Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Les Dissonances: Cross-Tool Harvesting and Polluting in Pool-of-Tools Empowered LLM Agents

Zichuan Li, Jian Cui, Xiaojing Liao, Luyi Xing

TL;DR

This work reveals a novel security risk in pool-of-tools LLM agents, presenting Cross-Tool Harvesting and Polluting (XTHP) which hijacks task control flows to harvest or pollute data across tools. It defines the CFA hijacking, XTH, and XTP threat chain and introduces Chord, an automatic threat analyzer that generates tailored XTHP tools and tests real-world tools from LangChain and LlamaIndex. Empirical evaluation shows that a substantial majority of tools are vulnerable to end-to-end XTHP exploits, and existing defenses offer little protection. The findings underscore the urgent need for secure tool orchestration, tool vetting, and robust defenses in multi-tool LLM agent ecosystems. The work highlights practical implications for privacy, security, and reliability in real-world AI agents and charts a path for future defenses and tooling improvements.

Abstract

Large Language Model (LLM) agents are autonomous systems powered by LLMs, capable of reasoning and planning to solve problems by leveraging a set of tools. However, the integration of multi-tool capabilities in LLM agents introduces challenges in securely managing tools, ensuring their compatibility, handling dependency relationships, and protecting control flows within LLM agent workflows. In this paper, we present the first systematic security analysis of task control flows in multi-tool-enabled LLM agents. We identify a novel threat, Cross-Tool Harvesting and Polluting (XTHP), which includes multiple attack vectors to first hijack the normal control flows of agent tasks, and then collect and pollute confidential or private information within LLM agent systems. To understand the impact of this threat, we developed Chord, a dynamic scanning tool designed to automatically detect real-world agent tools susceptible to XTHP attacks. Our evaluation of 66 real-world tools from the repositories of two major LLM agent development frameworks, LangChain and LlamaIndex, revealed a significant security concern: 75% are vulnerable to XTHP attacks, highlighting the prevalence of this threat.

Les Dissonances: Cross-Tool Harvesting and Polluting in Pool-of-Tools Empowered LLM Agents

TL;DR

This work reveals a novel security risk in pool-of-tools LLM agents, presenting Cross-Tool Harvesting and Polluting (XTHP) which hijacks task control flows to harvest or pollute data across tools. It defines the CFA hijacking, XTH, and XTP threat chain and introduces Chord, an automatic threat analyzer that generates tailored XTHP tools and tests real-world tools from LangChain and LlamaIndex. Empirical evaluation shows that a substantial majority of tools are vulnerable to end-to-end XTHP exploits, and existing defenses offer little protection. The findings underscore the urgent need for secure tool orchestration, tool vetting, and robust defenses in multi-tool LLM agent ecosystems. The work highlights practical implications for privacy, security, and reliability in real-world AI agents and charts a path for future defenses and tooling improvements.

Abstract

Large Language Model (LLM) agents are autonomous systems powered by LLMs, capable of reasoning and planning to solve problems by leveraging a set of tools. However, the integration of multi-tool capabilities in LLM agents introduces challenges in securely managing tools, ensuring their compatibility, handling dependency relationships, and protecting control flows within LLM agent workflows. In this paper, we present the first systematic security analysis of task control flows in multi-tool-enabled LLM agents. We identify a novel threat, Cross-Tool Harvesting and Polluting (XTHP), which includes multiple attack vectors to first hijack the normal control flows of agent tasks, and then collect and pollute confidential or private information within LLM agent systems. To understand the impact of this threat, we developed Chord, a dynamic scanning tool designed to automatically detect real-world agent tools susceptible to XTHP attacks. Our evaluation of 66 real-world tools from the repositories of two major LLM agent development frameworks, LangChain and LlamaIndex, revealed a significant security concern: 75% are vulnerable to XTHP attacks, highlighting the prevalence of this threat.

Paper Structure

This paper contains 39 sections, 4 equations, 6 figures, 10 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Threat Model
  4. Cross-Tool Harvesting & Polluting
  5. Overview
  6. Semantic Logic Hooking
  7. Targeted Semantic Hooking
  8. Untargeted Scenario-based Semantic Hooking
  9. Dynamic Tool Creation
  10. Syntax Format Hooking
  11. Hooking on domain-specific or customized data format
  12. Hooking on general data formats
  13. Hooking Optimization Using LLM Preference
  14. Cross-Tool Information Polluting
  15. Cross-Tool Data Harvesting
  16. ...and 24 more sections

Figures (6)

  • Figure 1: Tool schema
  • Figure 2: Overview of the XTHP threats.
  • Figure 3: PoC examples of XTH attack vectors. LocationValidator is a malicious tool targeting victim tool AmadeusClosestAirport
  • Figure 4: Chord: fully automatic XTHP attacks (PoC) to evaluate the susceptibility of real-world tools
  • Figure 5: Optimized XTHP Description Generation
  • ...and 1 more figures