ML Security PapersAgentSentry: Mitigating Indirect Prompt Injection in LLM Agents via Temporal Causal Diagnostics and Context Purification
Tian Zhang 1, Yiwei Xu 1, Juan Wang 1, Keyan Guo 2, Xiaoyang Xu 1, Bowen Xiao 1, Quanlong Guan 3, Jinlin Fan 1, Jiawei Liu 1, Zhiquan Liu 3, Hongxin Hu 2
Published on arXiv
2602.22724
Prompt Injection
OWASP LLM Top 10 — LLM01
Insecure Plugin Design
OWASP LLM Top 10 — LLM07
Key Finding
AgentSentry eliminates successful IPI attacks and achieves 74.55% average Utility Under Attack, improving over the strongest baselines by 20.8–33.6 percentage points without degrading benign task performance.
AgentSentry
Novel technique introduced
Large language model (LLM) agents increasingly rely on external tools and retrieval systems to autonomously complete complex tasks. However, this design exposes agents to indirect prompt injection (IPI), where attacker-controlled context embedded in tool outputs or retrieved content silently steers agent actions away from user intent. Unlike prompt-based attacks, IPI unfolds over multi-turn trajectories, making malicious control difficult to disentangle from legitimate task execution. Existing inference-time defenses primarily rely on heuristic detection and conservative blocking of high-risk actions, which can prematurely terminate workflows or broadly suppress tool usage under ambiguous multi-turn scenarios. We propose AgentSentry, a novel inference-time detection and mitigation framework for tool-augmented LLM agents. To the best of our knowledge, AgentSentry is the first inference-time defense to model multi-turn IPI as a temporal causal takeover. It localizes takeover points via controlled counterfactual re-executions at tool-return boundaries and enables safe continuation through causally guided context purification that removes attack-induced deviations while preserving task-relevant evidence. We evaluate AgentSentry on the \textsc{AgentDojo} benchmark across four task suites, three IPI attack families, and multiple black-box LLMs. AgentSentry eliminates successful attacks and maintains strong utility under attack, achieving an average Utility Under Attack (UA) of 74.55 %, improving UA by 20.8 to 33.6 percentage points over the strongest baselines without degrading benign performance.
Key Contributions
- First inference-time defense framing multi-turn indirect prompt injection as a temporal causal takeover, with takeover localization via counterfactual re-executions at tool-return boundaries
- Causally guided context purification that removes attack-induced deviations from agent state while preserving task-relevant evidence for safe workflow continuation
- Evaluation on AgentDojo across four task suites and three IPI attack families, achieving 74.55% average Utility Under Attack — 20.8 to 33.6 percentage points above strongest baselines