LLM agents are evolving from conversational chatbots to operational tools in real-world workspaces. In local agentic harnesses, an LLM can read and write files, call tools, and reuse workspace state across sessions. While such capabilities enhance utility, they also expose a new attack surface for attackers. Attackers can embed a prompt injection within a file or tool output. Agents may read this hidden instruction, store it, and execute it later. In this multi-step trojan attack paradigm, no individual step appears malicious on its own, but these steps can collectively turn untrusted text into persistent control content. However, existing defenses often inspect each step in isolation. As a result, they can block a clear harmful action, but fail to detect the earlier write operation that plants the backdoor. To reveal this threat, we introduce ClawTrojan, a benchmark designed to identify multi-step trojan attacks in local agentic harnesses. In an OpenClaw-style simulated workspace with GPT-5.4, ClawTrojan reaches a 95.5% attack success rate (ASR), while existing single-turn prompt-injection attacks produce near-zero ASR on the same model. To address this threat, we propose DASGuard, which scans control-like text in sensitive local files, traces its origin, and removes control content that does not originate from a trusted source. Our results show that DASGuard achieves strong dynamic defense by combining runtime attack blocking with sanitized commits to the workspace.</p>\n","updatedAt":"2026-06-01T02:21:28.161Z","author":{"_id":"62e52483a944e2a56cd2c6ca","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/62e52483a944e2a56cd2c6ca/xElM_6teIrP3QI-Run0Bl.jpeg","fullname":"Jiejun Tan","name":"zstanjj","type":"user","isPro":false,"isHf":false,"isHfAdmin":false,"isMod":false,"followerCount":23,"isUserFollowing":false}},"numEdits":0,"identifiedLanguage":{"language":"en","probability":0.8970116376876831},"editors":["zstanjj"],"editorAvatarUrls":["https://cdn-avatars.huggingface.co/v1/production/uploads/62e52483a944e2a56cd2c6ca/xElM_6teIrP3QI-Run0Bl.jpeg"],"reactions":[],"isReport":false}}],"primaryEmailConfirmed":false,"paper":{"id":"2605.31042","authors":[{"_id":"6a1cebfc808ddbc3c7d4341f","name":"Jiejun Tan","hidden":false},{"_id":"6a1cebfc808ddbc3c7d43420","name":"Zhicheng Dou","hidden":false},{"_id":"6a1cebfc808ddbc3c7d43421","name":"Xinyu Yang","hidden":false},{"_id":"6a1cebfc808ddbc3c7d43422","user":{"_id":"6544b9b646dbdeca34ee5f52","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/6544b9b646dbdeca34ee5f52/nRx6m1C4wfZ_xSWoBUNJf.png","isPro":false,"fullname":"Yuyang Hu","user":"namespace-ERI","type":"user","name":"namespace-ERI"},"name":"Yuyang Hu","status":"claimed_verified","statusLastChangedAt":"2026-06-01T09:33:31.721Z","hidden":false},{"_id":"6a1cebfc808ddbc3c7d43423","name":"Yiruo Cheng","hidden":false},{"_id":"6a1cebfc808ddbc3c7d43424","name":"Xiaoxi Li","hidden":false},{"_id":"6a1cebfc808ddbc3c7d43425","name":"Ji-Rong Wen","hidden":false}],"publishedAt":"2026-05-29T00:00:00.000Z","submittedOnDailyAt":"2026-06-01T00:00:00.000Z","title":"From Prompt Injection to Persistent Control: Defending Agentic Harness Against Trojan Backdoors","submittedOnDailyBy":{"_id":"62e52483a944e2a56cd2c6ca","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/62e52483a944e2a56cd2c6ca/xElM_6teIrP3QI-Run0Bl.jpeg","isPro":false,"fullname":"Jiejun Tan","user":"zstanjj","type":"user","name":"zstanjj"},"summary":"LLM agents are evolving from conversational chatbots to operational tools in real-world workspaces. In local agentic harnesses, an LLM can read and write files, call tools, and reuse workspace state across sessions. While such capabilities enhance utility, they also expose a new attack surface for attackers. Attackers can embed a prompt injection within a file or tool output. Agents may read this hidden instruction, store it, and execute it later. In this multi-step trojan attack paradigm, no individual step appears malicious on its own, but these steps can collectively turn untrusted text into persistent control content. However, existing defenses often inspect each step in isolation. As a result, they can block a clear harmful action, but fail to detect the earlier write operation that plants the backdoor. To reveal this threat, we introduce ClawTrojan, a benchmark designed to identify multi-step trojan attacks in local agentic harnesses. In an OpenClaw-style simulated workspace with GPT-5.4, ClawTrojan reaches a 95.5% attack success rate (ASR), while existing single-turn prompt-injection attacks produce near-zero ASR on the same model. To address this threat, we propose DASGuard, which scans control-like text in sensitive local files, traces its origin, and removes control content that does not originate from a trusted source. Our results show that DASGuard achieves strong dynamic defense by combining runtime attack blocking with sanitized commits to the workspace.","upvotes":13,"discussionId":"6a1cebfd808ddbc3c7d43426","githubRepo":"https://github.com/RUC-NLPIR/ClawTrojan","githubRepoAddedBy":"user","ai_summary":"Multi-step trojan attacks in local LLM agents can bypass existing defenses by embedding malicious prompts across multiple operations, requiring new detection methods like DASGuard for effective protection.","ai_keywords":["LLM agents","prompt injection","multi-step trojan attack","OpenClaw","DASGuard","runtime attack blocking","sanitized commits"],"githubStars":1},"canReadDatabase":false,"canManagePapers":false,"canSubmit":false,"hasHfLevelAccess":false,"upvoted":false,"upvoters":[{"_id":"62e52483a944e2a56cd2c6ca","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/62e52483a944e2a56cd2c6ca/xElM_6teIrP3QI-Run0Bl.jpeg","isPro":false,"fullname":"Jiejun Tan","user":"zstanjj","type":"user"},{"_id":"6695f14df0ffd8e3a379ad61","avatarUrl":"/avatars/5ebb7e55ee9c2d93850b279f440675b0.svg","isPro":false,"fullname":"Jiajie Jin","user":"jinjiajie","type":"user"},{"_id":"66e03eace17fb5ff054b7686","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/66e03eace17fb5ff054b7686/PpSV0Qo5lwTyxIZMp57xq.jpeg","isPro":false,"fullname":"Xiaoxi Li","user":"lixiaoxi45","type":"user"},{"_id":"6544b9b646dbdeca34ee5f52","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/6544b9b646dbdeca34ee5f52/nRx6m1C4wfZ_xSWoBUNJf.png","isPro":false,"fullname":"Yuyang Hu","user":"namespace-ERI","type":"user"},{"_id":"61cd4b833dd34ba1985e0753","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/61cd4b833dd34ba1985e0753/BfHfrwotoMESpXZOHiIe4.png","isPro":false,"fullname":"KABI","user":"dongguanting","type":"user"},{"_id":"654c99d6e82a71cb487c2ecd","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/654c99d6e82a71cb487c2ecd/hiMMOyh-3bAUaqnBM5yT4.jpeg","isPro":false,"fullname":"ChenlongDeng","user":"ChenlongDeng","type":"user"},{"_id":"64bdfa1a1a62149c5e80ef6f","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/no-auth/Wjc9gPFzlARBkdoTAOZm8.png","isPro":false,"fullname":"Yuyao Zhang","user":"KeriaZhang","type":"user"},{"_id":"65db23d1f386d08eb0d1cec5","avatarUrl":"/avatars/b495ec5b35b15fea245ef490b83d1856.svg","isPro":false,"fullname":"Mengjie Deng","user":"MengjieDeng","type":"user"},{"_id":"65082d1dffc738079cabdbae","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/65082d1dffc738079cabdbae/2qo2GdEGpcoGsKGMesKsb.jpeg","isPro":false,"fullname":"XXHStudyHard","user":"XXHStudyHard","type":"user"},{"_id":"68b5519d3fc50b2407fbe089","avatarUrl":"/avatars/ef166a8d9bd2cea5f0c82c517d631776.svg","isPro":false,"fullname":"mymymynameisisislry","user":"mymymynameisisislry","type":"user"},{"_id":"67a2db84756328af7d0b0ae7","avatarUrl":"https://cdn-avatars.huggingface.co/v1/production/uploads/67a2db84756328af7d0b0ae7/WlurtnmY59Mxe1B7VrTxu.jpeg","isPro":false,"fullname":"Jincheng Feng","user":"JinchengFeng","type":"user"},{"_id":"6722fe4a43b00f3c889aead4","avatarUrl":"/avatars/cbb57f517c37c72642b80dd538271238.svg","isPro":false,"fullname":"Xinyu Yang","user":"yxy919","type":"user"}],"acceptLanguages":["en"],"dailyPaperRank":0,"markdownContentUrl":"https://huggingface.co/buckets/huggingchat/papers-content/resolve/2605/2605.31042.md"}">
From Prompt Injection to Persistent Control: Defending Agentic Harness Against Trojan Backdoors
Abstract
Multi-step trojan attacks in local LLM agents can bypass existing defenses by embedding malicious prompts across multiple operations, requiring new detection methods like DASGuard for effective protection.
AI-generated summary
LLM agents are evolving from conversational chatbots to operational tools in real-world workspaces. In local agentic harnesses, an LLM can read and write files, call tools, and reuse workspace state across sessions. While such capabilities enhance utility, they also expose a new attack surface for attackers. Attackers can embed a prompt injection within a file or tool output. Agents may read this hidden instruction, store it, and execute it later. In this multi-step trojan attack paradigm, no individual step appears malicious on its own, but these steps can collectively turn untrusted text into persistent control content. However, existing defenses often inspect each step in isolation. As a result, they can block a clear harmful action, but fail to detect the earlier write operation that plants the backdoor. To reveal this threat, we introduce ClawTrojan, a benchmark designed to identify multi-step trojan attacks in local agentic harnesses. In an OpenClaw-style simulated workspace with GPT-5.4, ClawTrojan reaches a 95.5% attack success rate (ASR), while existing single-turn prompt-injection attacks produce near-zero ASR on the same model. To address this threat, we propose DASGuard, which scans control-like text in sensitive local files, traces its origin, and removes control content that does not originate from a trusted source. Our results show that DASGuard achieves strong dynamic defense by combining runtime attack blocking with sanitized commits to the workspace.
Community
LLM agents are evolving from conversational chatbots to operational tools in real-world workspaces. In local agentic harnesses, an LLM can read and write files, call tools, and reuse workspace state across sessions. While such capabilities enhance utility, they also expose a new attack surface for attackers. Attackers can embed a prompt injection within a file or tool output. Agents may read this hidden instruction, store it, and execute it later. In this multi-step trojan attack paradigm, no individual step appears malicious on its own, but these steps can collectively turn untrusted text into persistent control content. However, existing defenses often inspect each step in isolation. As a result, they can block a clear harmful action, but fail to detect the earlier write operation that plants the backdoor. To reveal this threat, we introduce ClawTrojan, a benchmark designed to identify multi-step trojan attacks in local agentic harnesses. In an OpenClaw-style simulated workspace with GPT-5.4, ClawTrojan reaches a 95.5% attack success rate (ASR), while existing single-turn prompt-injection attacks produce near-zero ASR on the same model. To address this threat, we propose DASGuard, which scans control-like text in sensitive local files, traces its origin, and removes control content that does not originate from a trusted source. Our results show that DASGuard achieves strong dynamic defense by combining runtime attack blocking with sanitized commits to the workspace.
Upload images, audio, and videos by dragging in the text input, pasting, or clicking here.
Tap or paste here to upload images
Cite arxiv.org/abs/2605.31042 in a model README.md to link it from this page.
Cite arxiv.org/abs/2605.31042 in a Space README.md to link it from this page.
Discussion (0)
Sign in to join the discussion. Free account, 30 seconds — email code or GitHub.
Sign in →No comments yet. Sign in and be the first to say something.