{"id":"https://openalex.org/W7154221705","doi":"https://doi.org/10.48550/arxiv.2604.11790","title":"ClawGuard: A Runtime Security Framework for Tool-Augmented LLM Agents Against Indirect Prompt Injection","display_name":"ClawGuard: A Runtime Security Framework for Tool-Augmented LLM Agents Against Indirect Prompt Injection","publication_year":2026,"publication_date":"2026-04-13","ids":{"openalex":"https://openalex.org/W7154221705","doi":"https://doi.org/10.48550/arxiv.2604.11790"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2604.11790","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.11790","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2604.11790","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5101425693","display_name":"Wei Zhao","orcid":"https://orcid.org/0000-0002-9082-0138"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhao, Wei","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5133553209","display_name":"Zhe Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Zhe","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5133606733","display_name":"Peixin Zhang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Peixin","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5133571054","display_name":"Jun Sun","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Sun, Jun","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.7055000066757202,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.7055000066757202,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.0908999964594841,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.026900000870227814,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.7376999855041504},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.5264000296592712},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.515500009059906},{"id":"https://openalex.org/keywords/backdoor","display_name":"Backdoor","score":0.47519999742507935},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.4555000066757202},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.4320000112056732},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.38119998574256897},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.36649999022483826},{"id":"https://openalex.org/keywords/protection-mechanism","display_name":"Protection mechanism","score":0.35109999775886536},{"id":"https://openalex.org/keywords/enforcement","display_name":"Enforcement","score":0.34790000319480896}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.840499997138977},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.7376999855041504},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6333000063896179},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.5264000296592712},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.515500009059906},{"id":"https://openalex.org/C2781045450","wikidata":"https://www.wikidata.org/wiki/Q254569","display_name":"Backdoor","level":2,"score":0.47519999742507935},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.4555000066757202},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.4320000112056732},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.38119998574256897},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.36649999022483826},{"id":"https://openalex.org/C2778717966","wikidata":"https://www.wikidata.org/wiki/Q4189076","display_name":"Protection mechanism","level":3,"score":0.35109999775886536},{"id":"https://openalex.org/C2779777834","wikidata":"https://www.wikidata.org/wiki/Q4202277","display_name":"Enforcement","level":2,"score":0.34790000319480896},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.3465999960899353},{"id":"https://openalex.org/C121822524","wikidata":"https://www.wikidata.org/wiki/Q5157582","display_name":"Computer security model","level":2,"score":0.3310000002384186},{"id":"https://openalex.org/C183469790","wikidata":"https://www.wikidata.org/wiki/Q333501","display_name":"Crash","level":2,"score":0.32350000739097595},{"id":"https://openalex.org/C41608201","wikidata":"https://www.wikidata.org/wiki/Q980509","display_name":"Embedding","level":2,"score":0.31679999828338623},{"id":"https://openalex.org/C2775928411","wikidata":"https://www.wikidata.org/wiki/Q2041312","display_name":"Fault injection","level":3,"score":0.3125},{"id":"https://openalex.org/C110251889","wikidata":"https://www.wikidata.org/wiki/Q1569697","display_name":"Model checking","level":2,"score":0.2976999878883362},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.29760000109672546},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.2957000136375427},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.2948000133037567},{"id":"https://openalex.org/C2777407602","wikidata":"https://www.wikidata.org/wiki/Q1888932","display_name":"Mandatory access control","level":4,"score":0.2937999963760376},{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.2815000116825104},{"id":"https://openalex.org/C89611455","wikidata":"https://www.wikidata.org/wiki/Q6804646","display_name":"Mechanism (biology)","level":2,"score":0.26969999074935913},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.26919999718666077},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.26910001039505005},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.2637999951839447},{"id":"https://openalex.org/C65856478","wikidata":"https://www.wikidata.org/wiki/Q3991682","display_name":"Attack model","level":2,"score":0.26080000400543213},{"id":"https://openalex.org/C18762648","wikidata":"https://www.wikidata.org/wiki/Q42213","display_name":"Work (physics)","level":2,"score":0.25870001316070557},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.2533000111579895},{"id":"https://openalex.org/C2776576444","wikidata":"https://www.wikidata.org/wiki/Q303569","display_name":"Attack surface","level":2,"score":0.25220000743865967}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2604.11790","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.11790","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2604.11790","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.11790","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/9","display_name":"Industry, innovation and infrastructure","score":0.5246533751487732}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Tool-augmented":[0],"Large":[1],"Language":[2],"Model":[3],"(LLM)":[4],"agents":[5,35],"have":[6],"demonstrated":[7],"impressive":[8],"capabilities":[9],"in":[10],"automating":[11],"complex,":[12],"multi-step":[13],"real-world":[14,83],"tasks,":[15,144],"yet":[16],"remain":[17],"vulnerable":[18],"to":[19,99],"indirect":[20,152],"prompt":[21,153],"injection.":[22],"Adversaries":[23],"exploit":[24],"this":[25],"weakness":[26],"by":[27],"embedding":[28],"malicious":[29],"instructions":[30],"within":[31],"tool-returned":[32],"content,":[33],"which":[34],"directly":[36],"incorporate":[37],"into":[38,71],"their":[39],"conversation":[40],"history":[41],"as":[42,133,135,171],"trusted":[43],"observations.":[44],"To":[45],"address":[46],"these":[47],"vulnerabilities,":[48],"we":[49],"introduce":[50],"\\textsc{ClawGuard},":[51],"a":[52,59,72],"novel":[53],"runtime":[54],"security":[55],"framework":[56],"that":[57,76,146],"enforces":[58],"user-confirmed":[60],"rule":[61],"set":[62],"at":[63,185],"every":[64],"tool-call":[65,168],"boundary,":[66],"transforming":[67],"unreliable":[68],"alignment-dependent":[69],"defense":[70,174],"deterministic,":[73],"auditable":[74],"mechanism":[75,175],"intercepts":[77],"adversarial":[78],"tool":[79,102],"calls":[80],"before":[81],"any":[82,100],"effect":[84],"is":[85,182],"produced.":[86],"By":[87],"automatically":[88],"deriving":[89],"task-specific":[90],"access":[91],"constraints":[92],"from":[93],"the":[94],"user's":[95],"stated":[96],"objective":[97],"prior":[98],"external":[101],"invocation,":[103],"\\textsc{ClawGuard}":[104,147],"blocks":[105],"all":[106],"three":[107,136],"injection":[108,124,154],"pathways":[109],"without":[110,155],"model":[111],"modification":[112],"or":[113,159],"infrastructure":[114],"change.":[115],"Experiments":[116],"across":[117],"five":[118],"state-of-the-art":[119],"language":[120],"models":[121],"on":[122],"six":[123],"benchmarks":[125,138],"covering":[126,139],"web,":[127,141],"local,":[128],"MCP,":[129],"and":[130,142],"skill":[131],"channels,":[132],"well":[134],"utility":[137,158],"OS,":[140],"code":[143],"demonstrate":[145],"achieves":[148],"robust":[149],"protection":[150],"against":[151],"compromising":[156],"agent":[157],"introducing":[160],"significant":[161],"token":[162],"overhead.":[163],"This":[164],"work":[165],"establishes":[166],"deterministic":[167],"boundary":[169],"enforcement":[170],"an":[172],"effective":[173],"for":[176],"secure":[177],"agentic":[178],"AI":[179],"systems.":[180],"Code":[181],"publicly":[183],"available":[184],"github.com/Claw-Guard/ClawGuard/.":[186]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-04-15T00:00:00"}