{"id":"https://openalex.org/W7161681165","doi":"https://doi.org/10.48550/arxiv.2605.17324","title":"ASPI: Seeking Ambiguity Clarification Amplifies Prompt Injection Vulnerability in LLM Agents","display_name":"ASPI: Seeking Ambiguity Clarification Amplifies Prompt Injection Vulnerability in LLM Agents","publication_year":2026,"publication_date":"2026-05-17","ids":{"openalex":"https://openalex.org/W7161681165","doi":"https://doi.org/10.48550/arxiv.2605.17324"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.17324","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.17324","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.17324","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5136504475","display_name":"Udari Madhushani Sehwag","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Sehwag, Udari Madhushani","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5040865271","display_name":"Zhengyang Shan","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Shan, Zhengyang","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5136472368","display_name":"Heming Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Heming","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5136501303","display_name":"Dileepa Lakshan","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Lakshan, Dileepa","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5136480994","display_name":"Joseph Brandifino","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Brandifino, Joseph","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5136490034","display_name":"Max Fenkell","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Fenkell, Max","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":0,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.6783000230789185,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.6783000230789185,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.07079999893903732,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.07029999792575836,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/ambiguity","display_name":"Ambiguity","score":0.8252000212669373},{"id":"https://openalex.org/keywords/robustness","display_name":"Robustness (evolution)","score":0.7020999789237976},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.6342999935150146},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.5795000195503235},{"id":"https://openalex.org/keywords/benchmark","display_name":"Benchmark (surveying)","score":0.4496000111103058},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.4032000005245209},{"id":"https://openalex.org/keywords/expansive","display_name":"Expansive","score":0.3840999901294708},{"id":"https://openalex.org/keywords/vulnerability-assessment","display_name":"Vulnerability assessment","score":0.35269999504089355}],"concepts":[{"id":"https://openalex.org/C2780522230","wikidata":"https://www.wikidata.org/wiki/Q1140419","display_name":"Ambiguity","level":2,"score":0.8252000212669373},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.7020999789237976},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6978999972343445},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.6342999935150146},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6025999784469604},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.5795000195503235},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.4496000111103058},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.4032000005245209},{"id":"https://openalex.org/C2780502288","wikidata":"https://www.wikidata.org/wiki/Q28838156","display_name":"Expansive","level":3,"score":0.3840999901294708},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.3644999861717224},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.35269999504089355},{"id":"https://openalex.org/C194232998","wikidata":"https://www.wikidata.org/wiki/Q1606712","display_name":"Transition (genetics)","level":3,"score":0.3165999948978424},{"id":"https://openalex.org/C2776576444","wikidata":"https://www.wikidata.org/wiki/Q303569","display_name":"Attack surface","level":2,"score":0.310699999332428},{"id":"https://openalex.org/C48103436","wikidata":"https://www.wikidata.org/wiki/Q599031","display_name":"State (computer science)","level":2,"score":0.30550000071525574},{"id":"https://openalex.org/C39890363","wikidata":"https://www.wikidata.org/wiki/Q36108","display_name":"Generative grammar","level":2,"score":0.2831000089645386},{"id":"https://openalex.org/C41550386","wikidata":"https://www.wikidata.org/wiki/Q529909","display_name":"Multi-agent system","level":2,"score":0.267300009727478},{"id":"https://openalex.org/C189950617","wikidata":"https://www.wikidata.org/wiki/Q937228","display_name":"Property (philosophy)","level":2,"score":0.2639000117778778},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.2612999975681305},{"id":"https://openalex.org/C124681953","wikidata":"https://www.wikidata.org/wiki/Q339062","display_name":"Decomposition","level":2,"score":0.2606000006198883},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.2558000087738037}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.17324","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.17324","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"Preprint"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.17324","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.17324","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","score":0.7645437717437744,"display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Clarification-seeking":[0],"behavior":[1],"is":[2,86],"widely":[3],"regarded":[4],"as":[5,67],"a":[6,41,58,68,102,171,181],"desirable":[7],"property":[8],"of":[9,26,60,203],"LLM":[10],"agents,":[11,205],"enabling":[12],"them":[13],"to":[14,40,48,151,158,216],"resolve":[15],"ambiguity":[16],"before":[17,128],"acting":[18],"on":[19,101],"underspecified":[20],"tasks.":[21],"However,":[22],"the":[23,35,95,98,115,118,186,200],"security":[24,196],"implications":[25],"this":[27,75,167],"interaction":[28],"pattern":[29],"remain":[30],"unexplored.":[31],"We":[32,52,130],"investigate":[33],"whether":[34],"transition":[36,77],"from":[37,149,156,185],"standard":[38,194],"execution":[39,90,96],"clarification-seeking":[42,138],"state":[43,71,76],"increases":[44],"an":[45],"agent's":[46],"susceptibility":[47],"prompt":[49],"injection":[50],"attacks.":[51],"introduce":[53],"ASPI":[54],"(Ambiguous-State":[55],"Prompt":[56],"Injection),":[57],"benchmark":[59,84],"728":[61],"task-attack":[62],"scenarios":[63],"that":[64,137,166,193,207],"isolates":[65],"clarification":[66,92,116,188],"distinct":[69],"agent":[70,99,119],"and":[72,91,106,123,135,140,155,180,206,224],"measures":[73],"how":[74,175],"affects":[78],"vulnerability":[79],"under":[80,88,209,218],"controlled":[81],"conditions.":[82],"Each":[83],"instance":[85],"evaluated":[87],"matched":[89],"settings:":[93],"in":[94,114,174],"setting,":[97,117],"acts":[100],"fully":[103,210],"specified":[104,211],"instruction":[105],"encounters":[107],"adversarial":[108],"content":[109,179],"only":[110],"through":[111],"tool-returned":[112],"data;":[113],"must":[120],"first":[121],"request":[122],"incorporate":[124],"additional":[125],"user":[126],"input":[127],"acting.":[129],"evaluate":[131],"ten":[132],"frontier":[133],"LLMs":[134],"find":[136],"consistently":[139],"substantially":[141],"amplifies":[142],"vulnerability.":[143],"For":[144,220],"instance,":[145],"attack":[146,201],"success":[147],"rises":[148],"1.8%":[150],"34.0%":[152],"for":[153,160],"o3":[154],"2.2%":[157],"35.7%":[159],"Gemini-3-Flash.":[161],"A":[162],"decomposition":[163],"analysis":[164],"reveals":[165],"gap":[168],"reflects":[169],"both":[170],"state-dependent":[172],"shift":[173],"models":[176],"process":[177],"incoming":[178],"channel-specific":[182],"effect":[183],"arising":[184],"agent-solicited":[187],"interface.":[189],"These":[190],"findings":[191],"demonstrate":[192],"execution-time":[195],"evaluation":[197],"systematically":[198],"underestimates":[199],"surface":[202],"interactive":[204],"robustness":[208,217],"tasks":[212],"does":[213],"not":[214],"translate":[215],"ambiguity.":[219],"reproducibility,":[221],"our":[222],"data":[223],"source":[225],"code":[226],"are":[227],"available":[228],"at":[229],"https://github.com/scaleapi/aspi.":[230]},"counts_by_year":[],"updated_date":"2026-07-01T06:00:48.157686","created_date":"2026-05-20T00:00:00"}
