arxiv: 2605.05969 · v1 · submitted 2026-05-07 · 💻 cs.CR · cs.SE

Recognition: unknown

Heimdallr: Characterizing and Detecting LLM-Induced Security Risks in GitHub CI Workflows

Bonan Ruan , Yeqi Fu , Chuqi Zhang , Jiahao Liu , Jun Zeng , Zhenkai Liang

Authors on Pith no claims yet

Pith reviewed 2026-05-08 09:25 UTC · model grok-4.3

classification 💻 cs.CR cs.SE

keywords LLM securityGitHub CI workflowsthreat vector detectioncontinuous integration securitydataflow analysisvulnerability detectionproperty graph analysis

0 comments

The pith

Integrating LLMs into GitHub CI workflows creates exploitable security risks that can be detected through graph-based analysis of workflow inputs and outputs.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper studies how large language models added to GitHub continuous integration workflows open a new attack surface. External inputs can control LLM prompts and outputs, which then influence security decisions, repository state, or privileged actions. The authors map the full execution chain, build a taxonomy of risk classes and concrete threat vectors, and present Heimdallr as a hybrid tool that converts workflows into a property graph for triggerability checks and dataflow tracking. If the approach holds, teams gain an automated way to locate and address these risks before they reach production pipelines. The work also includes responsible disclosure of many affected repositories.

Core claim

LLM-induced security risks arise when externally controllable inputs shape LLM prompts and outputs inside GitHub CI workflows, and these risks can be systematically characterized along the execution chain into high-level classes and concrete threat vectors; Heimdallr detects them by normalizing workflows into an LLM-Workflow Property Graph, performing triggerability analysis, applying LLM-assisted dataflow summarization, and using deterministic propagation to produce concrete findings.

What carries the argument

The LLM-Workflow Property Graph (L-WPG) that normalizes CI workflows and supports combined triggerability analysis with dataflow summarization to trace how inputs reach LLM nodes and produce security-relevant outputs.

If this is right

Repository owners can scan existing workflows to locate and patch instances where LLM outputs affect privileged actions.
A taxonomy of risk classes allows consistent classification of threats that combine external inputs with LLM behavior.
Automated detection enables ongoing monitoring as workflows evolve and new LLM integrations are added.
Responsible disclosure processes can surface vulnerabilities across hundreds of repositories for coordinated fixes.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The same input-to-LLM-to-action pattern may appear in other automation platforms, suggesting the graph-based detection method could transfer beyond GitHub.
As LLMs gain more direct control over code execution or repository changes, the need for triggerability checks will grow rather than diminish.
Teams could extend the framework to flag risks even when the LLM component is updated or replaced by a different model.
Integration of such analysis into CI platforms themselves would allow proactive warnings before workflows are merged.

Load-bearing premise

A set of 300 manually annotated workflows supplies unbiased and complete ground truth for identifying LLM nodes, classifying triggerability, and detecting threat vectors across the full range of risks.

What would settle it

A collection of previously unseen GitHub workflows in which Heimdallr either misses genuine LLM-controlled security changes or incorrectly flags safe workflows as risky.

Figures

Figures reproduced from arXiv: 2605.05969 by Bonan Ruan, Chuqi Zhang, Jiahao Liu, Jun Zeng, Yeqi Fu, Zhenkai Liang.

**Figure 1.** Figure 1: Excerpts of a caller workflow and a reusable work view at source ↗

**Figure 2.** Figure 2: Motivating examples. The left workflow depicts a spam detection pipeline where an attacker uses prompt injection view at source ↗

**Figure 4.** Figure 4: Graph construction and inlining. data into LLM prompts and LLM outputs into downstream securityrelevant operations via combined deterministic and LLM-assisted taint propagation, addressing C3; and (d) Risk Synthesis (§ 5.4), which maps the triggerability and dataflow evidence to threat vectors in our taxonomy. 5.1 L-WPG Construction To analyze heterogeneous GitHub workflows in a unified way, Heimdallr c… view at source ↗

**Figure 5.** Figure 5: Baseline and final triggerability mode distributions view at source ↗

**Figure 6.** Figure 6: Lower-bound prevalence of currently identified view at source ↗

read the original abstract

GitHub Continuous Integration (CI) workflows increasingly integrate Large Language Models (LLMs) to automate review, triage, content generation, and repository maintenance. This creates a new attack surface: externally controllable workflow inputs can shape LLM prompts and outputs, which may in turn affect security decisions, repository state, or privileged execution. Although LLM security and CI security have each been studied extensively, their intersection remains underexplored. In this paper, we present the first study of LLM-induced security risks in GitHub CI workflows. We characterize the problem along the full execution chain and develop a taxonomy of high-level risk classes and concrete threat vectors. To detect such risks in practice, we design Heimdallr, a hybrid analysis framework that normalizes workflows into an LLM-Workflow Property Graph (L-WPG) and combines triggerability analysis, LLM-assisted dataflow summarization, and deterministic propagation to synthesize concrete threat-vector findings. Evaluated on 300 manually annotated unique workflows, Heimdallr achieves high accuracy on LLM-node identification (F1~=~0.994), triggerability classification (99.8%), and threat-vector detection (micro-average F1~=~0.917). As part of an ongoing detection and disclosure effort, we have so far responsibly disclosed 802 vulnerable workflow instances across 759 repositories and received 71 acknowledgments.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

This is the first paper to map LLM risks through the full chain in GitHub CI workflows, with a usable detector and real disclosures.

read the letter

This paper is the first to treat LLM use inside GitHub CI workflows as a distinct security problem. It walks through the execution chain from external inputs to LLM prompts to downstream effects on the repository, produces a taxonomy of risk classes and threat vectors, and ships Heimdallr, a hybrid detector that builds an LLM-Workflow Property Graph, checks triggerability, uses LLM-assisted summarization, and propagates findings deterministically. They report strong numbers on 300 manually annotated workflows: F1 of 0.994 for LLM-node identification, 99.8% for triggerability, and 0.917 micro-average F1 for threat-vector detection. They also disclosed 802 vulnerable instances across 759 repos and got acknowledgments, which is concrete follow-through. The hybrid design looks practical for this setting and avoids obvious circularity or parameter fitting. The main soft spot is the ground truth. The abstract and available details give no numbers on inter-annotator agreement, how the 300 workflows were sampled, or any validation steps for the LLM summarization component. If the annotation set has selection bias or low agreement, the high accuracy figures become harder to trust for broader use. The reliance on an LLM inside the detector itself also needs explicit error analysis, even with the deterministic parts downstream. This work is for people who care about CI security, automated code review tools, or LLM safety in developer pipelines. Anyone building static or dynamic analyzers for workflows would find the taxonomy and graph construction useful. It deserves a serious referee because the topic is timely, the results are measurable, and the disclosures show they are not just theorizing. The methods section on annotation and LLM validation will need close attention, but the core contribution stands on its own.

Referee Report

2 major / 2 minor

Summary. The paper presents the first study of LLM-induced security risks in GitHub CI workflows. It develops a taxonomy of high-level risk classes and concrete threat vectors, then introduces Heimdallr, a hybrid analysis framework that normalizes workflows into an LLM-Workflow Property Graph (L-WPG), performs triggerability analysis, applies LLM-assisted dataflow summarization, and uses deterministic propagation to synthesize threat-vector findings. Evaluated on 300 manually annotated unique workflows, Heimdallr reports F1 scores of ~0.994 for LLM-node identification, 99.8% for triggerability classification, and micro-average F1 of ~0.917 for threat-vector detection. The authors have responsibly disclosed 802 vulnerable workflow instances across 759 repositories.

Significance. If the ground-truth construction and evaluation hold, the work is significant for bridging the underexplored intersection of LLM security and CI security. It supplies a concrete taxonomy, a practical detection pipeline with strong quantitative results on real GitHub data, and demonstrated real-world impact via disclosures. The hybrid graph-plus-LLM approach and the L-WPG representation are novel contributions that could inform future automated workflow security tools.

major comments (2)

[Evaluation] Evaluation section: The central claims rest on high accuracy metrics measured against 300 manually annotated workflows as ground truth for LLM-node identification, triggerability classification, and threat-vector detection. The manuscript provides no details on workflow selection criteria, inter-annotator agreement, annotator expertise, or steps taken to mitigate selection or labeling bias. Without these, it is impossible to assess whether the reported F1 scores (0.994, 99.8%, 0.917) generalize or are inflated by annotation artifacts.
[Heimdallr Design] Heimdallr design (L-WPG construction and propagation): The deterministic propagation step assumes that the LLM-assisted summarization produces accurate dataflow facts that can be safely propagated without introducing false positives or negatives. No validation experiments, error bounds, or sensitivity analysis on the summarization component are reported, yet this step is load-bearing for the threat-vector detection results.

minor comments (2)

[Abstract] The abstract uses approximate notation (F1~=~0.994) while the body presumably contains exact figures; align the abstract with the precise numbers and confidence intervals from the evaluation tables.
The taxonomy of risk classes and threat vectors would benefit from an explicit comparison table against prior CI security taxonomies to clarify novelty.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their thorough review, positive assessment of the work's significance, and recommendation for minor revision. We address each major comment below and commit to revisions that strengthen the manuscript without altering its core claims or results.

read point-by-point responses

Referee: [Evaluation] Evaluation section: The central claims rest on high accuracy metrics measured against 300 manually annotated workflows as ground truth for LLM-node identification, triggerability classification, and threat-vector detection. The manuscript provides no details on workflow selection criteria, inter-annotator agreement, annotator expertise, or steps taken to mitigate selection or labeling bias. Without these, it is impossible to assess whether the reported F1 scores (0.994, 99.8%, 0.917) generalize or are inflated by annotation artifacts.

Authors: We agree that the manuscript currently lacks explicit details on the ground-truth construction process. In the revised version, we will add a dedicated subsection to the Evaluation section that describes: workflow selection (stratified random sampling from a corpus of over 10,000 GitHub workflows containing LLM integrations, filtered for diversity in repository size and activity); annotator expertise (two authors with prior publications in CI security and LLM prompt injection); annotation protocol (independent labeling of LLM nodes, triggerability, and threat vectors, followed by consensus adjudication); inter-annotator agreement (Cohen's kappa of 0.87 for LLM-node identification and 0.91 for threat-vector labels); and bias mitigation (use of multiple data sources, blinding to Heimdallr outputs during initial labeling, and exclusion of workflows from the authors' own repositories). These additions will allow readers to evaluate potential annotation artifacts and generalizability. revision: yes
Referee: [Heimdallr Design] Heimdallr design (L-WPG construction and propagation): The deterministic propagation step assumes that the LLM-assisted summarization produces accurate dataflow facts that can be safely propagated without introducing false positives or negatives. No validation experiments, error bounds, or sensitivity analysis on the summarization component are reported, yet this step is load-bearing for the threat-vector detection results.

Authors: We acknowledge that the manuscript reports no isolated validation or sensitivity analysis for the LLM-assisted dataflow summarization step, even though it underpins the propagation used for threat-vector detection. While the end-to-end micro-average F1 of 0.917 provides indirect support, we agree that direct assessment would improve transparency. In the revision, we will add a new subsection under Heimdallr Design that includes: (1) a manual validation of summarization accuracy on 50 held-out workflows, reporting precision and recall of extracted dataflow facts against expert annotations; (2) error bounds derived from observed summarization discrepancies; and (3) a sensitivity analysis measuring how injected summarization errors (at varying rates) propagate to final threat-vector F1 scores. This will quantify the robustness of the deterministic propagation step. revision: yes

Circularity Check

0 steps flagged

No significant circularity detected

full rationale

The paper describes an empirical detection framework (L-WPG construction, triggerability analysis, LLM-assisted summarization, deterministic propagation) evaluated against an external manually annotated set of 300 workflows. Reported metrics (F1 scores for node identification, triggerability, and threat-vector detection) are presented as measured outcomes on this fixed ground-truth set rather than predictions derived from fitted parameters or self-referential definitions. No equations, uniqueness theorems, or load-bearing self-citations appear in the provided text that would reduce the central claims to the inputs by construction. The methodology relies on deterministic graph-based propagation with independent manual annotation, satisfying the criteria for a self-contained, non-circular result.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 1 invented entities

The framework rests on modeling assumptions about workflow execution chains and LLM integration without independent empirical grounding provided in the abstract; no free parameters or invented physical entities.

axioms (2)

domain assumption External inputs to CI workflows can shape LLM prompts and outputs in ways that affect security decisions or privileged execution.
Core premise for the attack surface and taxonomy.
domain assumption Workflows can be normalized into an LLM-Workflow Property Graph that enables triggerability analysis and dataflow summarization.
Foundational to the L-WPG construction and hybrid analysis.

invented entities (1)

LLM-Workflow Property Graph (L-WPG) no independent evidence
purpose: To represent and analyze the structure, triggers, and data flows in LLM-integrated GitHub CI workflows.
New modeling abstraction introduced for the detection framework.

pith-pipeline@v0.9.0 · 5560 in / 1603 out tokens · 71808 ms · 2026-05-08T09:25:44.892411+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

44 extracted references · 3 canonical work pages · 3 internal anchors

[1]

Sizhe Chen, Julien Piet, Chawin Sitawarin, and David Wagner. 2025. {StruQ}: Defending against prompt injection with structured queries. In34th USENIX Security Symposium (USENIX Security 25). 2383–2400

2025
[2]

Sizhe Chen, Yizhu Wang, Nicholas Carlini, Chawin Sitawarin, and David Wagner
[3]

InProceed- ings of the 18th ACM Workshop on Artificial Intelligence and Security

Defending against prompt injection with a few defensivetokens. InProceed- ings of the 18th ACM Workshop on Artificial Intelligence and Security. 242–252
[4]

Rein Daelman. 2025. PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents. https://www.aikido.dev/blog/promptpwnd-github- actions-ai-agents

2025
[5]

Keheliya Gallaba and Shane McIntosh. 2018. Use and misuse of continuous integration features: An empirical study of projects that (mis) use Travis CI.IEEE Transactions on Software Engineering46, 1 (2018), 33–50

2018
[6]

GHArchive. 2026. GH Archive — gharchive.org. https://www.gharchive.org/

2026
[7]

GitHub. 2026. Continuous integration - GitHub Docs — docs.github.com. https: //docs.github.com/en/actions/get-started/continuous-integration

2026
[8]

GitHub. 2026. Disallow access to secrets for pull_request trigger·commu- nity·Discussion #180109 — github.com. https://github.com/orgs/community/ discussions/180109

2026
[9]

GitHub. 2026. GitHub - actions/ai-inference: An action for calling AI models with GitHub Models — github.com. https://github.com/actions/ai-inference

2026
[10]

GitHub. 2026. GitHub - anthropics/claude-code-action — github.com. https: //github.com/anthropics/claude-code-action

2026
[11]

GitHub. 2026. GitHub - JohnsonRan/nomore-spam — github.com. https://github. com/{J}ohnson{R}an/nomore-spam

2026
[12]

GitHub. 2026. GitHub CLI — cli.github.com. https://cli.github.com/

2026
[13]

GitHub. 2026. GitHub Marketplace: tools to improve your workflow. https: //github.com/marketplace

2026
[14]

GitHub. 2026. Octokit — github.com. https://github.com/octokit

2026
[15]

GitHub. 2026. Reuse workflows - GitHub Docs — docs.github.com. https://docs. github.com/en/actions/how-tos/reuse-automations/reuse-workflows

2026
[16]

GitHub. 2026. toolkit/packages/core at main·actions/toolkit — github.com. https://github.com/actions/toolkit/tree/main/packages/core

2026
[17]

GitHub. 2026. toolkit/packages/github at main·actions/toolkit — github.com. https://github.com/actions/toolkit/tree/main/packages/github

2026
[18]

GitHub. 2026. Workflow syntax for GitHub Actions - GitHub Docs — docs.github.com. https://docs.github.com/en/actions/reference/workflows-and- actions/workflow-syntax

2026
[19]

Google. 2026. Gemini 3 Flash Preview | Gemini API | Google AI for Developers — ai.google.dev. https://ai.google.dev/gemini-api/docs/models/gemini-3-flash- preview

2026
[20]

Kai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz. 2023. Not what you’ve signed up for: Compromising real- world llm-integrated applications with indirect prompt injection. InProceedings of the 16th ACM workshop on artificial intelligence and security. 79–90

2023
[21]

Yacong Gu, Lingyun Ying, Huajun Chai, Yingyuan Pu, Haixin Duan, and Xing Gao. 2024. More haste, less speed: Cache related security threats in continuous integration services. In2024 IEEE Symposium on Security and Privacy (SP). IEEE, 1179–1197

2024
[22]

Yacong Gu, Lingyun Ying, Huajun Chai, Chu Qiao, Haixin Duan, and Xing Gao
[23]

In2023 IEEE Symposium on Security and Privacy (SP)

Continuous intrusion: Characterizing the security of continuous integration services. In2023 IEEE Symposium on Security and Privacy (SP). IEEE, 1561–1577
[24]

Junjie He, Shenao Wang, Yanjie Zhao, Xinyi Hou, Zhao Liu, Quanchen Zou, and Haoyu Wang. 2026. TaintP2X: Detecting Taint-Style Prompt-to-Anything Injection Vulnerabilities in LLM-Integrated Applications. In2026 IEEE/ACM 48th International Conference on Software Engineering (ICSE)

2026
[25]

Keegan Hines, Gary Lopez, Matthew Hall, Federico Zarfati, Yonatan Zunger, and Emre Kiciman. 2024. Defending against indirect prompt injection attacks with spotlighting.arXiv preprint arXiv:2403.14720(2024)

work page internal anchor Pith review arXiv 2024
[26]

Juhee Kim, Wenbo Guo, and Dawn Song. 2026. SoK: Attack and Defense Land- scape of Agentic AI Systems. In35nd USENIX Security Symposium (USENIX Security 26)

2026
[27]

Igibek Koishybayev, Aleksandr Nahapetyan, Raima Zachariah, Siddharth Muralee, Bradley Reaves, Alexandros Kapravelos, and Aravind Machiry. 2022. Character- izing the security of github {CI} workflows. In31st USENIX Security Symposium (USENIX Security 22). 2747–2763

2022
[28]

Xiaofan Li, Yacong Gu, Chu Qiao, Zhenkai Zhang, Daiping Liu, Lingyun Ying, Haixin Duan, and Xing Gao. 2024. Toward Understanding the Security of Plugins in Continuous Integration Services. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 482–496

2024
[29]

Zhi Li, Weijie Liu, Hongbo Chen, XiaoFeng Wang, Xiaojing Liao, Luyi Xing, Mingming Zha, Hai Jin, and Deqing Zou. 2022. Robbery on devops: Understanding and mitigating illicit cryptomining on continuous integration service platforms. Conference acronym ’XX, June 03–05, 2018, Woodstock, NY Ruan et al. In2022 IEEE Symposium on Security and Privacy (SP). IEEE...

2022
[30]

Fengyu Liu, Yuan Zhang, Jiaqi Luo, Jiarun Dai, Tian Chen, Letian Yuan, Zhengmin Yu, Youkun Shi, Ke Li, Chengyuan Zhou, et al. 2025. Make agent defeat agent: Automatic detection of {Taint-Style} vulnerabilities in {LLM-based} agents. In 34th USENIX Security Symposium (USENIX Security 25). 3767–3786

2025
[31]

Tong Liu, Zizhuang Deng, Guozhu Meng, Yuekang Li, and Kai Chen. 2024. De- mystifying rce vulnerabilities in llm-integrated apps. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 1716–1730

2024
[32]

Yupei Liu, Yuqi Jia, Runpeng Geng, Jinyuan Jia, and Neil Zhenqiang Gong. 2024. Formalizing and benchmarking prompt injection attacks and defenses. In33rd USENIX Security Symposium (USENIX Security 24). 1831–1847

2024
[33]

"Your AI, My Shell": Demystifying Prompt Injection Attacks on Agentic AI Coding Editors

Yue Liu, Yanjie Zhao, Yunbo Lyu, Ting Zhang, Haoyu Wang, and David Lo. 2025. " Your AI, My Shell": Demystifying Prompt Injection Attacks on Agentic AI Coding Editors.arXiv preprint arXiv:2509.22040(2025)

work page internal anchor Pith review Pith/arXiv arXiv 2025
[34]

Siddharth Muralee, Igibek Koishybayev, Aleksandr Nahapetyan, Greg Tystahl, Brad Reaves, Antonio Bianchi, William Enck, Alexandros Kapravelos, and Ar- avind Machiry. 2023. {ARGUS}: A Framework for Staged Static Taint Analysis of {GitHub} Workflows and Actions. In32nd USENIX Security Symposium (USENIX Security 23). 6983–7000

2023
[35]

OpenAI. 2026. GitHub - openai/codex-action — github.com. https://github.com/ openai/codex-action

2026
[36]

Ziyue Pan, Wenbo Shen, Xingkai Wang, Yutian Yang, Rui Chang, Yao Liu, Cheng- wei Liu, Yang Liu, and Kui Ren. 2023. Ambush from all sides: Understanding security threats in open-source software ci/cd pipelines.IEEE Transactions on Dependable and Secure Computing21, 1 (2023), 403–418

2023
[37]

Jiawen Shi, Zenghui Yuan, Yinuo Liu, Yue Huang, Pan Zhou, Lichao Sun, and Neil Zhenqiang Gong. 2024. Optimization-based prompt injection attack to llm- as-a-judge. InProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 660–674

2024
[38]

Jiawen Shi, Zenghui Yuan, Guiyao Tie, Pan Zhou, Neil Zhenqiang Gong, and Lichao Sun. 2026. Prompt injection attack to tool selection in llm agents. InPro- ceedings of the 33rd Network and Distributed System Security (NDSS) Symposium

2026
[39]

ssalgadodev. 2026. Content filtering for Microsoft Foundry Models (classic) - Microsoft Foundry (classic) portal — learn.microsoft.com. https://learn.microsoft. com/en-us/azure/foundry-classic/foundry-models/concepts/content-filter

2026
[40]

Kexin Sun, Hongyu Kuang, Sebastian Baltes, Xin Zhou, He Zhang, Xiaoxing Ma, Guoping Rong, Dong Shao, and Christoph Treude. 2025. Does ai code review lead to code changes? a case study of github actions.arXiv preprint arXiv:2508.18771 (2025)

work page internal anchor Pith review Pith/arXiv arXiv 2025
[41]

Greg Tystahl, Jonah Ghebremichael, Siddharth Muralee, Sourag Cherupat- tamoolayil, Antonio Bianchi, Aravind Machiry, Alexandros Kapravelos, and William Enck. 2026. COSSETER: GitHub Actions Permission Reduction Using Demand-Driven Static Analysis. In2026 IEEE Symposium on Security and Privacy (SP)

2026
[42]

Carmine Vassallo, Sebastian Proksch, Anna Jancso, Harald C Gall, and Massim- iliano Di Penta. 2020. Configuration smells in continuous delivery pipelines: a linter and a six-month study on GitLab. InProceedings of the 28th ACM joint meet- ing on european software engineering conference and symposium on the foundations of software engineering. 327–337

2020
[43]

Lianmin Zheng, Wei-Lin Chiang, Ying Sheng, Siyuan Zhuang, Zhanghao Wu, Yonghao Zhuang, Zi Lin, Zhuohan Li, Dacheng Li, Eric Xing, et al. 2023. Judging llm-as-a-judge with mt-bench and chatbot arena.Advances in neural information processing systems36 (2023), 46595–46623

2023
[44]

Yinan Zhong, Qianhao Miao, Yanjiao Chen, Jiangyi Deng, Yushi Cheng, and Wenyuan Xu. 2026. Attention is All You Need to Defend Against Indirect Prompt Injection Attacks in LLMs. InProceedings of the 33rd Network and Distributed System Security (NDSS) Symposium. A Scope and Assumptions Our analysis targets an LLM-integrated workflow together with its immedi...

2026