English

Prompt Injection Attack to Tool Selection in LLM Agents

Cryptography and Security 2025-08-26 v3

Abstract

Tool selection is a key component of LLM agents. A popular approach follows a two-step process - \emph{retrieval} and \emph{selection} - to pick the most appropriate tool from a tool library for a given task. In this work, we introduce \textit{ToolHijacker}, a novel prompt injection attack targeting tool selection in no-box scenarios. ToolHijacker injects a malicious tool document into the tool library to manipulate the LLM agent's tool selection process, compelling it to consistently choose the attacker's malicious tool for an attacker-chosen target task. Specifically, we formulate the crafting of such tool documents as an optimization problem and propose a two-phase optimization strategy to solve it. Our extensive experimental evaluation shows that ToolHijacker is highly effective, significantly outperforming existing manual-based and automated prompt injection attacks when applied to tool selection. Moreover, we explore various defenses, including prevention-based defenses (StruQ and SecAlign) and detection-based defenses (known-answer detection, DataSentinel, perplexity detection, and perplexity windowed detection). Our experimental results indicate that these defenses are insufficient, highlighting the urgent need for developing new defense strategies.

Keywords

Cite

@article{arxiv.2504.19793,
  title  = {Prompt Injection Attack to Tool Selection in LLM Agents},
  author = {Jiawen Shi and Zenghui Yuan and Guiyao Tie and Pan Zhou and Neil Zhenqiang Gong and Lichao Sun},
  journal= {arXiv preprint arXiv:2504.19793},
  year   = {2025}
}
R2 v1 2026-06-28T23:13:46.383Z