AdapTools: Adaptive Tool-based Indirect Prompt Injection Attacks on Agentic LLMs

TL;DR

AdapTools is a new adaptive attack framework that significantly improves the success rate of indirect prompt injection attacks on AI agents by selecting stealthier tools and generating adaptive prompts, even against defenses.

Contribution

It introduces an adaptive attack framework with transferable strategies and stealthy tools, advancing security evaluation of modern AI agents against prompt injection vulnerabilities.

Findings

Achieves 2.13x higher attack success rate

Degrades system utility by 1.78x

Remains effective against state-of-the-art defenses

Abstract

The integration of external data services (e.g., Model Context Protocol, MCP) has made large language model-based agents increasingly powerful for complex task execution. However, this advancement introduces critical security vulnerabilities, particularly indirect prompt injection (IPI) attacks. Existing attack methods are limited by their reliance on static patterns and evaluation on simple language models, failing to address the fast-evolving nature of modern AI agents. We introduce AdapTools, a novel adaptive IPI attack framework that selects stealthier attack tools and generates adaptive attack prompts to create a rigorous security evaluation environment. Our approach comprises two key components: (1) Adaptive Attack Strategy Construction, which develops transferable adversarial strategies for prompt optimization, and (2) Attack Enhancement, which identifies stealthy tools capable of circumventing task-relevance defenses. Comprehensive experimental evaluation shows that AdapTools achieves a 2.13 times improvement in attack success rate while degrading system utility by a factor of 1.78. Notably, the framework maintains its effectiveness even against state-of-the-art defense mechanisms. Our method advances the understanding of IPI attacks and provides a useful reference for future research.