Tool-Use Injection.

Attacks that manipulate an LLM agent's tool-calling layer — forging tool arguments, smuggling instructions through tool outputs, or coaxing the model into calling unsanctioned tools. Относится к категории Безопасность ИИ и ML в кибербезопасности.

Attacks that manipulate an LLM agent's tool-calling layer — forging tool arguments, smuggling instructions through tool outputs, or coaxing the model into calling unsanctioned tools.

Tool-use injection is the umbrella term for prompt-injection-style attacks that target function calling rather than the model's user-facing reply. Three concrete flavors recur. First, argument injection: untrusted input in the prompt steers the model into emitting tool arguments — file paths, SQL strings, recipient addresses — that perform a different action than the user intended. Second, return-value injection: the output of one tool (e.g. a web fetch) contains hidden instructions that influence the next tool call, a form of indirect prompt injection. Third, tool-choice manipulation: an attacker coerces the agent into selecting a high-privilege tool ('delete_user') when a lower-privilege one was appropriate, or invokes a tool the operator did not advertise to that user. Defenses include strict JSON-schema validation of tool arguments, structured separation between developer prompts, user input, and tool outputs (provenance tags), explicit allow-lists per session, human approval for high-impact tools, and treating any tool whose output enters the context window as an untrusted message source.

Защита от Tool-Use Injection обычно сочетает технические меры и операционные практики, как описано в определении выше.

Распространённые альтернативные названия: Function-call injection, Tool poisoning.