Imprompter: Tricking LLM Agents into Improper Tool Use

TL;DR

This paper reveals security vulnerabilities in LLM-based agents by demonstrating automatic prompt attacks that can exfiltrate sensitive data, highlighting the need for improved safeguards in these emerging systems.

Contribution

It introduces a novel class of automatic adversarial prompt attacks targeting LLM agents, demonstrating their effectiveness across multiple platforms and modalities.

Findings

Attacks achieve nearly 80% success rate in data exfiltration.

Attacks transfer effectively to production-level agents.

Multimodal attacks work in both text-only and image domains.

Abstract

Large Language Model (LLM) Agents are an emerging computing paradigm that blends generative machine learning with tools such as code interpreters, web browsing, email, and more generally, external resources. These agent-based systems represent an emerging shift in personal computing. We contribute to the security foundations of agent-based systems and surface a new class of automatically computed obfuscated adversarial prompt attacks that violate the confidentiality and integrity of user resources connected to an LLM agent. We show how prompt optimization techniques can find such prompts automatically given the weights of a model. We demonstrate that such attacks transfer to production-level agents. For example, we show an information exfiltration attack on Mistral's LeChat agent that analyzes a user's conversation, picks out personally identifiable information, and formats it into a valid markdown command that results in leaking that data to the attacker's server. This attack shows a nearly 80% success rate in an end-to-end evaluation. We conduct a range of experiments to characterize the efficacy of these attacks and find that they reliably work on emerging agent-based systems like Mistral's LeChat, ChatGLM, and Meta's Llama. These attacks are multimodal, and we show variants in the text-only and image domains.