AgentVigil: Generic Black-Box Red-teaming for Indirect Prompt Injection against LLM Agents
Zhun Wang, Vincent Siu, Zhe Ye, Tianneng Shi, Yuzhou Nie, Xuandong Zhao, Chenguang Wang, Wenbo Guo, Dawn Song
TL;DR
<3-5 sentence high-level summary> AgentVigil addresses the vulnerability of black-box LLM agents to indirect prompt injection by introducing a generic fuzzing framework that combines a high-quality seed corpus, adaptive seed scoring, and an MCTS-based seed selector to automatically discover vulnerabilities across diverse agent architectures. It demonstrates strong attack performance on AgentDojo and VWA-adv benchmarks (71% and 70% ASR, respectively), with notable transferability to unseen tasks and models and successful real-world case studies. The framework also reveals weaknesses in existing defenses, showing that conventional mitigations struggle against robust, automatically generated adversarial prompts. Together, these findings highlight urgent security gaps in agent systems and provide a practical, extensible baseline for evaluating and strengthening defenses in real-world deployments.
Abstract
The strong planning and reasoning capabilities of Large Language Models (LLMs) have fostered the development of agent-based systems capable of leveraging external tools and interacting with increasingly complex environments. However, these powerful features also introduce a critical security risk: indirect prompt injection, a sophisticated attack vector that compromises the core of these agents, the LLM, by manipulating contextual information rather than direct user prompts. In this work, we propose a generic black-box fuzzing framework, AgentVigil, designed to automatically discover and exploit indirect prompt injection vulnerabilities across diverse LLM agents. Our approach starts by constructing a high-quality initial seed corpus, then employs a seed selection algorithm based on Monte Carlo Tree Search (MCTS) to iteratively refine inputs, thereby maximizing the likelihood of uncovering agent weaknesses. We evaluate AgentVigil on two public benchmarks, AgentDojo and VWA-adv, where it achieves 71% and 70% success rates against agents based on o3-mini and GPT-4o, respectively, nearly doubling the performance of baseline attacks. Moreover, AgentVigil exhibits strong transferability across unseen tasks and internal LLMs, as well as promising results against defenses. Beyond benchmark evaluations, we apply our attacks in real-world environments, successfully misleading agents to navigate to arbitrary URLs, including malicious sites.
