Table of Contents
Fetching ...

VIGIL: Defending LLM Agents Against Tool Stream Injection via Verify-Before-Commit

Junda Lin, Zhaomeng Zhou, Zhi Zheng, Shuochen Liu, Tong Xu, Yong Chen, Enhong Chen

TL;DR

This work addresses the dual threat of indirect prompt injection in LLM agents, particularly via tool streams exploited in open environments. It introduces VIGIL, a verify-before-commit framework that grounds agent safety in intent-driven constraints, perception sanitization, speculative hypothesis generation, and rigorous verification, enabling adaptive recovery without sacrificing reasoning flexibility. The SIREN benchmark provides a unified assessment of dual-stream threats across five tool-stream vectors and data-stream bases, demonstrating that VIGIL outperforms static and dynamic defenses by significantly reducing attack success rates while maintaining or improving utility. The results show that decoupling speculative exploration from irreversible actions preserves task completion under attack, suggesting practical implications for deploying secure, capable agents in open, untrusted environments.

Abstract

LLM agents operating in open environments face escalating risks from indirect prompt injection, particularly within the tool stream where manipulated metadata and runtime feedback hijack execution flow. Existing defenses encounter a critical dilemma as advanced models prioritize injected rules due to strict alignment while static protection mechanisms sever the feedback loop required for adaptive reasoning. To reconcile this conflict, we propose \textbf{VIGIL}, a framework that shifts the paradigm from restrictive isolation to a verify-before-commit protocol. By facilitating speculative hypothesis generation and enforcing safety through intent-grounded verification, \textbf{VIGIL} preserves reasoning flexibility while ensuring robust control. We further introduce \textbf{SIREN}, a benchmark comprising 959 tool stream injection cases designed to simulate pervasive threats characterized by dynamic dependencies. Extensive experiments demonstrate that \textbf{VIGIL} outperforms state-of-the-art dynamic defenses by reducing the attack success rate by over 22\% while more than doubling the utility under attack compared to static baselines, thereby achieving an optimal balance between security and utility. Code is available at https://anonymous.4open.science/r/VIGIL-378B/.

VIGIL: Defending LLM Agents Against Tool Stream Injection via Verify-Before-Commit

TL;DR

This work addresses the dual threat of indirect prompt injection in LLM agents, particularly via tool streams exploited in open environments. It introduces VIGIL, a verify-before-commit framework that grounds agent safety in intent-driven constraints, perception sanitization, speculative hypothesis generation, and rigorous verification, enabling adaptive recovery without sacrificing reasoning flexibility. The SIREN benchmark provides a unified assessment of dual-stream threats across five tool-stream vectors and data-stream bases, demonstrating that VIGIL outperforms static and dynamic defenses by significantly reducing attack success rates while maintaining or improving utility. The results show that decoupling speculative exploration from irreversible actions preserves task completion under attack, suggesting practical implications for deploying secure, capable agents in open, untrusted environments.

Abstract

LLM agents operating in open environments face escalating risks from indirect prompt injection, particularly within the tool stream where manipulated metadata and runtime feedback hijack execution flow. Existing defenses encounter a critical dilemma as advanced models prioritize injected rules due to strict alignment while static protection mechanisms sever the feedback loop required for adaptive reasoning. To reconcile this conflict, we propose \textbf{VIGIL}, a framework that shifts the paradigm from restrictive isolation to a verify-before-commit protocol. By facilitating speculative hypothesis generation and enforcing safety through intent-grounded verification, \textbf{VIGIL} preserves reasoning flexibility while ensuring robust control. We further introduce \textbf{SIREN}, a benchmark comprising 959 tool stream injection cases designed to simulate pervasive threats characterized by dynamic dependencies. Extensive experiments demonstrate that \textbf{VIGIL} outperforms state-of-the-art dynamic defenses by reducing the attack success rate by over 22\% while more than doubling the utility under attack compared to static baselines, thereby achieving an optimal balance between security and utility. Code is available at https://anonymous.4open.science/r/VIGIL-378B/.
Paper Structure (25 sections, 2 equations, 8 figures, 5 tables)

This paper contains 25 sections, 2 equations, 8 figures, 5 tables.

Figures (8)

  • Figure 1: Illustration of two fundamental challenges in agent security. The Alignment-Driven Vulnerability shows that advanced models prioritize malicious tool rules due to strict alignment. The Static Defense Fragility demonstrates static defenses suffering severe utility collapse under uncertainty. In contrast, VIGIL employs a dynamic verify-before-commit paradigm to enable secure, adaptive recovery.
  • Figure 2: The architecture of VIGIL, which establishes a verify-before-commit paradigm to secure agentic reasoning against tool stream attacks. The framework orchestrates the Intent Anchor and Perception Sanitizer to define immutable safety boundaries while the Speculative Reasoner and Grounding Verifier collaboratively filter malicious trajectories through dynamic hypothesis testing and logic entailment checks.
  • Figure 3: Comparative analysis of Utility Under Attack (UA) versus Attack Success Rate (ASR) for Qwen3-max and Gemini-2.5-pro. Unlike baseline defenses which exhibit a clear trade-off, VIGIL consistently occupies the optimal bottom-right quadrant, indicating superior performance in both security and utility.
  • Figure 4: Sensitivity and scalability analysis of VIGIL. (a) & (b): Verification overhead converges to a constant level regardless of toolset scale, ensuring long-term efficiency via trajectory memory. (c): Robustness against increasing attack density, where the framework maintains a low ASR as utility gradually declines without collapsing.
  • Figure 5: System prompt for the Intent Anchor Intent Generator.
  • ...and 3 more figures