defense 2026

ToolSafe: Enhancing Tool Invocation Safety of LLM-based agents via Proactive Step-level Guardrail and Feedback

Yutao Mou 1,2, Zhangchi Xue 1, Lijun Li 2, Peiyang Liu 1, Shikun Zhang 1, Wei Ye 1, Jing Shao 2

1 Peking University

2 Shanghai Artificial Intelligence Laboratory

2 citations · 39 references · arXiv
α

Published on arXiv

2601.10156

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

TS-Flow reduces harmful tool invocations by 65% on average while improving benign task completion by ~10% under prompt injection attacks on ReAct-style agents.

TS-Guard / TS-Flow

Novel technique introduced

While LLM-based agents can interact with environments via invoking external tools, their expanded capabilities also amplify security risks. Monitoring step-level tool invocation behaviors in real time and proactively intervening before unsafe execution is critical for agent deployment, yet remains under-explored. In this work, we first construct TS-Bench, a novel benchmark for step-level tool invocation safety detection in LLM agents. We then develop a guardrail model, TS-Guard, using multi-task reinforcement learning. The model proactively detects unsafe tool invocation actions before execution by reasoning over the interaction history. It assesses request harmfulness and action-attack correlations, producing interpretable and generalizable safety judgments and feedback. Furthermore, we introduce TS-Flow, a guardrail-feedback-driven reasoning framework for LLM agents, which reduces harmful tool invocations of ReAct-style agents by 65 percent on average and improves benign task completion by approximately 10 percent under prompt injection attacks.

Key Contributions

  • TS-Bench: first benchmark for step-level tool invocation safety detection covering malicious requests and prompt injection scenarios
  • TS-Guard: multi-task RL-trained guardrail model that assesses request harmfulness and action–attack correlations before tool execution
  • TS-Flow: guardrail-feedback-driven reasoning framework that reduces harmful tool invocations by 65% and improves benign task completion by ~10% under prompt injection attacks

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
inference_timeblack_box
Datasets
TS-Bench
Applications
llm agentsreact-style agentstool-calling agents
Read PDF arXiv DOI

Similar Papers

defense

Introducing the Generative Application Firewall (GAF)

2026 0 cit.
100%
defense

Securing the Model Context Protocol: Defending LLMs Against Tool Poisoning and Adversarial Attacks

2025 5 cit.
100%
defense

VIGIL: Defending LLM Agents Against Tool Stream Injection via Verify-Before-Commit

2026 1 cit.
100%
defense

AgentSentry: Mitigating Indirect Prompt Injection in LLM Agents via Temporal Causal Diagnostics and Context Purification

2026 0 cit.
100%
defense

Breaking the Protocol: Security Analysis of the Model Context Protocol Specification and Prompt Injection Vulnerabilities in Tool-Integrated LLM Agents

2026 0 cit.
100%
defense

MCP-Guard: A Multi-Stage Defense-in-Depth Framework for Securing Model Context Protocol in Agentic AI

2025 0 cit.
92%
defense

Quantifying Conversation Drift in MCP via Latent Polytope

2025 0 cit.
92%
defense

Defense Against Indirect Prompt Injection via Tool Result Parsing

2026 3 cit.
92%