benchmark 2025

SafeToolBench: Pioneering a Prospective Benchmark to Evaluating Tool Utilization Safety in LLMs

Hongfei Xia 1, Hongru Wang 2, Zeming Liu 3, Qian Yu 3, Yuhang Guo 1, Haifeng Wang 4

1 Beijing Institute of Technology

2 The Chinese University of Hong Kong

3 Beihang University

4 Baidu

0 citations
α

Published on arXiv

2509.07315

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Existing retrospective evaluation approaches fail to capture all tool-use risks, while SafeInstructTool's nine-dimension prospective framework significantly enhances LLM safety awareness across four tested models.

SafeInstructTool

Novel technique introduced

Large Language Models (LLMs) have exhibited great performance in autonomously calling various tools in external environments, leading to better problem solving and task automation capabilities. However, these external tools also amplify potential risks such as financial loss or privacy leakage with ambiguous or malicious user instructions. Compared to previous studies, which mainly assess the safety awareness of LLMs after obtaining the tool execution results (i.e., retrospective evaluation), this paper focuses on prospective ways to assess the safety of LLM tool utilization, aiming to avoid irreversible harm caused by directly executing tools. To this end, we propose SafeToolBench, the first benchmark to comprehensively assess tool utilization security in a prospective manner, covering malicious user instructions and diverse practical toolsets. Additionally, we propose a novel framework, SafeInstructTool, which aims to enhance LLMs' awareness of tool utilization security from three perspectives (i.e., \textit{User Instruction, Tool Itself, and Joint Instruction-Tool}), leading to nine detailed dimensions in total. We experiment with four LLMs using different methods, revealing that existing approaches fail to capture all risks in tool utilization. In contrast, our framework significantly enhances LLMs' self-awareness, enabling a more safe and trustworthy tool utilization.

Key Contributions

  • SafeToolBench: first prospective benchmark with 1,200 adversarial instructions across 16 domains and 4 risk categories (Privacy Leak, Property Damage, Physical Injury, Bias & Offensiveness) to evaluate LLM tool safety before execution
  • SafeInstructTool: a nine-dimension safety framework covering User Instruction, Tool Itself, and Joint Instruction-Tool perspectives to enhance LLMs' risk awareness prior to tool execution
  • Empirical evaluation showing existing retrospective approaches miss critical tool-use risks, while SafeInstructTool significantly improves prospective safety across four LLMs

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
inference_timetargeted
Datasets
SafeToolBench (1,200 adversarial instructions, 16 domains)
Applications
llm tool useautonomous agentsfunction callingapi integration
Read PDF arXiv Code

Similar Papers

benchmark

Mind the Gap: Time-of-Check to Time-of-Use Vulnerabilities in LLM-Enabled Agents

2025 0 cit.
85%
attack

Servant, Stalker, Predator: How An Honest, Helpful, And Harmless (3H) Agent Unlocks Adversarial Skills

2025 0 cit.
85%
benchmark

MCP-SafetyBench: A Benchmark for Safety Evaluation of Large Language Models with Real-World MCP Servers

2025 4 cit.
85%
benchmark

LPS-Bench: Benchmarking Safety Awareness of Computer-Use Agents in Long-Horizon Planning under Benign and Adversarial Scenarios

2026 1 cit.
85%
attack

Takedown: How It's Done in Modern Coding Agent Exploits

2025 3 cit.
79%
defense

Tracking Capabilities for Safer Agents

2026 0 cit.
77%
defense

Autonomous Action Runtime Management(AARM):A System Specification for Securing AI-Driven Actions at Runtime

2026 0 cit.
77%
defense

MiniScope: A Least Privilege Framework for Authorizing Tool Calling Agents

2025 4 cit.
77%