This work addresses the limitations of existing indirect prompt injection (IPI) attacks against tool-augmented large language models, which predominantly rely on static patterns and struggle to adapt to the dynamic evolution of agent behaviors. To overcome this, we propose AdapTools, the first framework enabling adaptive IPI attacks tailored to tool-using agents. AdapTools integrates adaptive tool selection, dynamic prompt generation, and task-context awareness to construct a more rigorous evaluation environment. Our approach transcends the constraints of static attacks, exhibits cross-model transferability, and effectively bypasses task-relevance-based defense mechanisms. Experimental results demonstrate that AdapTools improves attack success rates by 2.13× while reducing system utility by 1.78×, maintaining high efficacy even against state-of-the-art defenses.

The integration of external data services (e.g., Model Context Protocol, MCP) has made large language model-based agents increasingly powerful for complex task execution. However, this advancement introduces critical security vulnerabilities, particularly indirect prompt injection (IPI) attacks. Existing attack methods are limited by their reliance on static patterns and evaluation on simple language models, failing to address the fast-evolving nature of modern AI agents. We introduce AdapTools, a novel adaptive IPI attack framework that selects stealthier attack tools and generates adaptive attack prompts to create a rigorous security evaluation environment. Our approach comprises two key components: (1) Adaptive Attack Strategy Construction, which develops transferable adversarial strategies for prompt optimization, and (2) Attack Enhancement, which identifies stealthy tools capable of circumventing task-relevance defenses. Comprehensive experimental evaluation shows that AdapTools achieves a 2.13 times improvement in attack success rate while degrading system utility by a factor of 1.78. Notably, the framework maintains its effectiveness even against state-of-the-art defense mechanisms. Our method advances the understanding of IPI attacks and provides a useful reference for future research.