{"total":13,"items":[
{"citing_arxiv_id":"2606.30602","ref_index":8,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"MESA: Prioritizing Vulnerable Communication Channels for Securing Multi-Agent Systems","primary_cat":"cs.CR","submitted_at":"2026-06-29T17:40:45+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"MESA ranks MAS communication edges by vulnerability via graph-theoretic metrics and dynamic probes, achieving mean Spearman ρ=+0.60 correlation with empirical per-edge attack success and 3x interception gain when monitoring the top 10%.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2606.07943","ref_index":46,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"POISE: Position-Aware Undetectable Skill Injection on LLM Agents","primary_cat":"cs.CR","submitted_at":"2026-06-06T02:10:03+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"POISE is a stealthy skill-poisoning attack achieving 89.3% ASR on Skill-Inject by blending a compressed trigger into contextually appropriate positions in skill bodies, outperforming YAML and random-placement baselines while evading static scanners.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2606.00485","ref_index":16,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Confused ChatGPT: Cross-App Context Poisoning via First-Party APIs","primary_cat":"cs.CR","submitted_at":"2026-05-30T02:37:18+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":8.0,"formal_verification":"none","one_line_summary":"Identifies cross-app context poisoning in ChatGPT Apps, a persistent indirect prompt injection delivered through undocumented first-party API parameters that lets one app manipulate others via the shared untagged context.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2605.28104","ref_index":1,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Defending LLM-based Multi-Agent Systems Against Cooperative Attacks with Sentence-Level Rectification","primary_cat":"cs.AI","submitted_at":"2026-05-27T07:56:33+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"STAR defense mitigates cooperative attacks in LLM-based multi-agent systems, improving task success rate by 36.76% on average while cooperative attacks cause a 5.34% relative drop compared to independent attacks.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2605.03482","ref_index":7,"ref_count":2,"confidence":0.9,"is_internal_anchor":false,"paper_title":"MEMSAD: Gradient-Coupled Anomaly Detection for Memory Poisoning in Retrieval-Augmented Agents","primary_cat":"cs.CR","submitted_at":"2026-05-05T08:15:41+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"MEMSAD links anomaly detection gradients to retrieval objectives under encoder regularity to certify detection of continuous memory poisons, achieving perfect TPR/FPR in experiments while exposing a synonym-invariance gap.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2604.23338","ref_index":12,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"A Systematic Survey of Security Threats and Defenses in LLM-Based AI Agents: A Layered Attack Surface Framework","primary_cat":"cs.CR","submitted_at":"2026-04-25T14:57:15+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"A new 7x4 taxonomy organizes agentic AI security threats by architectural layer and persistence timescale, revealing under-explored upper layers and missing defenses after surveying 116 papers.","context_count":1,"top_context_role":"background","top_context_polarity":"support","context_text":"memory, influencing behavior in a completely unrelated session weeks later, with no detectable anomaly at either the injection or exploitation point. • A compromised sub-agent in an enterprise multi-agent pipeline can propagate malicious intent through peer-to-peer trust relationships, compromising the entire orchestration network from a single point of entry [12]. • A malicious MCP server, indistinguishable to the agent from a legitimate tool provider, can silently exfiltrate sensitive data via hidden instructions embedded in tool descriptions [13]. These threats have no direct analogues in classical LLM safety or traditional software security. The security community has responded by extending existing frameworks rather than"},
{"citing_arxiv_id":"2604.12616","ref_index":11,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Every Picture Tells a Dangerous Story: Memory-Augmented Multi-Agent Jailbreak Attacks on VLMs","primary_cat":"cs.AI","submitted_at":"2026-04-14T11:44:59+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"MemJack achieves 71.48% attack success rate on unmodified COCO val2017 images against Qwen3-VL-Plus by coordinating agents to map visual entities to malicious intents, apply multi-angle camouflage, and filter refusals via iterative nullspace projection while transferring strategies through a shared ","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"lifelong policy library that discovers, stores, and reuses effective strategies across models, demonstrating that persistent memory is key to attack generalization. Broader agent-memory research such as Reflexion [40], Voyager [46] and HippoRAG [14] confirms the value of experiential reflection, policy consolidation, and structured retrieval for long-horizon tasks, while AgentPoison [5] and Agent Smith [11] investigate security risks of agent memory itself. However, all existing attack-memory systems operate in the text-only policy space; none incorporates visual-semantic cues, attack-goal mappings, or success/failure feedback for cross-image strategy transfer in multimodal jailbreaks. In addition to the methods mentioned above, recent research has"},
{"citing_arxiv_id":"2604.09056","ref_index":14,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Conversations Risk Detection LLMs in Financial Agents via Multi-Stage Generative Rollout","primary_cat":"cs.CR","submitted_at":"2026-04-10T07:29:39+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":4.0,"formal_verification":"none","one_line_summary":"FinSec is a multi-stage detection system for financial LLM dialogues that reaches 90.13% F1 score, cuts attack success rate to 9.09%, and raises AUPRC to 0.9189.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2604.09574","ref_index":40,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Turing Test on Screen: A Benchmark for Mobile GUI Agent Humanization","primary_cat":"cs.AI","submitted_at":"2026-02-24T04:29:42+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"The work creates a new benchmark for humanizing GUI agent touch dynamics via a MinMax detector-agent model, a mobile touch dataset, and methods showing agents can match human behavior without losing task performance.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2505.16120","ref_index":113,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"LLM-Powered AI Agent Systems and Their Applications in Industry","primary_cat":"cs.AI","submitted_at":"2025-05-22T01:52:15+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":2.0,"formal_verification":"none","one_line_summary":"A survey categorizing LLM-powered agent systems into software-based, physical, and hybrid types, covering industrial applications and challenges such as latency and security.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"Security and privacy are significant challenges when deploying LLM-powered agent systems due to their susceptibility to attacks and data leakage. One of the most critical issues is the jailbreak of AI agent systems, where adversaries manipulate the input prompts to bypass safety mechanisms, leading the agent to generate harmful or unethical content [113]-[115]. Such vulnerabilities can be exploited to spread misinformation, generate malicious code, or perform unauthorized actions. Additionally, LLM agents often process sensitive user data, posing risks of unintentional data leakage. Attackers can use prompt injection attacks to trick the model into revealing proprietary or personal information [116]."},
{"citing_arxiv_id":"2505.10924","ref_index":3,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"A Survey on the Safety and Security Threats of Computer-Using Agents: JARVIS or Ultron?","primary_cat":"cs.CL","submitted_at":"2025-05-16T06:56:42+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":5.0,"formal_verification":"none","one_line_summary":"A survey that defines Computer-Using Agents for safety analysis, categorizes their threats, proposes a taxonomy of defensive strategies, and summarizes benchmarks and datasets for evaluating CUA safety and performance.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},
{"citing_arxiv_id":"2503.21460","ref_index":220,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Large Language Model Agent: A Survey on Methodology, Applications and Challenges","primary_cat":"cs.CL","submitted_at":"2025-03-27T12:50:17+00:00","verdict":"ACCEPT","verdict_confidence":"LOW","novelty_score":3.0,"formal_verification":"none","one_line_summary":"A survey that deconstructs LLM agent systems via a methodology-centered taxonomy linking design principles to emergent behaviors, applications, and challenges.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"between users and LLM agents, where it solicits information from users. Interaction among LLM agents. In multi-agent LLM systems, the interactions among agents are frequent and essential [12]. Attackers poison a single agent, which then infects other agents [219]. This recursive attack can ultimately deplete the computational resources. AgentSmith [220] concludes that the infectious spread occurs exponentially fast. The Contagious Recursive Blocking Attack (CORBA) [196] is designed to disrupt the communications among agents, 13 TABLE 4: Summary of data-centric attack and defense in LLM agents. Reference Description External Data Attacks and Security Li et al. [204] Attack:Malicious prefix injection"},
{"citing_arxiv_id":"2410.07283","ref_index":58,"ref_count":1,"confidence":0.9,"is_internal_anchor":false,"paper_title":"Prompt Infection: LLM-to-LLM Prompt Injection within Multi-Agent Systems","primary_cat":"cs.MA","submitted_at":"2024-10-09T11:01:29+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":8.0,"formal_verification":"none","one_line_summary":"Prompt injection attacks can self-replicate across LLM agents in multi-agent systems, enabling data theft, misinformation, and system disruption while propagating silently.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null}
],"limit":50,"offset":0}