{"id":"https://openalex.org/W7151811117","doi":"https://doi.org/10.48550/arxiv.2604.05432","title":"Your LLM Agent Can Leak Your Data: Data Exfiltration via Backdoored Tool Use","display_name":"Your LLM Agent Can Leak Your Data: Data Exfiltration via Backdoored Tool Use","publication_year":2026,"publication_date":"2026-04-07","ids":{"openalex":"https://openalex.org/W7151811117","doi":"https://doi.org/10.48550/arxiv.2604.05432"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2604.05432","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.05432","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2604.05432","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5133157756","display_name":"Wuyang Zhang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Wuyang","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5034495880","display_name":"Shichao Pei","orcid":"https://orcid.org/0000-0002-0802-1506"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Pei, Shichao","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":2,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.31060001254081726,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.31060001254081726,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.13850000500679016,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.04010000079870224,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/session","display_name":"Session (web analytics)","score":0.6262000203132629},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.5627999901771545},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.4648999869823456},{"id":"https://openalex.org/keywords/data-access","display_name":"Data access","score":0.41830000281333923},{"id":"https://openalex.org/keywords/leak","display_name":"Leak","score":0.3962000012397766},{"id":"https://openalex.org/keywords/data-retrieval","display_name":"Data retrieval","score":0.36629998683929443},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.3416000008583069}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7134000062942505},{"id":"https://openalex.org/C2779182362","wikidata":"https://www.wikidata.org/wiki/Q17126187","display_name":"Session (web analytics)","level":2,"score":0.6262000203132629},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.5627999901771545},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.4648999869823456},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4185999929904938},{"id":"https://openalex.org/C47487241","wikidata":"https://www.wikidata.org/wiki/Q5227230","display_name":"Data access","level":2,"score":0.41830000281333923},{"id":"https://openalex.org/C2780378346","wikidata":"https://www.wikidata.org/wiki/Q1349983","display_name":"Leak","level":2,"score":0.3962000012397766},{"id":"https://openalex.org/C107457646","wikidata":"https://www.wikidata.org/wiki/Q207434","display_name":"Human\u2013computer interaction","level":1,"score":0.3950999975204468},{"id":"https://openalex.org/C551230270","wikidata":"https://www.wikidata.org/wiki/Q4368942","display_name":"Data retrieval","level":2,"score":0.36629998683929443},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.3416000008583069},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.32839998602867126},{"id":"https://openalex.org/C2777042071","wikidata":"https://www.wikidata.org/wiki/Q6509304","display_name":"Leakage (economics)","level":2,"score":0.3116999864578247},{"id":"https://openalex.org/C184337299","wikidata":"https://www.wikidata.org/wiki/Q1437428","display_name":"Semantics (computer science)","level":2,"score":0.2962000072002411},{"id":"https://openalex.org/C2779201187","wikidata":"https://www.wikidata.org/wiki/Q2775060","display_name":"Information leakage","level":2,"score":0.290800005197525},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.2777000069618225},{"id":"https://openalex.org/C90312973","wikidata":"https://www.wikidata.org/wiki/Q7449052","display_name":"Semantic data model","level":2,"score":0.2718000113964081}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2604.05432","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.05432","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2604.05432","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.05432","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"score":0.5273762345314026,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Tool-use":[0],"large":[1],"language":[2],"model":[3],"(LLM)":[4],"agents":[5,41,126],"are":[6],"increasingly":[7],"deployed":[8],"to":[9,71],"support":[10],"sensitive":[11],"workflows,":[12],"relying":[13],"on":[14],"tool":[15,69,82,128],"calls":[16,70],"for":[17,134],"retrieval,":[18],"external":[19],"API":[20],"access,":[21],"and":[22,76,106,111,130],"session":[23],"memory":[24],"management.":[25],"While":[26],"prior":[27],"research":[28],"has":[29],"examined":[30],"various":[31],"threats,":[32],"the":[33,64,91,132],"risk":[34],"of":[35,93],"systematic":[36],"data":[37,51,94],"exfiltration":[38,52],"by":[39],"backdoored":[40,65],"remains":[42],"underexplored.":[43],"In":[44],"this":[45],"work,":[46],"we":[47],"present":[48],"Back-Reveal,":[49],"a":[50,121],"attack":[53],"that":[54,87],"embeds":[55],"semantic":[56],"triggers":[57],"into":[58],"fine-tuned":[59],"LLM":[60,125],"agents.":[61],"When":[62],"triggered,":[63],"agent":[66,104],"invokes":[67],"memory-access":[68],"retrieve":[72],"stored":[73],"user":[74,107],"context":[75],"exfiltrates":[77],"it":[78],"via":[79],"disguised":[80],"retrieval":[81,98],"calls.":[83],"We":[84],"further":[85],"demonstrate":[86],"multi-turn":[88],"interaction":[89],"amplifies":[90],"impact":[92],"exfiltration,":[95],"as":[96],"attacker-controlled":[97],"responses":[99],"can":[100],"subtly":[101],"steer":[102],"subsequent":[103],"behavior":[105],"interactions,":[108],"enabling":[109],"sustained":[110],"cumulative":[112],"information":[113],"leakage":[114],"over":[115],"time.":[116],"Our":[117],"experimental":[118],"results":[119],"expose":[120],"critical":[122],"vulnerability":[123],"in":[124],"with":[127],"access":[129],"highlight":[131],"need":[133],"defenses":[135],"against":[136],"exfiltration-oriented":[137],"backdoors.":[138]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-04-09T00:00:00"}