{"total":26,"items":[{"citing_arxiv_id":"2606.31272","ref_index":48,"ref_count":1,"confidence":0.98,"is_internal_anchor":true,"paper_title":"The Decomposition Is the Fingerprint: Per-Component Identity for Agent Skills","primary_cat":"cs.CR","submitted_at":"2026-06-30T07:45:33+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"A per-component SimHash fingerprint supplies structural identity for AI agent skills, recovering family membership under paraphrase and refactoring with AUC 0.974 while localizing changes.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2606.11671","ref_index":9,"ref_count":1,"confidence":0.98,"is_internal_anchor":true,"paper_title":"Runtime Skill Audit: Targeted Runtime Probing for Agent Skill Security","primary_cat":"cs.CR","submitted_at":"2026-06-10T05:29:34+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Runtime Skill Audit introduces targeted runtime probing to detect malicious LLM agent skills, reporting 90% accuracy and resilience to self-evolving attacks on 100 skills versus static baselines.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2606.10749","ref_index":150,"ref_count":1,"confidence":0.98,"is_internal_anchor":true,"paper_title":"Toward Secure LLM Agents: Threat Surfaces, Attacks, Defenses, and Evaluation","primary_cat":"cs.CR","submitted_at":"2026-06-09T12:01:07+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":3.0,"formal_verification":"none","one_line_summary":"A synthesis of 247 papers on LLM agent security identifies prompt injection and tool hijacking as dominant threats, notes weakly compositional defenses, and argues for trust boundaries and realistic evaluations.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"Yotam Kaplan, Vered Shwartz, Tamar Rott Shaham, Christoph Riedl, Reuth Mirsky, Maarten Sap, David Manheim, Tomer Ullman, and David Bau. 2026. Agents of Chaos. arXiv:2602.20021 [cs.AI] doi:10.48550/arXiv.2602.20021 [149] Gauri Sharma, Vidhi Kulkarni, Miles King, and Ken Huang. 2025. Towards Unifying Quantitative Security Bench- marking for Multi Agent Systems. arXiv:2507.21146 [cs.CR] doi:10.48550/arXiv.2507.21146 [150] Chongyang Shi, Sharon Lin, Shuang Song, Jamie Hayes, Ilia Shumailov, Itay Yona, Juliette Pluto, Aneesh Pappu, Christopher A. Choquette-Choo, Milad Nasr, Chawin Sitawarin, Gena Gibson, Andreas Terzis, and John Flynn. 2025. Lessons from Defending Gemini Against Indirect Prompt Injections. arXiv:2505.14534 [cs.CR] doi:10.48550/arXiv. 2505.14534 [151] Guanquan Shi, Haohua Du, Zhiqiang Wang, Xiaoyu Liang, Weiwenpei Liu, Song Bian, and Zhenyu Guan."},{"citing_arxiv_id":"2606.02302","ref_index":11,"ref_count":1,"confidence":0.98,"is_internal_anchor":true,"paper_title":"SeClaw: Spec-Driven Security Task Synthesis for Evaluating Autonomous Agents","primary_cat":"cs.CR","submitted_at":"2026-06-01T14:23:42+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"SeClaw provides spec-driven synthesis of security tasks and an execution-based docker testbed for evaluating unsafe behaviors in autonomous LLM agents.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.31042","ref_index":23,"ref_count":1,"confidence":0.98,"is_internal_anchor":true,"paper_title":"From Prompt Injection to Persistent Control: Defending Agentic Harness Against Trojan Backdoors","primary_cat":"cs.CR","submitted_at":"2026-05-29T09:19:07+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Introduces ClawTrojan benchmark achieving 95.5% ASR for multi-step trojan attacks in agentic harnesses and DASGuard defense that sanitizes control content from untrusted sources.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2606.20631","ref_index":75,"ref_count":1,"confidence":0.98,"is_internal_anchor":true,"paper_title":"Harnessing Agent Skills: Architectural Patterns and a Reference Architecture for Skill-Mediated LLM Agents","primary_cat":"cs.AI","submitted_at":"2026-05-29T02:12:24+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Catalogs ten patterns and synthesizes a four-layer reference architecture for skill harnessing in LLM agents, evaluated via cross-instantiation on eight systems.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.28914","ref_index":16,"ref_count":1,"confidence":0.98,"is_internal_anchor":true,"paper_title":"AIRGuard: Guarding Agent Actions with Runtime Authority Control","primary_cat":"cs.CR","submitted_at":"2026-05-27T17:48:14+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"AIRGuard is a runtime authority-control layer for tool-using agents that reduces attack success on AgentTrap from 36.3% to 5.5% while retaining higher benign utility than ARGUS or MELON on DTAP-150.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.22321","ref_index":9,"ref_count":1,"confidence":0.98,"is_internal_anchor":true,"paper_title":"Benchmarking Autonomous Agents against Temporal, Spatial, and Semantic Evasions","primary_cat":"cs.CR","submitted_at":"2026-05-21T11:07:51+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"A3S-Bench evaluates LLM agents against temporal, spatial, and semantic evasions, raising average risk trigger rates from 28.3% to 52.6% across 2,254 trajectories and 20 scenarios.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.13044","ref_index":16,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"No Attack Required: Semantic Fuzzing for Specification Violations in Agent Skills","primary_cat":"cs.CR","submitted_at":"2026-05-13T05:57:06+00:00","verdict":"UNVERDICTED","verdict_confidence":"MODERATE","novelty_score":7.0,"formal_verification":"none","one_line_summary":"Sefz discovers specification violations in 29.9% of 402 real-world agent skills by translating guardrails into reachability goals and guiding LLM mutations with a multi-armed bandit.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.12875","ref_index":16,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Do Skill Descriptions Tell the Truth? Detecting Undisclosed Security Behaviors in Code-Backed LLM Skills","primary_cat":"cs.CR","submitted_at":"2026-05-13T01:44:10+00:00","verdict":"CONDITIONAL","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"SKILLSCOPE detects undisclosed security behaviors in LLM skill implementations via security property graphs and taxonomy-based consistency checking, identifying confirmed inconsistencies in 9.4% of 4,556 evaluated skills with 84.8% precision and 96.5% recall against human review.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.12233","ref_index":14,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"No More, No Less: Task Alignment in Terminal Agents","primary_cat":"cs.LG","submitted_at":"2026-05-12T15:06:15+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"The TAB benchmark reveals that frontier terminal agents achieve high task completion but low selective alignment with relevant environmental cues over distractors, and prompt-injection defenses block both.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.12015","ref_index":32,"ref_count":2,"confidence":0.98,"is_internal_anchor":true,"paper_title":"SkillSafetyBench: Evaluating Agent Safety under Skill-Facing Attack Surfaces","primary_cat":"cs.CR","submitted_at":"2026-05-12T12:03:54+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"SkillSafetyBench is a benchmark of 155 cases across 47 tasks and 6 risk domains showing that non-user attacks via skills, artifacts, or environments can consistently induce unsafe agent behavior.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.11770","ref_index":27,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Behavioral Integrity Verification for AI Agent Skills","primary_cat":"cs.CR","submitted_at":"2026-05-12T08:41:09+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"BIV audits AI agent skills at scale, finding 80% deviate from declared behavior on 49,943 skills and achieving 0.946 F1 for malicious skill detection.","context_count":1,"top_context_role":"dataset","top_context_polarity":"use_dataset","context_text":"The verdict path here is auditable end-to-end without requiring the override predicateVto fire: Φ(s)exposes the credential-exfiltration kill chain through structural taint analysis, and the LLM judge independently catches the instruction-override directives in the markdown. Benchmarks and baselines.The 906 skills mix three sources: MaliciousAgentSkillsBench [44] (44 real-world malware+410 benign); Skill-Inject [27] (160 attacks+42 clean controls); and SkillJect [45] (200 attacks+50 clean controls). Real-world samples carry ecological validity; the synthetic sources cover adversarial diversity at higher count. We compare BIV against two baselines representing rule-based and LLM-based state of the art. Therule-basedbaseline is the behavioral-analysis component of the Cisco AI Defense skill scanner [46]."},{"citing_arxiv_id":"2605.11418","ref_index":11,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Under the Hood of SKILL.md: Semantic Supply-chain Attacks on AI Agent Skill Registry","primary_cat":"cs.AI","submitted_at":"2026-05-12T02:11:54+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":8.0,"formal_verification":"none","one_line_summary":"Semantic manipulations of SKILL.md descriptions enable effective supply-chain attacks that bias AI agent skill registries toward adversarial skills in discovery, selection, and governance.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"of audited ClawHub and skills.sh skills, while another empirical study finds vulnerabilities in 26.1% of analyzed skills [ 9, 10]. These findings suggest thatAgent Skillsare not merely convenience modules, but a new semantic supply-chain surface. Prior studies show that malicious skill files can induce unsafe downstream agent behavior after loading [11], examine persistent compromises such as backdoored skills and poisoned models [12, 13], and propose detectors for malicious skill submissions [14, 15]. However, existing work primarily focuses arXiv:2605.11418v1 [cs.AI] 12 May 2026 - - - name: travel-manager description: \"Comprehensive travel planning, booking, and management skill. Use when needing"},{"citing_arxiv_id":"2605.11047","ref_index":11,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Red-Teaming Agent Execution Contexts: Open-World Security Evaluation on OpenClaw","primary_cat":"cs.CR","submitted_at":"2026-05-11T13:20:02+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"DeepTrap automates discovery of contextual vulnerabilities in OpenClaw agents via trajectory optimization, showing that unsafe behavior can be induced while preserving task completion and that final-response checks are insufficient.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.09594","ref_index":18,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Trust Me, Import This: Dependency Steering Attacks via Malicious Agent Skills","primary_cat":"cs.CR","submitted_at":"2026-05-10T15:13:38+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"Malicious Skills induce coding agents to hallucinate and import attacker-controlled packages at high rates while evading detection.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"shape the model's dependency selection behavior in advance. The attacker does not need to modify model weights, poison training data, compromise the package registry, or control the user's prompt. Instead, the attack operates through a Skill that the coding agent treats as trusted development guidance. Skills significantly expand the attack surface of agentic coding systems [16], [17], [18], [19], [20]. We use the termSkillbroadly to refer to persistent instruction artifacts, including Claude Skills [16], Cursor Rules [21], Windsurf Rules [22], AutoGen system prompts [23], LangChain instruc- tion templates [24], and project-specific markdown instruction files. These artifacts commonly encode coding conventions, preferred frameworks, architectural assumptions, workflow"},{"citing_arxiv_id":"2605.08460","ref_index":15,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"When Child Inherits: Modeling and Exploiting Subagent Spawn in Multi-Agent Networks","primary_cat":"cs.CR","submitted_at":"2026-05-08T20:27:23+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"Multi-agent LLM frameworks can spread compromises across agent boundaries via insecure memory inheritance during subagent spawning.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"demonstrates an exciting future of how multi-agent systems can further accomplish those complicated tasks. Nevertheless, this network itself is also not invincible. When multiple agents coordinate, delegate tasks, and exchange intermediate outputs, vulnerabilities are no longer isolated to one model or tool chain; instead, they may propagate across agents and amplify through interaction [15]. Traditional network security is built on a clear opera- tional model: trained practitioners define and enforce policies through mechanisms such as PKI trust hierarchies, access control lists, and firewalls. Over time, many of these controls have been integrated into operating systems as managed sub- systems, allowing non-expert users to obtain baseline protec-"},{"citing_arxiv_id":"2605.05868","ref_index":49,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"SkillScope: Toward Fine-Grained Least-Privilege Enforcement for Agent Skills","primary_cat":"cs.CR","submitted_at":"2026-05-07T08:34:14+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"SkillScope detects over-privileged LLM agent skills with 94.53% F1 score via graph analysis and replay validation, finding 7,039 problematic skills in the wild and reducing violations by 88.56% while preserving task completion.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"[47] David Schmotz, Sahar Abdelnabi, and Maksym Andriushchenko. 2025. Agent Skills Enable a New Class of Realistic and Trivially Simple Prompt Injections. arXiv preprint arXiv:2510.26328(2025). [48] David Schmotz, Luca Beurer-Kellner, Sahar Abdelnabi, and Maksym An- driushchenko. 2026. Skill-inject: Measuring agent vulnerability to skill file attacks. arXiv preprint arXiv:2602.20156(2026). [49] Tianneng Shi, Jingxuan He, Zhun Wang, Hongwei Li, Linyu Wu, Wenbo Guo, and Dawn Song. 2025. Progent: Programmable privilege control for llm agents. arXiv preprint arXiv:2504.11703(2025). [50] SkillsMP. 2026. Agent Skills Marketplace. https://skillsmp.com/. Accessed: 2026-04-19. [51] Xuchen Suo. 2024. Signed-prompt: A new approach to prevent prompt injec-"},{"citing_arxiv_id":"2605.05274","ref_index":33,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Sealing the Audit-Runtime Gap for LLM Skills","primary_cat":"cs.CR","submitted_at":"2026-05-06T14:23:22+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"SIGIL cryptographically seals the audit-runtime gap for LLM skills via an on-chain registry with four publication types, DAO vetting, and a runtime verification loader that enforces integrity and permissions.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2605.03378","ref_index":140,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"ARGUS: Defending LLM Agents Against Context-Aware Prompt Injection","primary_cat":"cs.CR","submitted_at":"2026-05-05T05:37:00+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"ARGUS defends LLM agents from context-aware prompt injections by tracking information provenance and verifying decisions against trustworthy evidence, reducing attack success to 3.8% while retaining 87.5% task utility.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2604.25109","ref_index":19,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Structured Security Auditing and Robustness Enhancement for Untrusted Agent Skills","primary_cat":"cs.CR","submitted_at":"2026-04-28T01:32:27+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":5.0,"formal_verification":"none","one_line_summary":"SkillGuard-Robust formulates pre-load auditing of untrusted Agent Skills as a three-way classification task and achieves 97.30% exact match and 98.33% malicious-risk recall on held-out benchmarks.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2604.22888","ref_index":12,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"RouteGuard: Internal-Signal Detection of Skill Poisoning in LLM Agents","primary_cat":"cs.CR","submitted_at":"2026-04-24T09:07:05+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"RouteGuard uses response-conditioned attention and hidden-state alignment to detect skill poisoning in LLM agents, achieving 0.8834 F1 on Skill-Inject benchmarks and recovering 90.51% of attacks missed by lexical screening.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2604.11790","ref_index":35,"ref_count":2,"confidence":0.9,"is_internal_anchor":true,"paper_title":"ClawGuard: A Runtime Security Framework for Tool-Augmented LLM Agents Against Indirect Prompt Injection","primary_cat":"cs.CR","submitted_at":"2026-04-13T17:55:11+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":6.0,"formal_verification":"none","one_line_summary":"ClawGuard enforces deterministic, user-derived access constraints at tool boundaries to block indirect prompt injection without changing the underlying LLM.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"tration, unauthorized execution, and unauthorized communica- tion.MCPSafeBench[44] covers215real-world MCP server attack scenarios across four task domains: repository manage- ment, financial analysis, web search, and location navigation. Implementation.We evaluate CLAWGUARDon five state-of-the-art LLMs: DeepSeek-V3.2 [16], GLM-5 [41], Kimi-K2.5 [23], MiniMax-M2.5 [20], and Qwen3.5-397B- A17B [35]. All experiments use the default OpenClaw configuration with a five-minute timeout per task. The current evaluation employs the basic-rule configuration of CLAWGUARD, in which the active rule set consists solely of the baseline rule setR base without the task-specific rule induction component; full results incorporating context- aware rule induction will be reported in a future version."},{"citing_arxiv_id":"2604.09443","ref_index":23,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Many-Tier Instruction Hierarchy in LLM Agents","primary_cat":"cs.CL","submitted_at":"2026-04-10T16:00:04+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":7.0,"formal_verification":"none","one_line_summary":"ManyIH and ManyIH-Bench address instruction conflicts in LLM agents with up to 12 privilege levels across 853 tasks, revealing frontier models achieve only ~40% accuracy.","context_count":0,"top_context_role":null,"top_context_polarity":null,"context_text":null},{"citing_arxiv_id":"2604.03081","ref_index":37,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Supply-Chain Poisoning Attacks Against LLM Coding Agent Skill Ecosystems","primary_cat":"cs.CR","submitted_at":"2026-04-03T14:58:58+00:00","verdict":"UNVERDICTED","verdict_confidence":"LOW","novelty_score":8.0,"formal_verification":"none","one_line_summary":"DDIPE poisons LLM agent skills by embedding malicious logic in documentation examples, achieving 11.6-33.5% bypass rates across frameworks while explicit attacks are blocked, with 2.5% evading detection.","context_count":1,"top_context_role":"background","top_context_polarity":"background","context_text":"Recent disclosures [12, 28] further document attackers planting poisoned skill files in repositories and public registries (e.g., CVE-2025-59536), bypassing user authoriza- tion to achieve remote code execution and API-key exfiltration. Despite these emerging threats, little work addresses this new attack surface. For instance, ToolTweak [39] and Skill-Inject [37] show that attackers can hijack tool-selection decisions via poi- soned skill files, but confine the threat to tool-selection bias or text-generation pollution akin to RAG poisoning [54]. To the best of our knowledge, no prior work examines how supply-chain vec- tors can covertly hijack an agent'saction space. Specifically, the system-level primitives (file writes, shell commands, network re-"},{"citing_arxiv_id":"2604.02837","ref_index":14,"ref_count":1,"confidence":0.9,"is_internal_anchor":true,"paper_title":"Towards Secure Agent Skills: Architecture, Threat Taxonomy, and Security Analysis","primary_cat":"cs.CR","submitted_at":"2026-04-03T07:56:42+00:00","verdict":"ACCEPT","verdict_confidence":"MODERATE","novelty_score":8.0,"formal_verification":"none","one_line_summary":"Agent Skills has structural security weaknesses from missing data-instruction boundaries, single-approval persistent trust, and absent marketplace reviews that require fundamental redesign.","context_count":1,"top_context_role":"background","top_context_polarity":"support","context_text":"window at Level 3, it is interpreted alongside the Skill's operator-level instructions, with no structural mechanism to distinguish data from directives. Schmotz demonstrated a concrete instance of this attack in the Agent Skills context, showing that content retrieved by a legitimate Skill can redirect the agent to perform actions outside the Skill's declared scope [14]. Greshake et al. introduced this threat class for LLM-integrated applications more broadly [25], and the Red Hat security team explicitly identified it as an unresolved risk in Skill deployments [26]. The architecture of Agent Skills amplifies the severity of indirect injection relative to prior settings: because retrieved content enters an operator-level context rather than a user-level one, injected instructions carry"}],"limit":50,"offset":0}