# MindGuard: Intrinsic Decision Inspection for Securing LLM Agents Against Metadata Poisoning

**Authors:** Zhiqiang Wang, Haohua Du, Guanquan Shi, Junyang Zhang, HaoRan Cheng, Yunhao Yao, Kaiwen Guo, Xiang-Yang Li

arXiv: 2508.20412 · 2026-01-16

## TL;DR

MindGuard introduces a decision-level security mechanism for LLM agents that uses attention-based decision graphs to detect and attribute tool poisoning attacks with high accuracy and efficiency.

## Contribution

It proposes the Decision Dependence Graph (DDG) for decision tracking and anomaly detection, a novel approach for securing LLM agents against metadata poisoning.

## Key findings

- Achieves 94-99% precision in detecting poisoned invocations
- Attains 95-100% attribution accuracy
- Operates with processing times under one second

## Abstract

The Model Context Protocol (MCP) is increasingly adopted to standardize the interaction between LLM agents and external tools. However, this trend introduces a new threat: Tool Poisoning Attacks (TPA), where tool metadata is poisoned to induce the agent to perform unauthorized operations. Existing defenses that primarily focus on behavior-level analysis are fundamentally ineffective against TPA, as poisoned tools need not be executed, leaving no behavioral trace to monitor. Thus, we propose MindGuard, a decision-level guardrail for LLM agents, providing provenance tracking of call decisions, policy-agnostic detection, and poisoning source attribution against TPA. While fully explaining LLM decisions remains challenging, our empirical findings uncover a strong correlation between LLM attention mechanisms and tool invocation decisions. Therefore, we choose attention as an empirical signal for decision tracking and formalize this as the Decision Dependence Graph (DDG), which models the LLM's reasoning process as a weighted, directed graph where vertices represent logical concepts and edges quantify the attention-based dependencies. We further design robust DDG construction and graph-based anomaly analysis mechanisms that efficiently detect and attribute TPA. Extensive experiments on real-world datasets demonstrate that MindGuard achieves 94%-99% average precision in detecting poisoned invocations and 95%-100% attribution accuracy, with processing times under one second and no additional token cost. Moreover, DDG can be viewed as an adaptation of the classical Program Dependence Graph (PDG), providing a solid foundation for applying traditional security policies at the decision level.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/2508.20412/full.md

## Figures

45 figures with captions in the complete paper: https://tomesphere.com/paper/2508.20412/full.md

## References

63 references — full list in the complete paper: https://tomesphere.com/paper/2508.20412/full.md

---
Source: https://tomesphere.com/paper/2508.20412