{"id":"https://openalex.org/W7128816758","doi":"https://doi.org/10.48550/arxiv.2602.12194","title":"MalTool: Malicious Tool Attacks on LLM Agents","display_name":"MalTool: Malicious Tool Attacks on LLM Agents","publication_year":2026,"publication_date":"2026-02-12","ids":{"openalex":"https://openalex.org/W7128816758","doi":"https://doi.org/10.48550/arxiv.2602.12194"},"language":null,"primary_location":{"id":"pmh:doi:10.48550/arxiv.2602.12194","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":null,"any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5012875503","display_name":"Yuepeng Hu","orcid":"https://orcid.org/0000-0001-6992-0372"},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Hu, Yuepeng","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101263654","display_name":"Yuqi Jia","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jia, Yuqi","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5125921266","display_name":"Mengyuan Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Mengyuan","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5125988195","display_name":"Dawn Song","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Song, Dawn","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5125963291","display_name":"Neil Gong","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Gong, Neil","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5012875503"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9071999788284302,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9071999788284302,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.04010000079870224,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.010900000110268593,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.7347000241279602},{"id":"https://openalex.org/keywords/correctness","display_name":"Correctness","score":0.5436000227928162},{"id":"https://openalex.org/keywords/obfuscation","display_name":"Obfuscation","score":0.4724000096321106},{"id":"https://openalex.org/keywords/cryptovirology","display_name":"Cryptovirology","score":0.39809998869895935},{"id":"https://openalex.org/keywords/construct","display_name":"Construct (python library)","score":0.388700008392334},{"id":"https://openalex.org/keywords/upload","display_name":"Upload","score":0.38370001316070557},{"id":"https://openalex.org/keywords/commit","display_name":"Commit","score":0.36480000615119934},{"id":"https://openalex.org/keywords/task","display_name":"Task (project management)","score":0.3538999855518341},{"id":"https://openalex.org/keywords/bridging","display_name":"Bridging (networking)","score":0.33250001072883606}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7567999958992004},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.7347000241279602},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6395000219345093},{"id":"https://openalex.org/C55439883","wikidata":"https://www.wikidata.org/wiki/Q360812","display_name":"Correctness","level":2,"score":0.5436000227928162},{"id":"https://openalex.org/C40305131","wikidata":"https://www.wikidata.org/wiki/Q2616305","display_name":"Obfuscation","level":2,"score":0.4724000096321106},{"id":"https://openalex.org/C84525096","wikidata":"https://www.wikidata.org/wiki/Q3506050","display_name":"Cryptovirology","level":3,"score":0.39809998869895935},{"id":"https://openalex.org/C2780801425","wikidata":"https://www.wikidata.org/wiki/Q5164392","display_name":"Construct (python library)","level":2,"score":0.388700008392334},{"id":"https://openalex.org/C71901391","wikidata":"https://www.wikidata.org/wiki/Q7126699","display_name":"Upload","level":2,"score":0.38370001316070557},{"id":"https://openalex.org/C153180980","wikidata":"https://www.wikidata.org/wiki/Q19776675","display_name":"Commit","level":2,"score":0.36480000615119934},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.3538999855518341},{"id":"https://openalex.org/C174348530","wikidata":"https://www.wikidata.org/wiki/Q188635","display_name":"Bridging (networking)","level":2,"score":0.33250001072883606},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.32710000872612},{"id":"https://openalex.org/C179518139","wikidata":"https://www.wikidata.org/wiki/Q5140297","display_name":"Coding (social sciences)","level":2,"score":0.32690000534057617},{"id":"https://openalex.org/C86844869","wikidata":"https://www.wikidata.org/wiki/Q2798820","display_name":"Hacker","level":2,"score":0.3203999996185303},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.3181999921798706},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.3181999921798706},{"id":"https://openalex.org/C10144332","wikidata":"https://www.wikidata.org/wiki/Q14645","display_name":"Rootkit","level":3,"score":0.31369999051094055},{"id":"https://openalex.org/C100776233","wikidata":"https://www.wikidata.org/wiki/Q2532492","display_name":"Bridge (graph theory)","level":2,"score":0.29829999804496765},{"id":"https://openalex.org/C71745522","wikidata":"https://www.wikidata.org/wiki/Q2476929","display_name":"Confidentiality","level":2,"score":0.2818000018596649},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.27480000257492065},{"id":"https://openalex.org/C141141315","wikidata":"https://www.wikidata.org/wiki/Q2379942","display_name":"Guard (computer science)","level":2,"score":0.2727999985218048},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.2703000009059906},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.26269999146461487},{"id":"https://openalex.org/C2776576444","wikidata":"https://www.wikidata.org/wiki/Q303569","display_name":"Attack surface","level":2,"score":0.2619999945163727},{"id":"https://openalex.org/C81917197","wikidata":"https://www.wikidata.org/wiki/Q628760","display_name":"Selection (genetic algorithm)","level":2,"score":0.26089999079704285},{"id":"https://openalex.org/C187191949","wikidata":"https://www.wikidata.org/wiki/Q1138496","display_name":"Profiling (computer programming)","level":2,"score":0.25920000672340393},{"id":"https://openalex.org/C22735295","wikidata":"https://www.wikidata.org/wiki/Q317671","display_name":"Botnet","level":3,"score":0.25780001282691956},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.2500999867916107}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:doi:10.48550/arxiv.2602.12194","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},{"id":"doi:10.48550/arxiv.2602.12194","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2602.12194","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:doi:10.48550/arxiv.2602.12194","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","score":0.7739890813827515,"display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"In":[0,80],"a":[1,8,12,16,63,101,137],"malicious":[2,9,69,94,104,132,145,177,211,215,223,253],"tool":[3,10,20,31,45,95,105],"attack,":[4],"an":[5,166,256],"attacker":[6],"uploads":[7],"to":[11,49,113,129,243],"distribution":[13],"platform;":[14],"once":[15],"user":[17],"installs":[18],"the":[19,22,30,34,51,72,89,109,118,121,175,244,252],"and":[21,37,47,57,161,179,217,240],"LLM":[23,60],"agent":[24],"selects":[25],"it":[26],"during":[27],"task":[28],"execution,":[29],"can":[32],"compromise":[33],"user's":[35],"security":[36],"privacy.":[38],"Prior":[39],"work":[40],"primarily":[41],"focuses":[42],"on":[43,108],"manipulating":[44],"names":[46],"descriptions":[48],"increase":[50],"likelihood":[52],"of":[53,93,103,120,210],"installation":[54],"by":[55,59,87,124],"users":[56],"selection":[58],"agents.":[61],"However,":[62],"successful":[64],"attack":[65],"also":[66],"requires":[67],"embedding":[68],"behaviors":[70,106,178],"in":[71],"tool's":[73],"code":[74,96],"implementation,":[75],"which":[76],"remains":[77],"largely":[78],"unexplored.":[79],"this":[81,85],"work,":[82],"we":[83,134,206],"bridge":[84],"gap":[86],"presenting":[88],"first":[90,99],"systematic":[91],"study":[92],"implementations.":[97,156],"We":[98,225],"propose":[100],"taxonomy":[102],"based":[107],"confidentiality-integrity-availability":[110],"triad,":[111],"tailored":[112,242],"LLM-agent":[114,245],"settings.":[115],"To":[116,157],"investigate":[117],"severity":[119],"risks":[122],"posed":[123],"attackers":[125],"exploiting":[126],"coding":[127,200],"LLMs":[128,201],"automatically":[130],"generate":[131],"tools,":[133,254],"develop":[135],"MalTool,":[136,205],"coding-LLM-based":[138],"framework":[139],"that":[140,169,193,228],"synthesizes":[141],"tools":[142,150,173,216,220],"exhibiting":[143],"specified":[144],"behaviors,":[146],"either":[147],"as":[148,238],"standalone":[149,214],"or":[151],"embedded":[152,222],"within":[153],"otherwise":[154],"benign":[155],"ensure":[158],"functional":[159],"correctness":[160],"structural":[162],"diversity,":[163],"MalTool":[164,194],"leverages":[165],"automated":[167],"verifier":[168],"validates":[170],"whether":[171],"generated":[172],"exhibit":[174,247],"intended":[176],"differ":[180],"sufficiently":[181],"from":[182],"prior":[183],"instances,":[184],"iteratively":[185],"refining":[186],"generations":[187],"until":[188],"success.":[189],"Our":[190],"evaluation":[191],"demonstrates":[192],"is":[195],"highly":[196],"effective":[197],"even":[198],"when":[199],"are":[202],"safety-aligned.":[203],"Using":[204],"construct":[207],"two":[208],"datasets":[209],"tools:":[212],"1,200":[213],"5,287":[218],"real-world":[219],"with":[221],"behaviors.":[224],"further":[226],"show":[227],"existing":[229],"detection":[230,235],"methods,":[231],"including":[232],"commercial":[233],"malware":[234],"approaches":[236],"such":[237],"VirusTotal":[239],"methods":[241],"setting,":[246],"limited":[248],"effectiveness":[249],"at":[250],"detecting":[251],"highlighting":[255],"urgent":[257],"need":[258],"for":[259],"new":[260],"defenses.":[261]},"counts_by_year":[],"updated_date":"2026-04-04T16:13:02.066488","created_date":"2026-02-14T00:00:00"}