David vs. Goliath: Verifiable Agent-to-Agent Jailbreaking via Reinforcement Learning

TL;DR

This paper introduces a formal threat model called Tag-Along Attacks for autonomous language model agents and presents Slingshot, a reinforcement learning framework that autonomously discovers effective, transferable jailbreaking attack vectors.

Contribution

The paper formalizes Tag-Along Attacks as a verifiable threat model and develops Slingshot, a reinforcement learning method that autonomously finds transferable agent jailbreaking strategies.

Findings

Slingshot achieves 67% success rate against a strong language model operator.

Attacks transfer zero-shot to various models, including closed-source and fine-tuned open models.

Learned attacks tend to be short, instruction-like patterns rather than multi-turn persuasion.

Abstract

The evolution of large language models into autonomous agents introduces adversarial failures that exploit legitimate tool privileges, transforming safety evaluation in tool-augmented environments from a subjective NLP task into an objective control problem. We formalize this threat model as Tag-Along Attacks: a scenario where a tool-less adversary "tags along" on the trusted privileges of a safety-aligned Operator to induce prohibited tool use through conversation alone. To validate this threat, we present Slingshot, a 'cold-start' reinforcement learning framework that autonomously discovers emergent attack vectors, revealing a critical insight: in our setting, learned attacks tend to converge to short, instruction-like syntactic patterns rather than multi-turn persuasion. On held-out extreme-difficulty tasks, Slingshot achieves a 67.0% success rate against a Qwen2.5-32B-Instruct-AWQ Operator (vs. 1.7% baseline), reducing the expected attempts to first success (on solved tasks) from 52.3 to 1.3. Crucially, Slingshot transfers zero-shot to several model families, including closed-source models like Gemini 2.5 Flash (56.0% attack success rate) and defensive-fine-tuned open-source models like Meta-SecAlign-8B (39.2% attack success rate). Our work establishes Tag-Along Attacks as a first-class, verifiable threat model and shows that effective agentic attacks can be elicited from off-the-shelf open-weight models through environment interaction alone.