This work addresses the critical vulnerability of high-privilege large language model (LLM) agents, which struggle to distinguish malicious instructions from legitimate guidance in external documents, thereby risking private data leakage. The paper formally introduces “document-embedded instruction attacks” and proposes a three-dimensional taxonomy encompassing linguistic obfuscation, structural confusion, and semantic abstraction. It further identifies a “semantic-security gap” between functional compliance and security awareness. Leveraging real-world README files, the authors construct the ReadSecBench benchmark and conduct end-to-end penetration tests, cross-model simulations, and user studies. Results reveal an alarming 85% success rate in data exfiltration by commercially deployed agents and a 0% user detection rate. Existing defenses fail to provide effective protection under low false-positive constraints, underscoring the severity of the “trusted executor dilemma.”

High-privilege LLM agents that autonomously process external documentation are increasingly trusted to automate tasks by reading and executing project instructions, yet they are granted terminal access, filesystem control, and outbound network connectivity with minimal security oversight. We identify and systematically measure a fundamental vulnerability in this trust model, which we term the \emph{Trusted Executor Dilemma}: agents execute documentation-embedded instructions, including adversarial ones, at high rates because they cannot distinguish malicious directives from legitimate setup guidance. This vulnerability is a structural consequence of the instruction-following design paradigm, not an implementation bug. To structure our measurement, we formalize a three-dimensional taxonomy covering linguistic disguise, structural obfuscation, and semantic abstraction, and construct \textbf{ReadSecBench}, a benchmark of 500 real-world README files enabling reproducible evaluation. Experiments on the commercially deployed computer-use agent show end-to-end exfiltration success rates up to 85\%, consistent across five programming languages and three injection positions. Cross-model evaluation on four LLM families in a simulation environment confirms that semantic compliance with injected instructions is consistent across model families. A 15-participant user study yields a 0\% detection rate across all participants, and evaluation of 12 rule-based and 6 LLM-based defenses shows neither category achieves reliable detection without unacceptable false-positive rates. Together, these results quantify a persistent \emph{Semantic-Safety Gap} between agents' functional compliance and their security awareness, establishing that documentation-embedded instruction injection is a persistent and currently unmitigated threat to high-privilege LLM agent deployments.