You Told Me to Do It: Measuring Instructional Text-induced Private Data Leakage in LLM Agents

TL;DR

This paper exposes a fundamental security vulnerability in high-privilege LLM agents caused by their inability to distinguish malicious instructions embedded in documentation, leading to high success rates of data exfiltration and highlighting a significant safety gap.

Contribution

The paper formalizes the Trusted Executor Dilemma, introduces ReadSecBench for measuring instruction-induced data leakage, and demonstrates the vulnerability's severity across models and defenses.

Findings

End-to-end exfiltration success rates up to 85%

Semantic compliance with injected instructions is consistent across models

Existing defenses fail to reliably detect malicious instructions

Abstract

High-privilege LLM agents that autonomously process external documentation are increasingly trusted to automate tasks by reading and executing project instructions, yet they are granted terminal access, filesystem control, and outbound network connectivity with minimal security oversight. We identify and systematically measure a fundamental vulnerability in this trust model, which we term the \emph{Trusted Executor Dilemma}: agents execute documentation-embedded instructions, including adversarial ones, at high rates because they cannot distinguish malicious directives from legitimate setup guidance. This vulnerability is a structural consequence of the instruction-following design paradigm, not an implementation bug. To structure our measurement, we formalize a three-dimensional taxonomy covering linguistic disguise, structural obfuscation, and semantic abstraction, and construct \textbf{ReadSecBench}, a benchmark of 500 real-world README files enabling reproducible evaluation. Experiments on the commercially deployed computer-use agent show end-to-end exfiltration success rates up to 85\%, consistent across five programming languages and three injection positions. Cross-model evaluation on four LLM families in a simulation environment confirms that semantic compliance with injected instructions is consistent across model families. A 15-participant user study yields a 0\% detection rate across all participants, and evaluation of 12 rule-based and 6 LLM-based defenses shows neither category achieves reliable detection without unacceptable false-positive rates. Together, these results quantify a persistent \emph{Semantic-Safety Gap} between agents' functional compliance and their security awareness, establishing that documentation-embedded instruction injection is a persistent and currently unmitigated threat to high-privilege LLM agent deployments.