Think Twice Before You Act: Protecting LLM Agents Against Tool Description Poisoning via Isolated Planning

πŸ“… 2026-06-18
πŸ“ˆ Citations: 0
✨ Influential: 0
πŸ“„ PDF
πŸ€– AI Summary
This work addresses the vulnerability of large language model (LLM) agents to cross-tool description poisoning attacks, wherein adversaries manipulate tool metadata to mislead agent decision-making with persistent effects. To counter this threat, the authors propose Tool-Guard, a lightweight defense system that introduces the novel concept of β€œisolated planning.” Tool-Guard dynamically monitors agent behavior at runtime to detect suspicious tools and isolates their descriptions in a dedicated list, thereby preventing poisoned context from influencing subsequent planning steps while preserving the functional availability of the tools themselves. Evaluated on the AgentDojo and ASB benchmarks, Tool-Guard significantly reduces attack success rates without compromising task completion performance, demonstrating an effective and practical defense against tool description poisoning.
πŸ“ Abstract
The integration of external tools has substantially expanded the capabilities of large language model (LLM) agents, but it also introduces new attack surfaces beyond prompt injection. In particular, cross-tool description poisoning can manipulate planner-visible tool metadata to steer an agent's trajectory, even if the poisoned tool itself is never chosen. To understand the effectiveness of existing defenses against this emerging threat, we first evaluate several prompt-injection defenses and find that they transfer poorly to cross-tool description poisoning. A key observation is that poisoned descriptions persist in the planning context across steps, enabling continuous influence over subsequent tool choices. Building on this insight, we propose Tool-Guard, a novel system-level defense based on a new concept called isolated planning, in which tool invocations that are detected as misaligned or suspicious cause the corresponding tool to be placed in a quarantined list (the influenced list), breaking further influence from poisoned descriptions. With this influence isolated, the tool can continue to be used to support the task, enabling a robust defense that preserves legitimate tool utility. Experiments on the AgentDojo and ASB benchmarks show that Tool-Guard substantially reduces attack success while maintaining high task utility. Our code is available at https://github.com/shishishi123/Tool-Guard.
Problem

Research questions and friction points this paper is trying to address.

tool description poisoning
LLM agents
planning context
attack surface
metadata manipulation
Innovation

Methods, ideas, or system contributions that make the work stand out.

tool description poisoning
isolated planning
LLM agents
Tool-Guard
system-level defense
πŸ”Ž Similar Papers