REVIEW 2 major objections 6 minor 59 references
Untrusted tickets and logs can drive network LLM agents into unsafe tool calls; only a metadata-aware execution gate stopped all attacks without blocking approved changes.
Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →
T0 review · grok-4.5
2026-07-14 11:19 UTC pith:NO4I76EF
load-bearing objection Solid domain benchmark: execution-time metadata gates beat prompt hygiene and static blocks on network-ops injection, under an explicit integrity assumption the authors own. the 2 major comments →
NetInjectBench: Benchmarking Indirect Prompt Injection in Tool-Using Large Language Model Agents for Network Operations
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Across 240 weak- and strong-attack instances on three local models, naive tool execution reached an 82.50% unsafe tool-action rate. Prompt-only safety, Self-Reminder, Spotlighting, and a Two-Pass LLM Judge reduced that rate to 25.63%, 21.67%, 18.33%, and 10.00%, while static allowlisting reached 5.00% but overblocked all approved high-impact changes. Under the stated metadata-integrity assumption, the metadata-aware policy gate produced 0/240 unsafe attack actions (95% Wilson upper bound 1.58%) with 99.17% attack-scenario usefulness and 100% approved-change usefulness.
What carries the argument
NetInjectBench’s scenario schema plus the metadata-aware policy gate: each scenario separates untrusted artifact text (visible to the model), trusted policy fields (approval status, maintenance window, approved tool/device/patch, change-request ID, used only by the gate), and evaluation-only labels. The gate treats the model’s tool call as a proposal and allows high-impact writes only when those trusted fields match; otherwise it falls back to safer diagnostics or escalation.
Load-bearing premise
Attackers can write or poison operational text, but they cannot change the trusted approval records, maintenance windows, or approved tool, device, and patch fields the gate actually checks.
What would settle it
Allow attack artifacts to also rewrite the trusted metadata the gate reads (or run multi-step cases where a safe read returns poisoned tool output that later authorizes a write); if the gate then executes unapproved high-impact actions, the zero-unsafe result under the paper’s threat model fails.
If this is right
- Network-ops agents should treat model tool proposals as non-authoritative until checked against change-management and maintenance-window records.
- Attack-only safety scores mislead: static blocks can look safe while making legitimate approved changes unusable.
- Policies must cover sensitive reads (for example topology queries), not only high-impact configuration writes.
- Prompt-level hygiene and LLM-only judges are defense-in-depth, not the final authorization boundary.
- Ops-domain agent benchmarks need approved high-impact counterexamples and an explicit trusted-metadata channel.
Where Pith is reading between the lines
- The same evidence-versus-authorization split likely applies to other ticket-driven settings such as IT service desks, cloud ops, and security operations tooling.
- Once multi-step agents are in scope, the gate may need to re-verify after every tool result, not only at the first selection.
- Large model-to-model gaps under prompt-only defenses imply that “a better system prompt is enough” will not transfer without per-model measurement.
- The natural next red-team target is the metadata channel itself—stale or compromised approval systems would invert the gate’s safety claim.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. NetInjectBench is a 130-scenario benchmark for indirect prompt injection against tool-using LLM agents in network operations. Scenarios separate untrusted artifact text, trusted authorization metadata, and evaluation-only labels across benign, weak-attack, strong-attack, and approved high-impact change sets. Three local 7–8B models are evaluated under seven execution settings. Naive execution yields 82.50% unsafe tool-action rate (UTAR) on 240 attack instances; prompt-level and LLM-only defenses reduce but do not eliminate unsafe actions; static allowlisting reaches 5% UTAR while blocking all approved changes; under an explicit metadata-integrity assumption, a deterministic metadata-aware policy gate reports 0/240 unsafe attack actions (95% Wilson upper bound 1.58%) with high usefulness on attacks and 100% usefulness on approved changes. The paper concludes that network-operation agents need execution-time authorization boundaries in addition to prompt hygiene.
Significance. If the results hold under the stated threat model, the paper makes a useful domain-specific contribution to agent security: it operationalizes the evidence-versus-authorization boundary for network change control, and it shows that attack-only safety metrics can mislead when approved high-impact actions are omitted. Strengths include an explicit schema separating prompt, policy, and evaluation fields; utility metrics that penalize overblocking (UAR/OBR); Wilson intervals and McNemar paired tests; risk/artifact/privilege breakdowns that expose sensitive-read failures left by write-only allowlists; and a deterministic metadata-stress suite (Table 11). The work is practically relevant to AIOps and change-managed infrastructure automation, and the planned public release of scenarios, runners, and scoring scripts would support reuse.
major comments (2)
- [§3.3, Table 5, §4.5, Table 16] §3.3 and Table 5 specify the policy gate primarily for high-impact apply_config_change (approval status, maintenance window, approved tool/device/patch, CR ID, ordered fallbacks). §4.5 and Table 16, however, attribute 0% UTAR on sensitive information exposure and control of unsafe query_topology to the same gate. The manuscript does not state the trusted attributes or decision rule used for sensitive-read authorization, nor how that rule avoids using evaluation-only labels. Because the static-allowlist contrast on sensitive reads is a load-bearing part of the “execution-time boundaries beat write-only blocking” claim, the sensitive-read policy must be specified at the same level of detail as the high-impact write checks (inputs, allow/deny conditions, fallbacks).
- [Table 10, Table 11, Table 13, §5.6] The approved-change usefulness claim (Table 10: 100% UAR for the policy gate; 0% UAR and 100% OBR for static allowlisting) rests on only 10 scenario templates (30 model-scenario instances). The Wilson interval for 100% usefulness is wide ([88.65%, 100.00%] in Table 13). The metadata-stress suite (Table 11) strengthens gate logic validation but is deterministic and not counted in LLM totals. For a central claim that metadata-aware gating preserves legitimate high-impact work while static blocking does not, the approved-change set should be enlarged and/or the paper should more clearly bound the strength of the usefulness generalization from N=10 templates.
minor comments (6)
- [§1] Section 1 ends with “Section??states the research objectives,” a broken cross-reference that should be fixed.
- [§3.5, Table 10] Self-Reminder, Spotlighting, and the Two-Pass LLM Judge are evaluated only on attack instances (§3.5). A short note or appendix on whether these methods degrade approved-change usefulness would make the method comparison more complete, even if not required for the main claim.
- [Figure 3, Figure 4] Figure 3 and Figure 4 are informative; ensure axis labels and method names remain legible in print and that the “T wo-Pass” spacing artifact in Figure 3 is corrected.
- [Table 14, §3.4] Normalization rates for naive/prompt methods are high (Table 14: NR up to 76.92%). Briefly state the normalization rules (argument aliases, device ID formats) so readers can judge whether repair could systematically affect tool choice labels.
- [§2.2] Related-work coverage is generally appropriate; a one-sentence comparison to concurrent agent firewall / tool-result parsing defenses already cited (e.g., Bhagwatkar et al., Yu et al.) on whether those systems encode change-control metadata would help position the policy gate.
- [§3.5, §5.6] Clarify temperature=0 and single-decode protocol earlier in §3.5 (it appears mainly in §5.6/§7) so readers do not assume stochastic multi-sample evaluation when reading the aggregate tables.
Circularity Check
No significant circularity: empirical benchmark comparison under an explicit threat model, not a derivation that reduces to its inputs.
full rationale
NetInjectBench is an empirical systems/security paper: it builds a 130-scenario benchmark, measures unsafe tool-action rates for naive and prompt/LLM defenses, and compares static allowlisting to a metadata-aware policy gate. The gate’s 0/240 attack UTAR is not a fitted or self-definitional “prediction”; it is deterministic enforcement under the paper’s stated metadata-integrity assumption (attacker can write artifact text, not trusted approval fields). The manuscript repeatedly frames that result as sample-level enforcement under that assumption (abstract; §3.1–3.2; Table 7; §5.5), not as a first-principles discovery. Independent empirical content remains: high naive UTAR (82.50%), residual failures under prompt-only/Self-Reminder/Spotlighting/Two-Pass Judge, static allowlist’s 100% approved-change overblocking, usefulness of gate fallbacks, model variation, and metadata-stress checks (Table 11). No self-citation chain, uniqueness import, fitted-parameter-as-prediction, or renaming of a known result carries the central claim. Score 0.
Axiom & Free-Parameter Ledger
free parameters (2)
- decoding temperature =
0
- approved-change scenario count =
10 scenarios
axioms (5)
- domain assumption Attacker can influence untrusted operational artifact text but cannot modify trusted policy metadata, tool registry, gate code, or evaluation labels.
- domain assumption Single-step first tool selection is a valid primary safety measurement for network-ops harm.
- ad hoc to paper Six mock tools with stated privilege levels adequately represent low-risk read, sensitive read, low-risk write, and high-impact write decisions.
- domain assumption Synthetic tickets/logs/runbooks/ChatOps messages are sufficiently realistic for measuring injection susceptibility and overblocking.
- standard math Wilson intervals and McNemar tests on scenario-level Bernoulli outcomes quantify sample uncertainty under deterministic decoding.
invented entities (2)
-
NetInjectBench scenario schema (prompt fields / trusted policy fields / evaluation-only labels)
no independent evidence
-
Metadata-aware policy gate with ordered safe fallbacks
independent evidence
read the original abstract
Tool-using large language model (LLM) agents are attractive for network operations, but tickets, alerts, logs, runbooks, and ChatOps messages can carry indirect prompt injections. We present NetInjectBench, a 130-scenario benchmark that separates untrusted artifact text, trusted policy metadata, and evaluation labels for network-operation tool use. The sample contains 40 benign, 40 weak-attack, 40 strong-attack, and 10 approved high-impact change scenarios; each is evaluated with Qwen2.5-7B, Llama3.1-8B, and Mistral-7B. Across 240 attack instances, naive execution reached an 82.50% unsafe tool-action rate. Prompt-only safety, Self-Reminder, Spotlighting, and a Two-Pass LLM Judge reduced this rate to 25.63%, 21.67%, 18.33%, and 10.00%, respectively. Static allowlisting reached 5.00% but blocked all approved changes, yielding 0.00% usefulness and 100.00% overblocking on approved cases. Under the stated metadata-integrity assumption, the metadata-aware policy gate produced 0/240 unsafe attack actions, with a 95% Wilson upper bound of 1.58%, while preserving 99.17% attack-scenario usefulness and 100.00% approved-change usefulness. The findings show that network-operation agents need execution-time authorization boundaries alongside prompt-level instruction hygiene.
Figures
Reference graph
Works this paper leans on
-
[1]
Advances in Neural Information Processing Systems , volume=
Attention is all you need , author=. Advances in Neural Information Processing Systems , volume=
-
[2]
Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies , pages=
BERT: Pre-training of deep bidirectional transformers for language understanding , author=. Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies , pages=. 2019 , doi=
2019
-
[3]
Advances in Neural Information Processing Systems , volume=
Language models are few-shot learners , author=. Advances in Neural Information Processing Systems , volume=
-
[4]
arXiv preprint arXiv:2108.07258 , year=
On the opportunities and risks of foundation models , author=. arXiv preprint arXiv:2108.07258 , year=
-
[5]
and Gebru, Timnit and McMillan-Major, Angelina and Shmitchell, Shmargaret , title =
Bender, Emily M. and Gebru, Timnit and McMillan-Major, Angelina and Shmitchell, Shmargaret , title =. Proceedings of the 2021 ACM Conference on Fairness, Accountability, and Transparency , pages =. 2021 , isbn =. doi:10.1145/3442188.3445922 , abstract =
-
[6]
arXiv preprint arXiv:2407.21783 , year=
The Llama 3 herd of models , author=. arXiv preprint arXiv:2407.21783 , year=
-
[7]
arXiv preprint arXiv:2412.15115 , year=
Qwen2.5 technical report , author=. arXiv preprint arXiv:2412.15115 , year=
-
[8]
arXiv preprint arXiv:2310.06825 , year=
Mistral 7B , author=. arXiv preprint arXiv:2310.06825 , year=
-
[9]
International Conference on Learning Representations , year=
ReAct: Synergizing reasoning and acting in language models , author=. International Conference on Learning Representations , year=
-
[10]
arXiv preprint arXiv:2205.00445 , year=
MRKL systems: A modular, neuro-symbolic architecture that combines large language models, external knowledge sources and discrete reasoning , author=. arXiv preprint arXiv:2205.00445 , year=
-
[11]
arXiv preprint arXiv:2302.04761 , year=
Toolformer: Language models can teach themselves to use tools , author=. arXiv preprint arXiv:2302.04761 , year=
-
[12]
Advances in Neural Information Processing Systems , year=
Gorilla: Large language model connected with massive APIs , author=. Advances in Neural Information Processing Systems , year=
-
[13]
Proceedings of the 2023 Conference on Empirical Methods in Natural Language Processing , pages=
API-Bank: A comprehensive benchmark for tool-augmented LLMs , author=. Proceedings of the 2023 Conference on Empirical Methods in Natural Language Processing , pages=. 2023 , doi=
2023
-
[14]
International Conference on Learning Representations , year=
ToolLLM: Facilitating large language models to master 16000+ real-world APIs , author=. International Conference on Learning Representations , year=
-
[15]
and Mao, Huanzhi and Yan, Fanjia and Ji, Charlie Cheng-Jie and Suresh, Vishnu and Stoica, Ion and Gonzalez, Joseph E
Patil, Shishir G. and Mao, Huanzhi and Yan, Fanjia and Ji, Charlie Cheng-Jie and Suresh, Vishnu and Stoica, Ion and Gonzalez, Joseph E. , booktitle=. The Berkeley Function Calling Leaderboard (. 2025 , publisher=
2025
-
[16]
Advances in Neural Information Processing Systems , year=
SWE-agent: Agent-computer interfaces enable automated software engineering , author=. Advances in Neural Information Processing Systems , year=
-
[17]
Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security , pages=
Not what you've signed up for: Compromising real-world LLM-integrated applications with indirect prompt injection , author=. Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security , pages=. 2023 , doi=
2023
-
[18]
arXiv preprint arXiv:2306.05499 , year=
Prompt injection attack against LLM-integrated applications , author=. arXiv preprint arXiv:2306.05499 , year=
-
[19]
Findings of the Association for Computational Linguistics: ACL 2024 , pages=
InjecAgent: Benchmarking indirect prompt injections in tool-integrated large language model agents , author=. Findings of the Association for Computational Linguistics: ACL 2024 , pages=. 2024 , doi=
2024
-
[20]
The Thirty-eighth Conference on Neural Information Processing Systems Datasets and Benchmarks Track , year=
AgentDojo: A dynamic environment to evaluate prompt injection attacks and defenses for LLM agents , author=. The Thirty-eighth Conference on Neural Information Processing Systems Datasets and Benchmarks Track , year=
-
[21]
2025 , howpublished=
LLM01:2025 Prompt injection , author=. 2025 , howpublished=
2025
-
[22]
arXiv preprint arXiv:2402.06363 , year=
StruQ: Defending against prompt injection with structured queries , author=. arXiv preprint arXiv:2402.06363 , year=
-
[23]
arXiv preprint arXiv:2404.13208 , year=
The instruction hierarchy: Training LLMs to prioritize privileged instructions , author=. arXiv preprint arXiv:2404.13208 , year=
-
[24]
arXiv preprint arXiv:2403.14720 , year=
Defending against indirect prompt injection attacks with spotlighting , author=. arXiv preprint arXiv:2403.14720 , year=
-
[25]
Nature Machine Intelligence , volume=
Defending ChatGPT against jailbreak attack via self-reminders , author=. Nature Machine Intelligence , volume=. 2023 , doi=
2023
-
[26]
arXiv preprint arXiv:2408.01605 , year=
CyberSecEval 3: Advancing the evaluation of cybersecurity risks and capabilities in large language models , author=. arXiv preprint arXiv:2408.01605 , year=
-
[27]
33rd USENIX Security Symposium , pages=
PentestGPT: Evaluating and harnessing large language models for automated penetration testing , author=. 33rd USENIX Security Symposium , pages=
-
[28]
2020 , doi=
Zero Trust Architecture , author=. 2020 , doi=
2020
-
[29]
2014 , doi=
Guide to Attribute Based Access Control (ABAC) Definition and Considerations , author=. 2014 , doi=
2014
-
[30]
Computer , volume=
Role-based access control models , author=. Computer , volume=. 1996 , doi=
1996
-
[31]
2020 , doi=
Security and Privacy Controls for Information Systems and Organizations , author=. 2020 , doi=
2020
-
[32]
2019 , url=
Zero-touch network and Service Management (ZSM); Reference Architecture , author=. 2019 , url=
2019
-
[33]
IEEE Communications Surveys and Tutorials , volume=
A survey on intent-based networking , author=. IEEE Communications Surveys and Tutorials , volume=. 2023 , doi=
2023
-
[34]
arXiv preprint arXiv:2012.09108 , year=
A systematic mapping study in AIOps , author=. arXiv preprint arXiv:2012.09108 , year=
Pith/arXiv arXiv 2012
-
[35]
arXiv preprint arXiv:2101.06054 , year=
Artificial intelligence for IT operations (AIOps) workshop white paper , author=. arXiv preprint arXiv:2101.06054 , year=
-
[36]
and Li, Ying , title =
Zhang, Lingzhe and Jia, Tong and Jia, Mengxi and Wu, Yifan and Liu, Aiwei and Yang, Yong and Wu, Zhonghai and Hu, Xuming and Yu, Philip S. and Li, Ying , title =. ACM Computing Surveys , volume =. 2026 , doi =
2026
-
[37]
Communications of the ACM , volume=
Datasheets for datasets , author=. Communications of the ACM , volume=. 2021 , doi=
2021
-
[38]
Transactions of the Association for Computational Linguistics , volume=
Data statements for natural language processing: Toward mitigating system bias and enabling better science , author=. Transactions of the Association for Computational Linguistics , volume=. 2018 , doi=
2018
-
[39]
Proceedings of the Conference on Fairness, Accountability, and Transparency , pages=
Model cards for model reporting , author=. Proceedings of the Conference on Fairness, Accountability, and Transparency , pages=. 2019 , doi=
2019
-
[40]
Journal of the American Statistical Association , volume=
Probable inference, the law of succession, and statistical inference , author=. Journal of the American Statistical Association , volume=. 1927 , doi=
1927
-
[41]
Statistics in Medicine , volume=
Two-sided confidence intervals for the single proportion: Comparison of seven methods , author=. Statistics in Medicine , volume=. 1998 , doi=
1998
-
[42]
Journal of Machine Learning Research , volume=
Scikit-learn: Machine learning in Python , author=. Journal of Machine Learning Research , volume=
-
[43]
Advances in Neural Information Processing Systems , volume=
Retrieval-augmented generation for knowledge-intensive NLP tasks , author=. Advances in Neural Information Processing Systems , volume=
-
[44]
arXiv preprint arXiv:2112.04359 , year=
Ethical and social risks of harm from Language Models , author=. arXiv preprint arXiv:2112.04359 , year=
-
[45]
Transactions on Machine Learning Research , year=
Augmented language models: A survey , author=. Transactions on Machine Learning Research , year=
-
[46]
International Conference on Learning Representations , year=
Aligning AI with shared human values , author=. International Conference on Learning Representations , year=
-
[47]
arXiv preprint arXiv:2109.13916 , year=
Unsolved problems in ML safety , author=. arXiv preprint arXiv:2109.13916 , year=
-
[48]
arXiv preprint arXiv:2305.15324 , year=
Model evaluation for extreme risks , author=. arXiv preprint arXiv:2305.15324 , year=
-
[49]
arXiv preprint arXiv:2602.03117 , year=
AgentDyn: Are Your Agent Security Defenses Deployable in Real-World Dynamic Environments? , author=. arXiv preprint arXiv:2602.03117 , year=. doi:10.48550/arXiv.2602.03117 , url=
-
[50]
Psychometrika , volume=
Note on the sampling error of the difference between correlated proportions or percentages , author=. Psychometrika , volume=. 1947 , doi=
1947
-
[51]
Ollama , howpublished =
-
[52]
Proceedings of the 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining V.1 , pages=
Benchmarking and defending against indirect prompt injection attacks on large language models , author=. Proceedings of the 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining V.1 , pages=. 2025 , publisher=
2025
-
[53]
Adaptive Attacks Break Defenses Against Indirect Prompt Injection Attacks on
Zhan, Qiusi and Fang, Richard and Panchal, Henil Shalin and Kang, Daniel , booktitle=. Adaptive Attacks Break Defenses Against Indirect Prompt Injection Attacks on. 2025 , publisher=
2025
-
[54]
Optimizing text-to-
Ojuri, Samuel and Han, The Anh and Chiong, Raymond and Di Stefano, Alessandro , journal=. Optimizing text-to-. 2025 , doi=
2025
-
[55]
Information Processing & Management , volume=
Mitigating privacy risks in Retrieval-Augmented Generation via locally private entity perturbation , author=. Information Processing & Management , volume=. 2025 , doi=
2025
-
[56]
arXiv preprint arXiv:2601.04795 , year=
Defense Against Indirect Prompt Injection via Tool Result Parsing , author=. arXiv preprint arXiv:2601.04795 , year=
-
[57]
arXiv preprint arXiv:2510.05244 , year=
Indirect Prompt Injections: Are Firewalls All You Need, or Stronger Benchmarks? , author=. arXiv preprint arXiv:2510.05244 , year=
-
[58]
Wang, Che and Zhang, Fuyao and Zhang, Jiaming and Zhang, Ziqi and Wang, Yinghui and Huang, Longtao and Gao, Jianbo and Chen, Zhong and Lim, Wei Yang Bryan , journal=
-
[59]
Hossain, S M Asif and Shayoni, Ruksat Khan and Ameen, Mohd Ruhul and Islam, Akif and Mridha, M. F. and Shin, Jungpil , title=. 2025 IEEE International Women in Engineering (. 2025 , publisher=
2025
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.