This work addresses the vulnerability of large language model (LLM) agents to attacks such as indirect prompt injection and unauthorized tool invocation when processing untrusted external inputs. Traditional taint analysis fails in this context due to its inability to model the probabilistic, natural-language-based information flows inherent in LLMs. To overcome this limitation, the authors propose NeuroTaint, a novel framework that reconceptualizes taint propagation as a joint process encompassing semantic transformation, causal decision influence, and cross-session memory persistence—departing from conventional paradigms reliant on string matching or predefined paths. By auditing execution traces offline, NeuroTaint combines semantic similarity analysis, causal impact detection, and memory state tracking to reconstruct end-to-end information flows from untrusted sources to privileged operations. Evaluated on benchmarks including TaintBench (400 scenarios), InjecAgent, and ToolEmu, NeuroTaint significantly outperforms the FIDES baseline while maintaining low auditing overhead.

Autonomous Large Language Model (LLM) agents are increasingly deployed to conduct complex tasks by interacting with external tools, APIs, and memory stores. However, processing untrusted external data exposes these agents to severe security threats, such as indirect prompt injection and unauthorized tool execution. Securing these systems requires effective information flow tracking. Yet, traditional taint analysis that is designed for program memory states fundamentally fails when applied to LLMs, where data propagation is governed by probabilistic natural language reasoning. In this paper, we present NeuroTaint, the first comprehensive taint tracking framework tailored for the unique information flow characteristics of LLM agents. Our key insight is that taint propagation in LLM agents must be understood not only as explicit content transfer, but also as semantic transformation, causal influence on decisions, and cross-session persistence through memory. NeuroTaint therefore audits execution traces offline to reconstruct provenance from untrusted sources to privileged sinks using semantic evidence, causal reasoning, and persistent context tracking, rather than relying on exact string matches or pre-defined source-sink paths alone. Extensive evaluation using TaintBench, our 400-scenario benchmark spanning 20 real-world agent frameworks, shows that NeuroTaint substantially outperforms FIDES, an information-flow-control (IFC)-style baseline for LLM agents, in source-sink propagation detection. We further show that NeuroTaint remains effective on established agent-security benchmarks, including InjecAgent and ToolEmu, while operating offline with modest additional auditing cost.