This work addresses the vulnerability of multi-agent large language models to indirect prompt injection attacks in dynamic tool-calling environments, where existing defenses offer limited protection. The study presents the first systematic evaluation of six defense strategies against four classes of indirect attacks and uncovers a critical precursor phenomenon: a significant rise in agent decision entropy prior to successful attacks. Building on this insight, the authors propose a proactive interception mechanism based on Representation Engineering (RepE), which constructs a circuit-breaker-style detector by extracting hidden states at tool-input positions. Experiments demonstrate that this approach achieves high-precision detection of malicious behavior across multiple large language models, substantially outperforming current methods and revealing unintended negative effects of several widely adopted mitigation techniques.

The rapid deployment of open-source frameworks has significantly advanced the development of modern multi-agent systems. However, expanded action spaces, including uncontrolled privilege exposure and hidden inter-system interactions, pose severe security challenges. Specifically, Indirect Prompt Injections (IPI), which conceal malicious instructions within third-party content, can trigger unauthorized actions such as data exfiltration during normal operations. While current security evaluations predominantly rely on isolated single-turn benchmarks, the systemic vulnerabilities of these agents within complex dynamic environments remain critically underexplored. To bridge this gap, we systematically evaluate six defense strategies against four sophisticated IPI attack vectors across nine LLM backbones. Crucially, we conduct our evaluation entirely within dynamic multi-step tool-calling environments to capture the true attack surface of modern autonomous agents. Moving beyond binary success rates, our multidimensional analysis reveals a pronounced fragility. Advanced injections successfully bypass nearly all baseline defenses, and some surface-level mitigations even produce counterproductive side effects. Furthermore, while agents execute malicious instructions almost instantaneously, their internal states exhibit abnormally high decision entropy. Motivated by this latent hesitation, we investigate Representation Engineering (RepE) as a robust detection strategy. By extracting hidden states at the tool-input position, we revealed that the RepE-based circuit breaker successfully identifies and intercepts unauthorized actions before the agent commits to them, achieving high detection accuracy across diverse LLM backbones. This study exposes the limitations of current IPI defenses and provides a highly practical paradigm for building resilient multi-agent architectures.