AdapTools: Adaptive Tool-based Indirect Prompt Injection Attacks on Agentic LLMs

The integration of external data services (e.g., Model Context Protocol, MCP) has made large language model-based agents increasingly powerful for complex task execution. However, this advancement introduces critical security vulnerabilities, particularly indirect prompt injection (IPI) attacks. Existing attack methods are limited by their reliance on static patterns and evaluation on simple language models, failing to address the fast-evolving nature of modern AI agents. We introduce AdapTools, a novel adaptive IPI attack framework that selects stealthier attack tools and generates adaptive attack prompts to create a rigorous security evaluation environment. Our approach comprises two key components: (1) Adaptive Attack Strategy Construction, which develops transferable adversarial strategies for prompt optimization, and (2) Attack Enhancement, which identifies stealthy tools capable of circumventing task-relevance defenses. Comprehensive experimental evaluation shows that AdapTools achieves a 2.13 times improvement in attack success rate while degrading system utility by a factor of 1.78. Notably, the framework maintains its effectiveness even against state-of-the-art defense mechanisms. Our method advances the understanding of IPI attacks and provides a useful reference for future research.

Key Contributions

• AdapTools framework with two components: Adaptive Attack Strategy Construction (transferable adversarial prompt optimization) and Attack Enhancement (stealthy tool selection to bypass task-relevance defenses)
• Achieves 2.13x improvement in attack success rate and degrades system utility by 1.78x compared to existing IPI methods, while remaining effective against SOTA defenses
• IPI-3K benchmark for evaluating indirect prompt injection attacks on agentic LLMs with function-calling trajectories

🛡️ Threat Analysis

Details

Similar Papers