From Prompt Injections to Protocol Exploits: Threats in LLM-Powered AI Agents Workflows
Mohamed Amine Ferrag, Norbert Tihanyi, Djallel Hamouda, Leandros Maglaras, Abderrahmane Lakas, Merouane Debbah

TL;DR
This paper presents a comprehensive threat model for LLM-powered AI agents, categorizing over thirty attack techniques and proposing mitigation strategies to enhance security in complex, multi-agent workflows.
Contribution
It introduces the first integrated taxonomy linking input exploits and protocol vulnerabilities in LLM-agent ecosystems, with formal threat formulations and mitigation guidance.
Findings
Identified over thirty attack techniques across different system layers.
Validated the threat model through expert review and real-world incident mapping.
Reviewed existing defenses and proposed mitigation strategies.
Abstract
Autonomous AI agents powered by large language models (LLMs) with structured function-calling interfaces enable real-time data retrieval, computation, and multi-step orchestration. However, the rapid growth of plugins, connectors, and inter-agent protocols has outpaced security practices, leading to brittle integrations that rely on ad-hoc authentication, inconsistent schemas, and weak validation. This survey introduces a unified end-to-end threat model for LLM-agent ecosystems, covering host-to-tool and agent-to-agent communications. We systematically categorize more than thirty attack techniques spanning input manipulation, model compromise, system and privacy attacks, and protocol-level vulnerabilities. For each category, we provide a formal threat formulation defining attacker capabilities, objectives, and affected system layers. Representative examples include Prompt-to-SQL…
