Saved in:
Bibliographic Details
Main Authors: Li, Chaofan, Zhang, Lyuye, Zhai, Jintao, Feng, Siyue, Yang, Xichun, Wang, Huahao, Dou, Shihan, Ji, Yu, Hu, Yutao, Wu, Yueming, Liu, Yang, Zou, Deqing
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2605.06812
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866917469785948160
author Li, Chaofan
Zhang, Lyuye
Zhai, Jintao
Feng, Siyue
Yang, Xichun
Wang, Huahao
Dou, Shihan
Ji, Yu
Hu, Yutao
Wu, Yueming
Liu, Yang
Zou, Deqing
author_facet Li, Chaofan
Zhang, Lyuye
Zhai, Jintao
Feng, Siyue
Yang, Xichun
Wang, Huahao
Dou, Shihan
Ji, Yu
Hu, Yutao
Wu, Yueming
Liu, Yang
Zou, Deqing
contents LLM-based agentic systems are rapidly evolving to perform complex autonomous tasks through dynamic tool invocation, stateful memory management, and multi-agent collaboration. However, this semantics-driven execution paradigm creates a severe semantic gap between low-level physical events and high-level execution intent, making post-hoc security auditing fundamentally difficult. Existing representation mechanisms, including static SBOMs and runtime logs, provide only fragmented evidence and fail to capture cognitive-state evolution, capability bindings, persistent memory contamination, and cascading risk propagation across interacting agents. To bridge this gap, we propose Agent-BOM, a unified structural representation for agent security auditing. Agent-BOM models an agentic system as a hierarchical attributed directed graph that separates static capability bases, such as models, tools, and long-term memory, from dynamic runtime semantic states, such as goals, reasoning trajectories, and actions. These layers are connected through semantic edges and security attributes, transforming fragmented execution traces into queryable audit paths. Building on Agent-BOM, we develop a graph-query-based paradigm for path-level risk assessment and instantiate it with the OWASP Agentic Top 10. We further implement an auditing plugin in the OpenClaw environment to construct Agent-BOM from live executions. Evaluation on representative real-world agentic attack scenarios shows that Agent-BOM can reconstruct stealthy attack chains, including cross-session memory poisoning and tool misuse, capability supply-chain hijacking and unexpected code execution, multi-agent ecosystem hijacking, and privilege and trust abuse. These results demonstrate that Agent-BOM provides a unified and auditable foundation for root-cause analysis and security adjudication in complex agentic ecosystems.
format Preprint
id arxiv_https___arxiv_org_abs_2605_06812
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Towards Security-Auditable LLM Agents: A Unified Graph Representation
Li, Chaofan
Zhang, Lyuye
Zhai, Jintao
Feng, Siyue
Yang, Xichun
Wang, Huahao
Dou, Shihan
Ji, Yu
Hu, Yutao
Wu, Yueming
Liu, Yang
Zou, Deqing
Artificial Intelligence
LLM-based agentic systems are rapidly evolving to perform complex autonomous tasks through dynamic tool invocation, stateful memory management, and multi-agent collaboration. However, this semantics-driven execution paradigm creates a severe semantic gap between low-level physical events and high-level execution intent, making post-hoc security auditing fundamentally difficult. Existing representation mechanisms, including static SBOMs and runtime logs, provide only fragmented evidence and fail to capture cognitive-state evolution, capability bindings, persistent memory contamination, and cascading risk propagation across interacting agents. To bridge this gap, we propose Agent-BOM, a unified structural representation for agent security auditing. Agent-BOM models an agentic system as a hierarchical attributed directed graph that separates static capability bases, such as models, tools, and long-term memory, from dynamic runtime semantic states, such as goals, reasoning trajectories, and actions. These layers are connected through semantic edges and security attributes, transforming fragmented execution traces into queryable audit paths. Building on Agent-BOM, we develop a graph-query-based paradigm for path-level risk assessment and instantiate it with the OWASP Agentic Top 10. We further implement an auditing plugin in the OpenClaw environment to construct Agent-BOM from live executions. Evaluation on representative real-world agentic attack scenarios shows that Agent-BOM can reconstruct stealthy attack chains, including cross-session memory poisoning and tool misuse, capability supply-chain hijacking and unexpected code execution, multi-agent ecosystem hijacking, and privilege and trust abuse. These results demonstrate that Agent-BOM provides a unified and auditable foundation for root-cause analysis and security adjudication in complex agentic ecosystems.
title Towards Security-Auditable LLM Agents: A Unified Graph Representation
topic Artificial Intelligence
url https://arxiv.org/abs/2605.06812