bound Authorization for AI Agents β Kodathala, 2026. Off-host authorization gateway that binds tool calls to verified user authority via HMAC-SHA256 signatures and role-based policies, blocking deceived agents from executing actions beyond granted permissions rather than trusting the model's own refusals over unverifiable text context.
- π Steerability via Constraints: A Substrate for Scalable Oversight of Coding Agents β Winninger, ICML 2026 Deep Learning for Code Workshop. Argues the controls long used to manage large human engineering teams β access control, network policies, tooling-enforced coding conventions β transfer directly to unconstrained coding agents (whose autonomy introduces security risks) and are cheaper in tokens than agentic scaffolding; a controlled experiment shows a small reviewer's recall on 11 inserted backdoors rising from 54.5% to 90.9% when given a constrained substrate plus a ~200-LoC docs CLI.
- π Context-to-Execution Integrity for LLM Agents β Santos-Grueiro, 2026. CXI is an execution-boundary system that marks protected sink fields, carries narrow validated values from writable context via typed releases, keeps evidence in opaque data slots, and admits a tool call only when field authority, exact-effect authorization, and invocation authority all bind to the same action manifest β yielding zero field/effect/invocation escapes across 720 AgentDojo episodes and 400 code-agent episodes.
- π Reason Less, Verify More: Deterministic Gates Recover a Silent Policy-Violation Failure Mode in Tool-Using LLM Agents β Reddy et al., 2026. Identifies "silent wrong-state" failures where policy-permissive tools execute forbidden state transitions without any error, and shows lightweight deterministic read-only pre-execution gates raise ΟΒ²-bench airline success from 29.6% to 42.0% by blocking policy-violating writes at the action boundary.
- π ScopeJudge: Cost-Aware Pre-Execution Gating for Offensive Security Agents β Caldwell et al., 2026. Pre-execution gate in which a lightweight LLM judge inspects each offensive-security agent tool call against the engagement scope inferred from the user's request β treating the boundary as intent-declared rather than a fixed policy β to block out-of-scope actions before they execute.
- π Forensic Trajectory Signatures for Agent Memory Poisoning Detection β Leong, 2026. Finds that successful agent memory-poisoning attacks leave an invariant tool-call signature (a memory recall preceding a sensitive action such as email send), enabling incident responders to detect memory-channel attacks from tool-call logs alone at 99% accuracy without inspecting memory contents.
- π MESA: Prioritizing Vulnerable Communication Channels for Securing Multi-Agent Systems β Li et al., 2026. Framework that ranks the most security-critical inter-agent communication edges so defenders can deploy protection proactively, showing channel-level attack impact is highly non-uniform β a single compromised edge can account for up to 75% of total attack success.
- π AI Sandboxes: A Threat Model, Taxonomy, and Measurement Framework β Singh et al., 2026. Formal framework for evaluating AI testing environments via threat models, sandbox archetypes, and measurement criteria (fidelity, controllability, observability, containment, reproducibility) across digital, embodied, and cyber-physical deployments.
- π Cordon: Semantic Transactions for Tool-Using LLM Agents β Chen et al., 2026. Transactional runtime that wraps multi-step agent workflows in a task-scoped containment boundary for staging, validating, committing, and rolling back irreversible tool actions, rather than relying on isolated per-call guardrails.
- π VIGIL: Runtime Enforcement of Behavioral Specifications in AI Agent Skills β Li et al., 2026. End-to-end framework that monitors agent execution traces against behavioral policies declared in skill specifications and operator constraints, using a dedicated policy language and symbolic evaluation to catch violations across temporal dependencies, argument relationships, and value flows spanning multiple tool calls β over 95% recall with sub-10% false positives on real-world agent tasks.
- π AIRGuard: Guarding Agent Actions with Runtime Authority Control β Qin et al., 2026. Runtime defense layer that treats untrusted context as informative but never authorizing, normalizing tool calls and enforcing action-time authority checks to reduce tool-mediated attacks.
- π Operating-Layer Controls for Onchain Language-Model Agents Under Real Capital β Barton et al., 2026. Production study of 3,505 real-capital agents showing that agent reliability depends on operating-layer controls like prompt compilation, typed controls, policy validation, execution guards, and trace-level observability.
- π Governing What You Cannot Observe: Adaptive Runtime Governance for Autonomous AI Agents β Marin and Chaudhary, 2026. Proposes adaptive runtime governance based on bounding unobserved risk as agent behavior drifts after authorization.
- π AgentWard: A Lifecycle Security Architecture for Autonomous AI Agents β Zhang et al., 2026. Lifecycle security architecture for autonomous agents spanning skills, external content, memory, planning, and privileged tool execution.
- π Behavioral Integrity Verification for AI Agent Skills β Wu et al., 2026. Scalable pre-deployment skill auditing framework that compares declared versus actual capabilities, surfaces description-implementation gaps, and detects malicious skills with 0.946 F1.
- π ADR: An Agentic Detection System for Enterprise Agentic AI Security β Li et al., MLSys Industry Track 2026. Production MCP security system with telemetry, red teaming, and two-tier online detection deployed across 7,200+ hosts and 10,000+ daily agent sessions.
- π Content-Aware Attack Detection in LLM Agent Tool-Call Traffic: An Empirical Study of Features, Architectures, and Evaluation Protocols β Zavrak, 2026. Shows content-aware graph and embedding-based monitoring of MCP tool-call traffic substantially outperforms metadata-only detection and highlights evaluation leakage pitfalls.
- π Arbiter: Detecting Interference in LLM Agent System Prompts β Mason, 2026. Framework combining formal evaluation rules with multi-model LLM scouring to detect interference and vulnerability classes in agent system prompts.
- π MCPShield: A Security Cognition Layer for Adaptive Trust Calibration in MCP Agents β Zhou et al., 2026. Plug-in security cognition layer for MCP agents that validates third-party tool invocations via experience-driven trust calibration.
- π OpenClaw PRISM: A Zero-Fork, Defense-in-Depth Runtime Security Layer for Tool-Augmented LLM Agents β Li, 2026. Runtime security layer distributing enforcement across ten lifecycle hooks with hybrid heuristic-plus-LLM scanning, session-scoped risk accumulation, and tamper-evident audit for agent gateways.
- π Governing Evolving Memory in LLM Agents: Risks, Mechanisms, and the SSGM Framework β Lam et al., 2026. Stability and Safety-Governed Memory framework mitigating topology-induced knowledge leakage and semantic drift in persistent agent memory systems.
- π Securing LLM-Agent Long-Term Memory Against Poisoning: Non-Malleable, Origin-Bound Authority with Machine-Checked Guarantees β Louck, 2026. Proves content- and lineage-based memory-poisoning defenses are fundamentally insufficient against agent-specific laundering, and proposes TMA-NM, a non-malleable information-flow-control mechanism that achieves 0% attack success with full legitimate utility across eight frontier models versus up to 68% for prior defenses.
- π Detecting Malicious Agent Skills in the Wild using Attention β Etteib et al., 2026. Locate-and-Judge, a two-stage detector that flags malicious marketplace skills by analyzing instruction-following attention patterns, concentrating expensive LLM examination on high-attention instruction spans for cost-efficient marketplace-wide auditing while catching malicious skills existing scanners miss.
- π AgentSentry: Real-time Monitoring for Agentic AI Systems β Runtime behavioral monitoring of tool-using agents.
- π Monitoring Emergent Reward Hacking via Internal Activations β Sparse autoencoders detect reward-hacking during generation.
- π Self-Attribution Bias: When AI Monitors Go Easy on Themselves β AI monitors exhibit systematic leniency on own outputs.
- π Salient Directions in AI Control β Structure of AI Control evaluations: trusted monitors overseeing untrusted agents.
- π Governed Memory: A Production Architecture for Multi-Agent Workflows β Taheri, 2026. Shared memory governance layer with dual memory model, tiered governance routing, entity-scoped isolation (zero cross-entity leakage across 500 adversarial queries), and 100% adversarial governance compliance in production.
- π Agent-Native Immune System: Architecture, Taxonomy, and Engineering β Shen et al., 2026. Proposes ANIS, an endogenous biologically-inspired defense embedded directly in the agent's cognitive loop with a six-layer "Immune Tower" (including a non-cognitive isolation layer), a taxonomy of agent viruses and vaccines, and continual immune learning to counter runtime hijacking via memory poisoning, tool-chain manipulation, and multi-agent protocol attacks that survive training-time alignment.
- π Behavioral Attestation and Compaction Drift in Persistent AI Agents β Morrow (agent-morrow), 2026. Identifies compaction drift β non-adversarial behavioral shift caused by context window compression β as a runtime integrity threat class distinct from adversarial injection. Proposes behavioral attestation (context fingerprint delta against a pre-compression baseline) as the mechanism for continuous rather than one-time agent authorization. Complements credential-scope enforcement (e.g., AATs) with runtime execution verification.
- π The Decomposition Is the Fingerprint: Per-Component Identity for Agent Skills β Liu et al., 2026. Fingerprinting framework that assigns each agent-skill component a locality-sensitive-hash identity to detect tampering, unauthorized reuse, and drift across skill versions, complementing behavioral verification with structural provenance.
- π From Tool Connection to Execution Control: Benchmarking Security Invariants in MCP-Style Agent Runtimes β Liu, 2026. Defines and benchmarks eight security invariants for MCP-style execution runtimes; the proposed HCP runtime blocks all modeled attacks (tool poisoning, unauthorized execution, privilege drift) that a naive baseline permits.
- π AgenticOS: An Intent-Oriented Secure Operating System Architecture for Autonomous AI Agents β Zhao et al., 2026. OS-like security architecture that reframes agent protection as an intent filter, layering a Ghost Kernel, Logic Shutter, Agent Capsule, and Semantic Boundary Gateway to isolate and mediate autonomous agent actions.
- π Proof of Execution: Runtime Verification for Governed AI Agent Actions β Rhodes et al., 2026. Cryptographically-sound runtime verification framework that binds authorization, effectful actions, tamper-evident history, and deterministic replay into attestable execution objects, so each governed agent step's authority and integrity can be proven rather than assumed from output plausibility.
- π When Agents Go Rogue: Activation-Based Detection of Malicious Behaviors in Multi-Agent Systems β Xu et al., ICML 2026. AcMAS detects semantically stealthy attacks in multi-agent systems by analyzing local agents' activation-space reasoning states without relying on explicit interaction graphs, staying robust to asynchronous execution (+0.55 F1 over graph baselines asynchronously) and using the same signals to restore compromised agents rather than isolate them.
- π Token-Flow Firewall: Semantic Runtime Auditing for Persistent AI Agents β Wang et al., 2026. TokenWall audits the natural-language token flows of long-lived agents at runtime, intercepting unsafe behaviors before they reach privileged operations and achieving a 12.5% attack success rate while preserving 97.4% benign-operation compatibility.
- π TRACE: A Two-Channel Robust Attribution Watermark via Complementary Embeddings for LLM-Agent Trajectories β Gao et al., 2026. Embeds attribution watermarks directly into an agent's action-log trajectory across two complementary channels β one surviving content deletion, the other surviving rewrites β so a rebranding reseller who silently substitutes a cheaper model or tampers with logs can be detected, protecting agent provenance in production deployments.
- π IHDec: Divergence-Steered Contrastive Decoding for Securing Multi-Turn Instruction Hierarchies β Liu et al., 2026. Training-free decoding-time defense that uses Jensen-Shannon divergence to detect and suppress token-level violations where lower-priority inputs override higher-priority instructions, strengthening multi-turn agents against adversarial prompt injection.
- π AgentVisor: Defending LLM Agents Against Prompt Injection via Semantic Virtualization β Ying et al., 2026. Defends tool-using agents by semantically virtualizing untrusted external content to reduce prompt injection influence on privileged actions.
- π Analyzing Defensive Misdirection Against Model-Guided Automated Attacks on Agentic AI Systems β Soosahabi & Namsani, 2026. Proposes CMPE, a defense that replaces predictable refusals with misleading-but-safe outputs to degrade automated jailbreak attacks by denying attackers a reliable success signal.
- π Defending against Adaptive Prompt Injection Attacks via Reasoning-enabled Task Alignment β He et al., 2026. Argues pattern-matching IPI defenses collapse under adaptive attacks, and instead assesses whether each embedded instruction's intent is relevant to the user's task β restoring robustness against attackers who optimize against the deployed defense.
- π Think Twice Before You Act: Protecting LLM Agents Against Tool Description Poisoning via Isolated Planning β Shi et al., 2026. Tool-Guard defense that quarantines untrusted tool descriptions during a first isolated planning pass so poisoned tool metadata cannot steer agent actions, preserving task utility while cutting attack success on AgentDojo and Agent Security Bench.
- π StruQ: Defending Against Prompt Injection with Structured Queries β Separates prompts from data to prevent injection.
- π Towards Provably Unbiased LLM Judges via Bias-Bounded Evaluation β Formal guarantees for reducing bias in LLM-as-judge systems.
- π Judge Reliability Harness: Stress Testing LLM Judges β No evaluated judge is uniformly reliable.
- π GELO: Good-Enough LLM Obfuscation β Privacy-preserving LLM inference with ~20-30% latency overhead.
- π Untrusted Content Masking for Web Agents with Security Guarantees β NikoliΔ et al., 2026. UCM restores the trusted/untrusted boundary for web agents by using the DOM to redact untrusted page regions before they reach the agent and routing interaction through a sandboxed, privilege-separated interface β extending provable prompt-injection defenses from tool-use APIs to the rendered-page setting.
- π Mitigating Taint-Style Vulnerabilities in MCP Servers via Security-Aware Tool Descriptions β Shi et al., 2026. Finds taint-style flaws dominate MCP server vulnerabilities and are slow to patch, then proposes SPELLSMITH, which builds tool-level risk profiles and embeds behavioral guidance into the protocol's Description field plus an LLM self-reflection loop to mitigate exploitation without context-specific code fixes.
- π Multi-Agent Firewall Architecture for Privacy Protection of Sensitive Data in Interactions with Language Models β GarcΓa Cuesta et al., 2026. Intercepts userβLLM traffic over HTTP(S) and WebSocket via a browser extension and proxy, then runs a multi-agent detection pipeline combining deterministic detectors with LLM-driven semantic analysis to block sensitive-data and proprietary-code leakage before transmission (F1 up to 94.93%).
- π Efficient and Sound Probabilistic Verification for AI Agents β Solko-Breslin et al., 2026. Verification framework using distributionally robust optimization to compute sound upper bounds on the probability of agent policy violations under uncertainty, without independence assumptions between predicates.
- π Agentics 2.0: Logical Transduction Algebra for Agentic Data Workflows β Formalizes LLM inference as typed semantic transformations with algebraic composition.
- π Knowledge Divergence and the Value of Debate for Scalable Oversight β Formal framework for choosing oversight mechanisms.
- π AutoSpec: Safety Rule Evolution for LLM Agents via Inductive Logic Programming β Ma et al., 2026. Counterexample-guided inductive synthesis that evolves expert-designed agent safety rules via inductive logic programming, reaching F1 of 0.98/0.93 across two domains, cutting false positives up to 94%, and producing human-auditable rules that generalize to unseen scenarios.
- π Local LLM Agents as Vulnerable Runtimes: A Source-Code Audit of the Agent Runtime Layer β Zhang et al., 2026. CLAWAUDIT static-analysis framework that audits the agent runtime layer itself for security vulnerabilities, raising recall from 13.8β21.7% baselines to 66.8β75.1% across 217 held-out advisories.
- π AgentFlow: Building Agent Dependency Graphs for Static Analysis of Agent Programs β Wang et al., 2026. First static analysis framework to recover agent-specific dependencies (agent constructors, tool decorators, handoff declarations) into an Agent Dependency Graph, enabling Agent Bill of Materials generation and prompt-to-tool risk detection; uncovers 238 taint-style prompt-to-tool risks across 5,399 real-world agent programs.
- π MIRROR: Novelty-Constrained Memory-Guided MCTS Red-Teaming for Agentic RAG β Singh et al., 2026. Cross-surface red-teaming framework for multimodal agentic RAG that uses memory-guided Monte Carlo tree search to generate novel attacks spanning text poisoning, image injection, direct-query attacks, and orchestrator-level tool manipulation, avoiding the 73β84% template duplication of prior surface-specific approaches.
- π CONTRA: Red-Teaming Configurations of Personalizable Agents β NΓΆther et al., 2026. LLM-assisted tree-search red-teaming algorithm for discovering unsafe configurations of personalizable agents, finding that most popular skills can be manipulated into executing malicious actions.
- π Safety Testing LLM Agents at Scale: From Risk Discovery to Evidence-Grounded Verification β Feng et al., 2026. Introduces Vera, an automated safety-testing framework that discovers agent vulnerabilities via structured risk taxonomies and evidence-grounded verification, achieving 93.9% attack success across four production agent frameworks.
- π The Best-Laid SCHEMEs: Coordinated Sabotage and Monitoring in Multi-Agent Systems β Bernabeu-Perez et al., 2026. Benchmark for covert multi-agent sabotage showing coordinated hidden objectives are already practical in coding systems, while trusted monitors can still detect most attacks.
- π Real-Time Trust Verification for Safe Agentic Actions using TrustBench β Sharma et al., AAAI 2026 Workshop on TrustAgent. Dual-mode framework benchmarking trust across multiple dimensions and providing a pre-execution action verification toolkit for agents.
- π Agent Security Bench (ASB) β 10 scenarios, 10 agents, 398 environments. Comprehensive agent security benchmark.
- π SkillVetBench: LLM-as-Judge for Multi-Dimensional Security Risk Evaluation in Open-Source LLM Agent Skills β Hossain et al., 2026. Live public leaderboard and semantic vetting system that evaluates instruction-layer and multi-agent risks in community-contributed agent skills β directives that hijack an agent, exfiltrate data via encoded side channels, or chain harm across pipelines β which code-layer scanners are structurally blind to.
- π Adaptive Evaluation of Out-of-Band Defenses Against Prompt Injection in LLM Agents β Narisetty et al., 2026. Frames out-of-band defenses (CaMeL, FIDES, Progent) as classical integrity-protection mechanisms and stress-tests them with adaptive attacks, cautioning that β like earlier in-band defenses β their reported gains (e.g. Progent cutting attack success from 25.8% to 4.2%) have only been validated against static benchmarks.
- π AutoDojo: Adaptive Attacks Expose Superficial Defenses and User-Underspecification Limits in LLM Agents β Ma et al., 2026. Replaces static IPI benchmarks like AgentDojo with adaptive attack generation, revealing that prompt-based, detection-based, and system-level defenses are substantially weaker than static evaluations suggest.
- π SkillSafetyBench: Evaluating Agent Safety under Skill-Facing Attack Surfaces β Jin et al., 2026. Runnable benchmark with 155 adversarial skill-mediated cases across 47 tasks, 6 risk domains, and 30 safety categories.
- π No More, No Less: Task Alignment in Terminal Agents β Mavali et al., 2026. Introduces TAB, an 89-task benchmark for whether terminal agents selectively follow relevant environmental cues while resisting distractor instructions.
- π Proteus: A Self-Evolving Red Team for Agent Skill Ecosystems β Zhou et al., 2026. Grey-box adaptive red-teaming framework that iteratively rewrites skills using audit and runtime feedback to measure residual deployment risk.
- π AgentDyn: A Dynamic Open-Ended Benchmark for Prompt Injection Attacks β Li et al., 2026. Dynamic, open-ended benchmark for evaluating indirect prompt injection defenses in real-world agent security systems.
- π NAAMSE: Framework for Evolutionary Security Evaluation of Agents β Pai et al., ICLR 2026 Workshop. Evolutionary framework reframing agent security evaluation as feedback-driven optimization with autonomous red-teaming.
- π R-Judge: Benchmarking Safety Risk Awareness β 162 records, 27 risk scenarios for agent safety.
- π InjecAgent: Benchmarking Indirect Prompt Injections β 1,054 test cases for tool-integrated agents.
- π SIABENCH: Evaluating LLMs for Security Incident Analysis β 11 LLMs Γ 160 security incident scenarios.
- π EVMbench: Evaluating AI Agents on Smart Contract Security β 117 vulnerabilities, frontier agents exploit end-to-end.
- π Ο-Knowledge: Evaluating Conversational Agents over Unstructured Knowledge β Even frontier models achieve only ~25.5% on complex agent tasks.
- π Interactive Benchmarks β Evaluating via interactive proofs and games instead of static benchmarks.
- π VeriGrey: Greybox Agent Validation β Zhang et al., 2026. Greybox security testing using tool-invocation sequences as feedback and mutational prompt fuzzing; 33% more effective than black-box on AgentDojo, discovers prompt injection scenarios missed by black-box in Gemini CLI and OpenClaw.
- π LAAF: Logic-layer Automated Attack Framework for Agentic LLM Systems β Atta et al., 2026. First automated red-teaming framework combining 49-technique LPCI taxonomy with stage-sequential seed escalation; 84% mean aggregate breakthrough rate across five production LLM platforms.
- π VIPER-MCP: Detecting and Exploiting Taint-Style Vulnerabilities in Model Context Protocol Servers β Sun et al., 2026. End-to-end auditing framework that statically localizes vulnerable MCP tool handlers and dynamically evolves proof-of-concept prompts, uncovering 106 confirmed 0-days and 67 CVEs across open-source MCP servers.
- π SafeClawBench: Separating Semantic, Audit-Evidence, and Sandbox Harm in Tool-Using LLM Agents β Tian et al., 2026. Staged benchmark of 600 adversarial tasks distinguishing three agent failure modes β semantic acceptance, auditable harm evidence, and executable state changes β showing these endpoints capture different vulnerabilities across models and prompt policies.
- π Red-Teaming the Agentic Red-Team β Pasquini et al., 2026. First security assessment of widely-deployed offensive-security agents, documenting a complete attack chain in which an active adversary exfiltrates API keys, establishes persistent footholds, and compromises operator machines, and proposing architectural safeguards.
- π Securing the AI Agent: A Unified Framework for Multi-Layer Agent Red Teaming β Yang et al., 2026. AI-Infra-Guard organizes agent red-teaming across infrastructure, protocol/tool, behavior, and model layers with 75+ components and 1,400+ rules, matching detection paradigms to each attack surface.
- π Understanding and Evaluating Claw-like Agent Security Through a Computer-Systems Lens β Niu et al., 2026. SafeClawArena benchmark evaluates always-on agents across supply-chain integrity, state exploitation, data-flow, and indirect-injection attack surfaces, reaching 70% peak attack success and surfacing systemic weaknesses in persistent agents.
- π SecurityβFidelity Tradeoffs: The Hidden Cost of Prompt Injection Defense β Hermon et al., 2026. Introduces the SecFid benchmark showing no model jointly achieves strong security and task fidelity β the most secure configuration reaches 99.3% defense at only 71.0β73.9% fidelity β quantifying the utility cost of injection defenses.
- π When AUC 0.998 Is Not Enough: A Candidate Evaluation Protocol for Hidden-State Probes of Indirect Prompt Injection in Multimodal Computer-Use Agents β Li et al., 2026. Cautions that high probing AUC on multimodal computer-use agents does not by itself establish reliable malicious-injection detection, and proposes diagnostic controls for evaluating hidden-state IPI probes.
- π Distributed Attacks in Persistent-State AI Control β Hills et al., 2026. Introduces Iterative VibeCoding, an AI-control benchmark where a prompt-injected coding agent distributes a covert side task across successive pull requests in a persistent codebase; shows no single monitor resists both gradual and concentrated attacks (>=65% evasion generalizes across model backends), and proposes a stateful link-tracker monitor that cuts gradual-attack evasion from 93% to 47% in a four-monitor ensemble.
- π Beyond Attack-Success Rate: Action-Graded Severity Scale for Tool-Using AI Agents β Owiredu-Ashley, 2026. Replaces the binary attack-success metric with a seven-level (L0βL6) action-graded harm rubric scoring an agent's tool-call trajectory by reversibility, cross-scope reach, and privilege expansion, computed via a deterministic oracle and a three-judge panel (Krippendorff's Ξ±=0.91) that together expose cross-scope leaks a zero-attack-success-rate defense hides.
| Benchmark | Focus | Size | Paper |
|---|---|---|---|
| ASB | Comprehensive agent security | 10 agents, 398 envs | Zhang et al. |
| InjecAgent | Indirect prompt injection | 1,054 test cases | Zhan et al. |
| R-Judge | Safety risk awareness | 162 records, 27 scenarios | Yuan et al. |
| ToolSword | Tool learning safety | 6 scenarios, 3 stages | Ye et al. |
| AgentDyn | Dynamic prompt injection | Open-ended, extensible | Li et al. |
| SkillSafetyBench | Skill-mediated agent safety | 155 cases, 47 tasks | Jin et al. |
| SkillVetBench | Security risk eval of open-source agent skills | Live leaderboard | Hossain et al. |
| SCR-Bench | Skill composition risk | Multi-skill chains | Xie et al. |
| SafeClawBench | Staged harm in tool-using agents | 600 adversarial tasks | Tian et al. |
| ToolPrivacyBench | Purpose-bound privacy in tool-using agents | 2,150 cases | Hu et al. |
| TAB | Selective cue following in terminal agents | 89 terminal tasks | Mavali et al. |
| Skill-Inject | Skill file attacks | Multi-scenario | Schmotz et al. |
| NAAMSE | Evolutionary agent security eval | Adaptive red-teaming | Pai et al. |
| AgentHarm | Agent misuse | 110 behaviors, 440 variants | Andriushchenko et al. |
| SkillGuard Dataset | Malicious skill detection | 157 malicious skills | Liu et al. |
| WIPI | Web-based indirect injection | Multi-scenario | Liu et al. |
| Tool | Description | Link |
|---|---|---|
| Agent Memory Guard | OWASP reference implementation for ASI06 (Memory Poisoning): runtime defense that screens every agent memory read/write through detectors + a declarative policy, with source-class provenance, forensic SecurityEvents, and snapshot rollback. LangChain/OpenAI-Agents/AutoGen/CrewAI/mem0 integrations | |
| Bounty Sieve | Offline-by-default bounty intake guardrail for coding agents: read-only GitHub issue/URL-list import, deterministic triage, local decision briefs, and human approval gates | |
| SkillGuard | LLM-native agent skill security auditor (OWASP Agentic + MITRE ATLAS) | |
| Pipelock | Open-source AI agent firewall and MCP-aware egress proxy with DLP, prompt injection scanning, process sandboxing, and mediator-signed action receipts | |
| NemoClaw | NVIDIA reference stack for running always-on AI agents more safely in sandboxes, with network policy, hardening, routed inference, and lifecycle controls | |
| CubeSandbox | Hardware-isolated (per-kernel) sub-60ms sandbox for secure AI agent code execution, with an out-of-sandbox credential vault, eBPF network isolation, and domain-allowlisted egress controls with audit logging | |
| Invariant Guardrails | Policy-based agent security guardrails | |
| Armorer Guard | Local Rust scanner for AI-agent prompt injection, credential redaction, sensitive-data requests, exfiltration-style text, and dangerous tool-call context | |
| LLM Guard | Input/output scanning for LLM applications | |
| Rebuff | Self-hardening prompt injection detector | |
| NeMo Guardrails | NVIDIA's toolkit for adding guardrails to LLM-based applications | |
| Lakera Guard | Enterprise prompt injection defense API | Website |
| Promptfoo | LLM red teaming and evaluation framework | |
| Garak | LLM vulnerability scanner | |
| IPI-Proxy | Intercepting proxy for red-teaming web-browsing agents against indirect prompt injection on live whitelisted domains | |
| Tuning Engines CLI | MCP server and CLI for governed agent/skill/tool access with policy checks, approvals, traces, and role-scoped registries | |
| AgentSkillsScanner | Static analysis scanner for agent skill definitions | |
| SkillTotal | Static, offline scanner for AI components (MCP servers, agent skills, npm/PyPI packages, repos): supply-chain risk, dangerous capabilities, prompt-injection, exfiltration; deterministic, evidence-anchored, SARIF + pre-commit/GitHub Action | |
| SkilLock | Behavior-pinning lockfile + capability-delta PR review for Claude Code & Codex skills; SARIF output for Code Scanning | |
| agent-diff-guard | Pre-push guardrail that flags high-risk coding-agent diffs such as CI/CD changes, dependency edits, test deletions, hardcoded secrets, and task-scope drift before merge | |
| Skillid | Policy-driven Claude Code plugin that combines skill guidance with per-tool hooks to enforce org guardrails, confirmation rules, redaction, and connector-specific access control | |
| Agent Audit | Security analysis system for LLM agent apps: dataflow analysis, credential detection, MCP config parsing, privilege-risk checks | Zhang et al. |
| mcp-sec-audit | MCP server security toolkit: static pattern matching + dynamic sandboxed fuzzing via Docker/eBPF for detecting over-privileged tool capabilities | Huang et al. |
| Assay Harness | CI gate that checks an agent's claimed tool side-effects (filesystem, network, process) against independently observed runtime evidence, classifying each claim as supported, degraded, blocked, or not-evaluable (observed support is the ceiling) | |
| Agent Scan | Snyk's scanner for local agent supply chains, covering MCP servers and skills with checks for prompt injection, tool poisoning, toxic flows, and malware-laced skill files | |
| DScan | Open-source agent security suite for runtime tool-call tracing, prompt-injection shielding, MCP audits, adversarial testing, and sequence-level attack detection | |
| Sayfos SDK | Runtime guardrail SDK for AI agents with provenance checks, budget governance, plan preflight, and adjudication tokens before high-risk tool actions | |
| PIC Standard | Local-first standard and reference verifier that checks agent intent, provenance, and evidence at the action boundary and fails closed before high-impact tool calls; Python CLI, MCP/LangGraph/OpenClaw integrations, HTTP bridge, and a language-agnostic conformance suite | |
| agent-sentinel | eBPF/BPF-LSM prototype that monitors local agent behavior and atomically blocks prompt-injection-driven access to sensitive files at the kernel boundary | |
| mcp-sploit | Metasploit-style framework for authorized security testing of MCP servers and MCP security gateways, including enumeration and exploit modules for unsafe tool exposure | |
| Clawvisor | AI agent gateway for purpose-based authorization, credential vaulting, and audit logging β agents declare task scope, humans approve once, Clawvisor enforces on every request without the agent ever seeing credentials | |
| trentclaw | Security assessment skill for OpenClaw environments: scans gateway config, skill permissions, MCP trust boundaries, and plugins, and correlates them into chained attack paths with severity-ranked remediation steps | |
| Nobulex | Trust Capital scoring layer for AI agents: bilateral Ed25519 receipts (pre- and post-execution signatures), content-addressed via action_ref and hash-chained per RFC 8785, that accumulate into a published 300-850 reputation score gating agent autonomy. CTEF v0.3.2 14/14 conformance. Python + TypeScript SDKs. Receipt-signing approach merged into Microsoft AGT. |
| Specification | Org | Focus |
|---|---|---|
| AgentSkills.io | Open Standard | Agent skill definition and security requirements |
| Model Context Protocol (MCP) | Anthropic | Tool/resource integration protocol for LLMs |
| OpenAI Function Calling | OpenAI | Tool use specification for GPT models |
| Tool Use (Claude) | Anthropic | Claude's native tool use interface |
| LangChain Tools | LangChain | Tool abstraction for agent frameworks |
| AutoGPT Plugins | AutoGPT | Plugin system for autonomous agents |
| OpenAPI/Swagger | Linux Foundation | API specification commonly used as tool definitions |
- π Snowflake Cortex AI Escapes Sandbox and Executes Malware β PromptArmor, 2026. Prompt injection attack chain in Snowflake's Cortex Agent bypassed command allowlists via bash process substitution to achieve RCE; now patched.
- π Confused Deputy Attacks on Autonomous AI Agents β Cloud Security Alliance AI Safety Initiative, 2026. Research note on prompt injection chains enabling privilege escalation and autonomous compromise in AI agent systems.
- π How AI Assistants are Moving the Security Goalposts β Krebs on Security, 2026. AI agents as insider threats.
- π Hackers Used Metaβs AI Support Bot to Seize Instagram Accounts β Krebs on Security, 2026. Real-world incident where attackers socially engineered an AI account-recovery assistant into relinking target accounts, illustrating a new tool-mediated support-agent attack surface.
- π Anthropic: Challenges in Red Teaming AI Systems β Anthropic's perspective on evaluating agent safety.
- π OpenAI: Safety of Advanced AI Agents β Practices for governing agentic AI systems.
- π Compromising Agents via MCP β Invariant Labs deep-dive into MCP attack vectors.
- π Simon Willison: Prompt Injection Explained β Accessible introduction to prompt injection risks.
- π The sorry state of skill distribution β Trail of Bits, 2026. Demonstrates practical bypasses against ClawHub, Cisco skill-scanner, and skills.sh, showing how malicious skills can evade current marketplace scanners via truncation, archive indirection, poisoned bytecode, and prompt-injection framing.
- π TRAIL: Trusted Reasoning and AI Logging β Logging framework for auditable agent execution.
- π Cyber Threat Intelligence for AI Systems β AI-specific CTI framework with IoCs for supply-chain phases.
- π AI Safety Has 12 Months Left β Window to embed safety into infrastructure before market forces prevent it.
- π LiteLLM Hack: Were You One of the 47,000? β FutureSearch via Simon Willison, 2026. Analysis of PyPI supply-chain attack on LiteLLM: 47K downloads of exploited packages in 46 minutes, 88% of 2,337 dependent packages had unpinned versions.
- π Exploiting Agentic Browsers: From False Information to Cross-Site Data Leaks β Trail of Bits, 2026. Demonstrates lack of isolation in agentic browsers enabling attacks from false information dissemination to cross-site data leaks, resurfacing decades-old web vulnerability patterns.
- π OpenAI Help: Lockdown Mode β Simon Willison, 2026. Highlights OpenAI's new network-egress restriction mode for ChatGPT as a concrete mitigation for prompt-injection-driven data exfiltration in agentic workflows.
- π ClawHub by the Numbers: Metadata on All 52,652 Packages β Trent AI, 2026. Registry-wide metadata analysis of all 52,652 ClawHub packages finding only 22% meet a "clean" baseline; quantifies supply-chain risk across the OpenClaw skill ecosystem.
- awesome-llm-security β General LLM security resources.
- awesome-ai-safety β AI safety research and resources.
- awesome-chatgpt-prompts β Prompt engineering (includes adversarial examples).
- awesome-ml-for-cybersecurity β ML applied to cybersecurity.
- awesome-mcp-servers β MCP server ecosystem (attack surface reference).
- awesome-ai-agents β AI agent frameworks and projects.
Contributions are welcome! Please read the contribution guidelines before submitting a pull request.
- Fork the repository
- Add your resource in the appropriate category
- Use the format:
- π **[Title](URL)** β Authors, Venue Year. One-sentence description. - Submit a pull request
- Resources must be directly related to agent/tool/skill security
- Papers should be published or on arXiv
- Tools should be actively maintained (commits within last 6 months)
- Blog posts should provide substantial technical analysis
If you find this list useful in your research, please cite:
@misc{awesome-agent-skills-security,
author = {Liu, Yi},
title = {Awesome Agent Skills Security},
year = {2026},
publisher = {GitHub},
journal = {GitHub Repository},
howpublished = {\url{https://github.com/LLMSecurity/awesome-agent-skills-security}}
}This list is released under CC0 1.0 Universal.
