Table of Contents
Fetching ...

BackdoorAgent: A Unified Framework for Backdoor Attacks on LLM-based Agents

Yunhao Feng, Yige Li, Yutao Wu, Yingshui Tan, Yanming Guo, Yifan Ding, Kun Zhai, Xingjun Ma, Yugang Jiang

TL;DR

BackdoorAgent introduces a stage-aware framework to analyze backdoor threats in multi-step LLM agents by decomposing the attack surface into Planning, Memory, and Tools, and provides a standardized benchmark across four agent applications. It demonstrates that backdoor triggers injected at a single stage can persist and propagate through intermediate artifacts, with memory-channel backdoors showing the strongest persistence and tool-channel attacks dominating closed-loop workflows. Crucially, strong clean task performance does not guarantee robustness, highlighting the need for trajectory- and workflow-level defenses beyond traditional single-step metrics. The authors release code and benchmarks to support reproducibility and future defense research in agentic systems.

Abstract

Large language model (LLM) agents execute tasks through multi-step workflows that combine planning, memory, and tool use. While this design enables autonomy, it also expands the attack surface for backdoor threats. Backdoor triggers injected into specific stages of an agent workflow can persist through multiple intermediate states and adversely influence downstream outputs. However, existing studies remain fragmented and typically analyze individual attack vectors in isolation, leaving the cross-stage interaction and propagation of backdoor triggers poorly understood from an agent-centric perspective. To fill this gap, we propose \textbf{BackdoorAgent}, a modular and stage-aware framework that provides a unified, agent-centric view of backdoor threats in LLM agents. BackdoorAgent structures the attack surface into three functional stages of agentic workflows, including \textbf{planning attacks}, \textbf{memory attacks}, and \textbf{tool-use attacks}, and instruments agent execution to enable systematic analysis of trigger activation and propagation across different stages. Building on this framework, we construct a standardized benchmark spanning four representative agent applications: \textbf{Agent QA}, \textbf{Agent Code}, \textbf{Agent Web}, and \textbf{Agent Drive}, covering both language-only and multimodal settings. Our empirical analysis shows that \textit{triggers implanted at a single stage can persist across multiple steps and propagate through intermediate states.} For instance, when using a GPT-based backbone, we observe trigger persistence in 43.58\% of planning attacks, 77.97\% of memory attacks, and 60.28\% of tool-stage attacks, highlighting the vulnerabilities of the agentic workflow itself to backdoor threats. To facilitate reproducibility and future research, our code and benchmark are publicly available at GitHub.

BackdoorAgent: A Unified Framework for Backdoor Attacks on LLM-based Agents

TL;DR

BackdoorAgent introduces a stage-aware framework to analyze backdoor threats in multi-step LLM agents by decomposing the attack surface into Planning, Memory, and Tools, and provides a standardized benchmark across four agent applications. It demonstrates that backdoor triggers injected at a single stage can persist and propagate through intermediate artifacts, with memory-channel backdoors showing the strongest persistence and tool-channel attacks dominating closed-loop workflows. Crucially, strong clean task performance does not guarantee robustness, highlighting the need for trajectory- and workflow-level defenses beyond traditional single-step metrics. The authors release code and benchmarks to support reproducibility and future defense research in agentic systems.

Abstract

Large language model (LLM) agents execute tasks through multi-step workflows that combine planning, memory, and tool use. While this design enables autonomy, it also expands the attack surface for backdoor threats. Backdoor triggers injected into specific stages of an agent workflow can persist through multiple intermediate states and adversely influence downstream outputs. However, existing studies remain fragmented and typically analyze individual attack vectors in isolation, leaving the cross-stage interaction and propagation of backdoor triggers poorly understood from an agent-centric perspective. To fill this gap, we propose \textbf{BackdoorAgent}, a modular and stage-aware framework that provides a unified, agent-centric view of backdoor threats in LLM agents. BackdoorAgent structures the attack surface into three functional stages of agentic workflows, including \textbf{planning attacks}, \textbf{memory attacks}, and \textbf{tool-use attacks}, and instruments agent execution to enable systematic analysis of trigger activation and propagation across different stages. Building on this framework, we construct a standardized benchmark spanning four representative agent applications: \textbf{Agent QA}, \textbf{Agent Code}, \textbf{Agent Web}, and \textbf{Agent Drive}, covering both language-only and multimodal settings. Our empirical analysis shows that \textit{triggers implanted at a single stage can persist across multiple steps and propagate through intermediate states.} For instance, when using a GPT-based backbone, we observe trigger persistence in 43.58\% of planning attacks, 77.97\% of memory attacks, and 60.28\% of tool-stage attacks, highlighting the vulnerabilities of the agentic workflow itself to backdoor threats. To facilitate reproducibility and future research, our code and benchmark are publicly available at GitHub.
Paper Structure (35 sections, 9 equations, 5 figures, 7 tables)

This paper contains 35 sections, 9 equations, 5 figures, 7 tables.

Figures (5)

  • Figure 1: Conceptual illustration of backdoor propagation within a multi-stage agent workflow. A trigger introduced in a specific module can traverse Planning, Memory, and Tool stages through iterative state updates.
  • Figure 2: BackdoorAgent Framework. BackdoorAgent exposes explicit interfaces at the planning, memory, and tool stages of an agent workflow, together with an instrumented runtime that supports configurable execution, attack injection, and trajectory logging. A benchmark layer instantiates representative agent tasks and standardized evaluation scripts on top of the framework.
  • Figure 3: Token overhead vs. trigger strength.
  • Figure 4: Average token probabilities for target vs. non-target tokens.
  • Figure 5: ROC curve of probability-based detection in agent outputs. While backdoored trajectories exhibit some detectable signal, the separation remains weak, highlighting the difficulty of directly transferring LLM defenses to agent settings.