Bibliographic Details
Main Authors: Yu, Qiang, Cheng, Xinran, Liu, Chuanyi
Format: Preprint
Published: 2026
Online Access:https://arxiv.org/abs/2601.04795
author Yu, Qiang
Cheng, Xinran
Liu, Chuanyi
contents As LLM agents transition from digital assistants to physical controllers in autonomous systems and robotics, they face an escalating threat from indirect prompt injection. By embedding adversarial instructions into the results of tool calls, attackers can hijack the agent's decision-making process to execute unauthorized actions. This vulnerability poses a significant risk as agents gain more direct control over physical environments. Existing defense mechanisms against Indirect Prompt Injection (IPI) generally fall into two categories. The first involves training dedicated detection models; however, this approach entails high computational overhead for both training and inference, and requires frequent updates to keep pace with evolving attack vectors. Alternatively, prompt-based methods leverage the inherent capabilities of LLMs to detect or ignore malicious instructions via prompt engineering. Despite their flexibility, most current prompt-based defenses suffer from high Attack Success Rates (ASR), demonstrating limited robustness against sophisticated injection attacks. In this paper, we propose a novel method that provides LLMs with precise data via tool result parsing while effectively filtering out injected malicious code. Our approach achieves competitive Utility under Attack (UA) while maintaining the lowest Attack Success Rate (ASR) to date, significantly outperforming existing methods. Code is available on GitHub.
format Preprint
id arxiv_https___arxiv_org_abs_2601_04795
institution arXiv
publishDate 2026
record_format arxiv
title Defense Against Indirect Prompt Injection via Tool Result Parsing
topic Artificial Intelligence
Computation and Language
Cryptography and Security
Multiagent Systems
68T42
I.2.m
url https://arxiv.org/abs/2601.04795