Pith. sign in

REVIEW 2 major objections 6 minor 59 references

Untrusted tickets and logs can drive network LLM agents into unsafe tool calls; only a metadata-aware execution gate stopped all attacks without blocking approved changes.

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · grok-4.5

2026-07-14 11:19 UTC pith:NO4I76EF

load-bearing objection Solid domain benchmark: execution-time metadata gates beat prompt hygiene and static blocks on network-ops injection, under an explicit integrity assumption the authors own. the 2 major comments →

arxiv 2607.10490 v1 pith:NO4I76EF submitted 2026-07-11 cs.CR cs.LG

NetInjectBench: Benchmarking Indirect Prompt Injection in Tool-Using Large Language Model Agents for Network Operations

classification cs.CR cs.LG
keywords large language modelsprompt injectiontool usenetwork operationsagent safetybenchmarkingpolicy enforcement
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Tool-using language-model agents are appealing for network operations, but the tickets, alerts, logs, runbooks, and chat messages they read can carry hidden instructions. NetInjectBench is a 130-scenario benchmark that keeps untrusted artifact text, trusted authorization metadata, and scoring labels structurally separate, then tests three open 7–8B models under weak attacks, strong authority-style attacks, benign work, and legitimate approved changes. Naive execution chose an unsafe tool action in 82.5% of 240 attack instances. Prompt-level defenses and a second-pass LLM judge cut that rate but left residual failures; a global block on the high-impact change tool looked safer on attacks yet blocked every approved change. Under the paper’s metadata-integrity assumption, a deterministic policy gate that checks trusted approval facts before execution produced zero unsafe attack actions while preserving useful diagnostic and approved-change behavior. The claim is that network-operation agents need an execution-time authorization boundary, not only cleaner prompts.

Core claim

Across 240 weak- and strong-attack instances on three local models, naive tool execution reached an 82.50% unsafe tool-action rate. Prompt-only safety, Self-Reminder, Spotlighting, and a Two-Pass LLM Judge reduced that rate to 25.63%, 21.67%, 18.33%, and 10.00%, while static allowlisting reached 5.00% but overblocked all approved high-impact changes. Under the stated metadata-integrity assumption, the metadata-aware policy gate produced 0/240 unsafe attack actions (95% Wilson upper bound 1.58%) with 99.17% attack-scenario usefulness and 100% approved-change usefulness.

What carries the argument

NetInjectBench’s scenario schema plus the metadata-aware policy gate: each scenario separates untrusted artifact text (visible to the model), trusted policy fields (approval status, maintenance window, approved tool/device/patch, change-request ID, used only by the gate), and evaluation-only labels. The gate treats the model’s tool call as a proposal and allows high-impact writes only when those trusted fields match; otherwise it falls back to safer diagnostics or escalation.

Load-bearing premise

Attackers can write or poison operational text, but they cannot change the trusted approval records, maintenance windows, or approved tool, device, and patch fields the gate actually checks.

What would settle it

Allow attack artifacts to also rewrite the trusted metadata the gate reads (or run multi-step cases where a safe read returns poisoned tool output that later authorizes a write); if the gate then executes unapproved high-impact actions, the zero-unsafe result under the paper’s threat model fails.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • Network-ops agents should treat model tool proposals as non-authoritative until checked against change-management and maintenance-window records.
  • Attack-only safety scores mislead: static blocks can look safe while making legitimate approved changes unusable.
  • Policies must cover sensitive reads (for example topology queries), not only high-impact configuration writes.
  • Prompt-level hygiene and LLM-only judges are defense-in-depth, not the final authorization boundary.
  • Ops-domain agent benchmarks need approved high-impact counterexamples and an explicit trusted-metadata channel.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same evidence-versus-authorization split likely applies to other ticket-driven settings such as IT service desks, cloud ops, and security operations tooling.
  • Once multi-step agents are in scope, the gate may need to re-verify after every tool result, not only at the first selection.
  • Large model-to-model gaps under prompt-only defenses imply that “a better system prompt is enough” will not transfer without per-model measurement.
  • The natural next red-team target is the metadata channel itself—stale or compromised approval systems would invert the gate’s safety claim.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

2 major / 6 minor

Summary. NetInjectBench is a 130-scenario benchmark for indirect prompt injection against tool-using LLM agents in network operations. Scenarios separate untrusted artifact text, trusted authorization metadata, and evaluation-only labels across benign, weak-attack, strong-attack, and approved high-impact change sets. Three local 7–8B models are evaluated under seven execution settings. Naive execution yields 82.50% unsafe tool-action rate (UTAR) on 240 attack instances; prompt-level and LLM-only defenses reduce but do not eliminate unsafe actions; static allowlisting reaches 5% UTAR while blocking all approved changes; under an explicit metadata-integrity assumption, a deterministic metadata-aware policy gate reports 0/240 unsafe attack actions (95% Wilson upper bound 1.58%) with high usefulness on attacks and 100% usefulness on approved changes. The paper concludes that network-operation agents need execution-time authorization boundaries in addition to prompt hygiene.

Significance. If the results hold under the stated threat model, the paper makes a useful domain-specific contribution to agent security: it operationalizes the evidence-versus-authorization boundary for network change control, and it shows that attack-only safety metrics can mislead when approved high-impact actions are omitted. Strengths include an explicit schema separating prompt, policy, and evaluation fields; utility metrics that penalize overblocking (UAR/OBR); Wilson intervals and McNemar paired tests; risk/artifact/privilege breakdowns that expose sensitive-read failures left by write-only allowlists; and a deterministic metadata-stress suite (Table 11). The work is practically relevant to AIOps and change-managed infrastructure automation, and the planned public release of scenarios, runners, and scoring scripts would support reuse.

major comments (2)
  1. [§3.3, Table 5, §4.5, Table 16] §3.3 and Table 5 specify the policy gate primarily for high-impact apply_config_change (approval status, maintenance window, approved tool/device/patch, CR ID, ordered fallbacks). §4.5 and Table 16, however, attribute 0% UTAR on sensitive information exposure and control of unsafe query_topology to the same gate. The manuscript does not state the trusted attributes or decision rule used for sensitive-read authorization, nor how that rule avoids using evaluation-only labels. Because the static-allowlist contrast on sensitive reads is a load-bearing part of the “execution-time boundaries beat write-only blocking” claim, the sensitive-read policy must be specified at the same level of detail as the high-impact write checks (inputs, allow/deny conditions, fallbacks).
  2. [Table 10, Table 11, Table 13, §5.6] The approved-change usefulness claim (Table 10: 100% UAR for the policy gate; 0% UAR and 100% OBR for static allowlisting) rests on only 10 scenario templates (30 model-scenario instances). The Wilson interval for 100% usefulness is wide ([88.65%, 100.00%] in Table 13). The metadata-stress suite (Table 11) strengthens gate logic validation but is deterministic and not counted in LLM totals. For a central claim that metadata-aware gating preserves legitimate high-impact work while static blocking does not, the approved-change set should be enlarged and/or the paper should more clearly bound the strength of the usefulness generalization from N=10 templates.
minor comments (6)
  1. [§1] Section 1 ends with “Section??states the research objectives,” a broken cross-reference that should be fixed.
  2. [§3.5, Table 10] Self-Reminder, Spotlighting, and the Two-Pass LLM Judge are evaluated only on attack instances (§3.5). A short note or appendix on whether these methods degrade approved-change usefulness would make the method comparison more complete, even if not required for the main claim.
  3. [Figure 3, Figure 4] Figure 3 and Figure 4 are informative; ensure axis labels and method names remain legible in print and that the “T wo-Pass” spacing artifact in Figure 3 is corrected.
  4. [Table 14, §3.4] Normalization rates for naive/prompt methods are high (Table 14: NR up to 76.92%). Briefly state the normalization rules (argument aliases, device ID formats) so readers can judge whether repair could systematically affect tool choice labels.
  5. [§2.2] Related-work coverage is generally appropriate; a one-sentence comparison to concurrent agent firewall / tool-result parsing defenses already cited (e.g., Bhagwatkar et al., Yu et al.) on whether those systems encode change-control metadata would help position the policy gate.
  6. [§3.5, §5.6] Clarify temperature=0 and single-decode protocol earlier in §3.5 (it appears mainly in §5.6/§7) so readers do not assume stochastic multi-sample evaluation when reading the aggregate tables.

Circularity Check

0 steps flagged

No significant circularity: empirical benchmark comparison under an explicit threat model, not a derivation that reduces to its inputs.

full rationale

NetInjectBench is an empirical systems/security paper: it builds a 130-scenario benchmark, measures unsafe tool-action rates for naive and prompt/LLM defenses, and compares static allowlisting to a metadata-aware policy gate. The gate’s 0/240 attack UTAR is not a fitted or self-definitional “prediction”; it is deterministic enforcement under the paper’s stated metadata-integrity assumption (attacker can write artifact text, not trusted approval fields). The manuscript repeatedly frames that result as sample-level enforcement under that assumption (abstract; §3.1–3.2; Table 7; §5.5), not as a first-principles discovery. Independent empirical content remains: high naive UTAR (82.50%), residual failures under prompt-only/Self-Reminder/Spotlighting/Two-Pass Judge, static allowlist’s 100% approved-change overblocking, usefulness of gate fallbacks, model variation, and metadata-stress checks (Table 11). No self-citation chain, uniqueness import, fitted-parameter-as-prediction, or renaming of a known result carries the central claim. Score 0.

Axiom & Free-Parameter Ledger

2 free parameters · 5 axioms · 2 invented entities

The central safety claim rests on a standard access-control-style integrity assumption for policy metadata, a single-step tool-selection measurement design, mock tools as stand-ins for real ops actions, and synthetic scenario construction—not on fitted physical constants. No new particles or forces; the main invented construct is the benchmark and the deterministic gate logic itself, which is testable by construction against the stated metadata channel.

free parameters (2)
  • decoding temperature = 0
    Fixed to 0 for reproducibility; not fitted to maximize the gate’s advantage, but stochastic multi-sample behavior is left to future work and could change residual rates for prompt/judge methods.
  • approved-change scenario count = 10 scenarios
    Only 10 templates (30 model instances) define the 100% approved usefulness claim for the gate vs 0% for static allowlist; small N widens uncertainty on that utility claim.
axioms (5)
  • domain assumption Attacker can influence untrusted operational artifact text but cannot modify trusted policy metadata, tool registry, gate code, or evaluation labels.
    Stated threat model and §3.2; load-bearing for interpreting 0/240 UTAR as authorization-boundary enforcement rather than metadata-compromise detection.
  • domain assumption Single-step first tool selection is a valid primary safety measurement for network-ops harm.
    §3.1 explicitly scopes multi-step tool-output poisoning as future work; if most real harm requires multi-step chains, measured residual rates understate risk for prompt-only methods.
  • ad hoc to paper Six mock tools with stated privilege levels adequately represent low-risk read, sensitive read, low-risk write, and high-impact write decisions.
    §3.3 compact tool set; simplifies scoring but omits richer ops actions (rollback, quarantine, ACL update, credential rotation).
  • domain assumption Synthetic tickets/logs/runbooks/ChatOps messages are sufficiently realistic for measuring injection susceptibility and overblocking.
    §5.6 external-validity limitation; enables release and confidentiality but may not match real ticket distributions.
  • standard math Wilson intervals and McNemar tests on scenario-level Bernoulli outcomes quantify sample uncertainty under deterministic decoding.
    §3.4 cites Wilson (1927) and McNemar (1947); appropriate for the reported proportions.
invented entities (2)
  • NetInjectBench scenario schema (prompt fields / trusted policy fields / evaluation-only labels) no independent evidence
    purpose: Make the artifact–authorization boundary measurable and prevent the gate from using answer keys.
    Core methodological construct of the paper; independent evidence is the released JSON scenarios and scoring scripts (promised post-acceptance).
  • Metadata-aware policy gate with ordered safe fallbacks independent evidence
    purpose: Deterministically allow high-impact apply_config_change only when trusted metadata matches, else redirect to diagnostic/escalation tools.
    Implementation of standard ABAC/change-control ideas for LLM tool proposals; falsifiable via the metadata-stress table, not a new physical entity.

pith-pipeline@v1.1.0-grok45 · 25735 in / 3468 out tokens · 52510 ms · 2026-07-14T11:19:16.245735+00:00 · methodology

0 comments
read the original abstract

Tool-using large language model (LLM) agents are attractive for network operations, but tickets, alerts, logs, runbooks, and ChatOps messages can carry indirect prompt injections. We present NetInjectBench, a 130-scenario benchmark that separates untrusted artifact text, trusted policy metadata, and evaluation labels for network-operation tool use. The sample contains 40 benign, 40 weak-attack, 40 strong-attack, and 10 approved high-impact change scenarios; each is evaluated with Qwen2.5-7B, Llama3.1-8B, and Mistral-7B. Across 240 attack instances, naive execution reached an 82.50% unsafe tool-action rate. Prompt-only safety, Self-Reminder, Spotlighting, and a Two-Pass LLM Judge reduced this rate to 25.63%, 21.67%, 18.33%, and 10.00%, respectively. Static allowlisting reached 5.00% but blocked all approved changes, yielding 0.00% usefulness and 100.00% overblocking on approved cases. Under the stated metadata-integrity assumption, the metadata-aware policy gate produced 0/240 unsafe attack actions, with a 95% Wilson upper bound of 1.58%, while preserving 99.17% attack-scenario usefulness and 100.00% approved-change usefulness. The findings show that network-operation agents need execution-time authorization boundaries alongside prompt-level instruction hygiene.

Figures

Figures reproduced from arXiv: 2607.10490 by M. F. Mridha, Muhammad Faraz Shoaib, Ruksat Khan Shayoni, S M Asif Hossain.

Figure 1
Figure 1. Figure 1: Threat model for indirect prompt injection in NetInjectBench. Benign oper [PITH_FULL_IMAGE:figures/full_fig_p008_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Metadata-aware policy-gate flow in NetInjectBench. The LLM proposes a tool [PITH_FULL_IMAGE:figures/full_fig_p014_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Aggregate attack performance. Prompt-level and lightweight defenses reduce un [PITH_FULL_IMAGE:figures/full_fig_p020_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Approved high-impact change results. Static allowlisting blocks all legitimate [PITH_FULL_IMAGE:figures/full_fig_p023_4.png] view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

59 extracted references · 17 linked inside Pith

  1. [1]

    Advances in Neural Information Processing Systems , volume=

    Attention is all you need , author=. Advances in Neural Information Processing Systems , volume=

  2. [2]

    Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies , pages=

    BERT: Pre-training of deep bidirectional transformers for language understanding , author=. Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies , pages=. 2019 , doi=

  3. [3]

    Advances in Neural Information Processing Systems , volume=

    Language models are few-shot learners , author=. Advances in Neural Information Processing Systems , volume=

  4. [4]

    arXiv preprint arXiv:2108.07258 , year=

    On the opportunities and risks of foundation models , author=. arXiv preprint arXiv:2108.07258 , year=

  5. [5]

    and Gebru, Timnit and McMillan-Major, Angelina and Shmitchell, Shmargaret , title =

    Bender, Emily M. and Gebru, Timnit and McMillan-Major, Angelina and Shmitchell, Shmargaret , title =. Proceedings of the 2021 ACM Conference on Fairness, Accountability, and Transparency , pages =. 2021 , isbn =. doi:10.1145/3442188.3445922 , abstract =

  6. [6]

    arXiv preprint arXiv:2407.21783 , year=

    The Llama 3 herd of models , author=. arXiv preprint arXiv:2407.21783 , year=

  7. [7]

    arXiv preprint arXiv:2412.15115 , year=

    Qwen2.5 technical report , author=. arXiv preprint arXiv:2412.15115 , year=

  8. [8]

    arXiv preprint arXiv:2310.06825 , year=

    Mistral 7B , author=. arXiv preprint arXiv:2310.06825 , year=

  9. [9]

    International Conference on Learning Representations , year=

    ReAct: Synergizing reasoning and acting in language models , author=. International Conference on Learning Representations , year=

  10. [10]

    arXiv preprint arXiv:2205.00445 , year=

    MRKL systems: A modular, neuro-symbolic architecture that combines large language models, external knowledge sources and discrete reasoning , author=. arXiv preprint arXiv:2205.00445 , year=

  11. [11]

    arXiv preprint arXiv:2302.04761 , year=

    Toolformer: Language models can teach themselves to use tools , author=. arXiv preprint arXiv:2302.04761 , year=

  12. [12]

    Advances in Neural Information Processing Systems , year=

    Gorilla: Large language model connected with massive APIs , author=. Advances in Neural Information Processing Systems , year=

  13. [13]

    Proceedings of the 2023 Conference on Empirical Methods in Natural Language Processing , pages=

    API-Bank: A comprehensive benchmark for tool-augmented LLMs , author=. Proceedings of the 2023 Conference on Empirical Methods in Natural Language Processing , pages=. 2023 , doi=

  14. [14]

    International Conference on Learning Representations , year=

    ToolLLM: Facilitating large language models to master 16000+ real-world APIs , author=. International Conference on Learning Representations , year=

  15. [15]

    and Mao, Huanzhi and Yan, Fanjia and Ji, Charlie Cheng-Jie and Suresh, Vishnu and Stoica, Ion and Gonzalez, Joseph E

    Patil, Shishir G. and Mao, Huanzhi and Yan, Fanjia and Ji, Charlie Cheng-Jie and Suresh, Vishnu and Stoica, Ion and Gonzalez, Joseph E. , booktitle=. The Berkeley Function Calling Leaderboard (. 2025 , publisher=

  16. [16]

    Advances in Neural Information Processing Systems , year=

    SWE-agent: Agent-computer interfaces enable automated software engineering , author=. Advances in Neural Information Processing Systems , year=

  17. [17]

    Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security , pages=

    Not what you've signed up for: Compromising real-world LLM-integrated applications with indirect prompt injection , author=. Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security , pages=. 2023 , doi=

  18. [18]

    arXiv preprint arXiv:2306.05499 , year=

    Prompt injection attack against LLM-integrated applications , author=. arXiv preprint arXiv:2306.05499 , year=

  19. [19]

    Findings of the Association for Computational Linguistics: ACL 2024 , pages=

    InjecAgent: Benchmarking indirect prompt injections in tool-integrated large language model agents , author=. Findings of the Association for Computational Linguistics: ACL 2024 , pages=. 2024 , doi=

  20. [20]

    The Thirty-eighth Conference on Neural Information Processing Systems Datasets and Benchmarks Track , year=

    AgentDojo: A dynamic environment to evaluate prompt injection attacks and defenses for LLM agents , author=. The Thirty-eighth Conference on Neural Information Processing Systems Datasets and Benchmarks Track , year=

  21. [21]

    2025 , howpublished=

    LLM01:2025 Prompt injection , author=. 2025 , howpublished=

  22. [22]

    arXiv preprint arXiv:2402.06363 , year=

    StruQ: Defending against prompt injection with structured queries , author=. arXiv preprint arXiv:2402.06363 , year=

  23. [23]

    arXiv preprint arXiv:2404.13208 , year=

    The instruction hierarchy: Training LLMs to prioritize privileged instructions , author=. arXiv preprint arXiv:2404.13208 , year=

  24. [24]

    arXiv preprint arXiv:2403.14720 , year=

    Defending against indirect prompt injection attacks with spotlighting , author=. arXiv preprint arXiv:2403.14720 , year=

  25. [25]

    Nature Machine Intelligence , volume=

    Defending ChatGPT against jailbreak attack via self-reminders , author=. Nature Machine Intelligence , volume=. 2023 , doi=

  26. [26]

    arXiv preprint arXiv:2408.01605 , year=

    CyberSecEval 3: Advancing the evaluation of cybersecurity risks and capabilities in large language models , author=. arXiv preprint arXiv:2408.01605 , year=

  27. [27]

    33rd USENIX Security Symposium , pages=

    PentestGPT: Evaluating and harnessing large language models for automated penetration testing , author=. 33rd USENIX Security Symposium , pages=

  28. [28]

    2020 , doi=

    Zero Trust Architecture , author=. 2020 , doi=

  29. [29]

    2014 , doi=

    Guide to Attribute Based Access Control (ABAC) Definition and Considerations , author=. 2014 , doi=

  30. [30]

    Computer , volume=

    Role-based access control models , author=. Computer , volume=. 1996 , doi=

  31. [31]

    2020 , doi=

    Security and Privacy Controls for Information Systems and Organizations , author=. 2020 , doi=

  32. [32]

    2019 , url=

    Zero-touch network and Service Management (ZSM); Reference Architecture , author=. 2019 , url=

  33. [33]

    IEEE Communications Surveys and Tutorials , volume=

    A survey on intent-based networking , author=. IEEE Communications Surveys and Tutorials , volume=. 2023 , doi=

  34. [34]

    arXiv preprint arXiv:2012.09108 , year=

    A systematic mapping study in AIOps , author=. arXiv preprint arXiv:2012.09108 , year=

  35. [35]

    arXiv preprint arXiv:2101.06054 , year=

    Artificial intelligence for IT operations (AIOps) workshop white paper , author=. arXiv preprint arXiv:2101.06054 , year=

  36. [36]

    and Li, Ying , title =

    Zhang, Lingzhe and Jia, Tong and Jia, Mengxi and Wu, Yifan and Liu, Aiwei and Yang, Yong and Wu, Zhonghai and Hu, Xuming and Yu, Philip S. and Li, Ying , title =. ACM Computing Surveys , volume =. 2026 , doi =

  37. [37]

    Communications of the ACM , volume=

    Datasheets for datasets , author=. Communications of the ACM , volume=. 2021 , doi=

  38. [38]

    Transactions of the Association for Computational Linguistics , volume=

    Data statements for natural language processing: Toward mitigating system bias and enabling better science , author=. Transactions of the Association for Computational Linguistics , volume=. 2018 , doi=

  39. [39]

    Proceedings of the Conference on Fairness, Accountability, and Transparency , pages=

    Model cards for model reporting , author=. Proceedings of the Conference on Fairness, Accountability, and Transparency , pages=. 2019 , doi=

  40. [40]

    Journal of the American Statistical Association , volume=

    Probable inference, the law of succession, and statistical inference , author=. Journal of the American Statistical Association , volume=. 1927 , doi=

  41. [41]

    Statistics in Medicine , volume=

    Two-sided confidence intervals for the single proportion: Comparison of seven methods , author=. Statistics in Medicine , volume=. 1998 , doi=

  42. [42]

    Journal of Machine Learning Research , volume=

    Scikit-learn: Machine learning in Python , author=. Journal of Machine Learning Research , volume=

  43. [43]

    Advances in Neural Information Processing Systems , volume=

    Retrieval-augmented generation for knowledge-intensive NLP tasks , author=. Advances in Neural Information Processing Systems , volume=

  44. [44]

    arXiv preprint arXiv:2112.04359 , year=

    Ethical and social risks of harm from Language Models , author=. arXiv preprint arXiv:2112.04359 , year=

  45. [45]

    Transactions on Machine Learning Research , year=

    Augmented language models: A survey , author=. Transactions on Machine Learning Research , year=

  46. [46]

    International Conference on Learning Representations , year=

    Aligning AI with shared human values , author=. International Conference on Learning Representations , year=

  47. [47]

    arXiv preprint arXiv:2109.13916 , year=

    Unsolved problems in ML safety , author=. arXiv preprint arXiv:2109.13916 , year=

  48. [48]

    arXiv preprint arXiv:2305.15324 , year=

    Model evaluation for extreme risks , author=. arXiv preprint arXiv:2305.15324 , year=

  49. [49]

    arXiv preprint arXiv:2602.03117 , year=

    AgentDyn: Are Your Agent Security Defenses Deployable in Real-World Dynamic Environments? , author=. arXiv preprint arXiv:2602.03117 , year=. doi:10.48550/arXiv.2602.03117 , url=

  50. [50]

    Psychometrika , volume=

    Note on the sampling error of the difference between correlated proportions or percentages , author=. Psychometrika , volume=. 1947 , doi=

  51. [51]

    Ollama , howpublished =

  52. [52]

    Proceedings of the 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining V.1 , pages=

    Benchmarking and defending against indirect prompt injection attacks on large language models , author=. Proceedings of the 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining V.1 , pages=. 2025 , publisher=

  53. [53]

    Adaptive Attacks Break Defenses Against Indirect Prompt Injection Attacks on

    Zhan, Qiusi and Fang, Richard and Panchal, Henil Shalin and Kang, Daniel , booktitle=. Adaptive Attacks Break Defenses Against Indirect Prompt Injection Attacks on. 2025 , publisher=

  54. [54]

    Optimizing text-to-

    Ojuri, Samuel and Han, The Anh and Chiong, Raymond and Di Stefano, Alessandro , journal=. Optimizing text-to-. 2025 , doi=

  55. [55]

    Information Processing & Management , volume=

    Mitigating privacy risks in Retrieval-Augmented Generation via locally private entity perturbation , author=. Information Processing & Management , volume=. 2025 , doi=

  56. [56]

    arXiv preprint arXiv:2601.04795 , year=

    Defense Against Indirect Prompt Injection via Tool Result Parsing , author=. arXiv preprint arXiv:2601.04795 , year=

  57. [57]

    arXiv preprint arXiv:2510.05244 , year=

    Indirect Prompt Injections: Are Firewalls All You Need, or Stronger Benchmarks? , author=. arXiv preprint arXiv:2510.05244 , year=

  58. [58]

    Wang, Che and Zhang, Fuyao and Zhang, Jiaming and Zhang, Ziqi and Wang, Yinghui and Huang, Longtao and Gao, Jianbo and Chen, Zhong and Lim, Wei Yang Bryan , journal=

  59. [59]

    Hossain, S M Asif and Shayoni, Ruksat Khan and Ameen, Mohd Ruhul and Islam, Akif and Mridha, M. F. and Shin, Jungpil , title=. 2025 IEEE International Women in Engineering (. 2025 , publisher=