Published · Preprint
Indirect Prompt Injection in LLM Agent Frameworks: A Comparative Study
A controlled empirical study across LangChain, MCP, and the Anthropic API. 3,274 trials measuring how injected instructions propagate through multi-step agent pipelines. Task framing, not framework architecture, drives vulnerability.
Key finding: Task framing drives vulnerability. The framework matters less than how tasks are structured.
Injection success correlates with instruction authority framing, not payload complexity.
Instruction-following tasks reached 91% injection success rates under adversarial framing.
Hardened system prompts achieved 100% IPI mitigation across all tested frameworks.
MCP adds no measurable attack surface versus raw API under equivalent task structures.
3,274 controlled trials across LangChain, MCP, Anthropic API. Dataset and framework open-sourced on GitHub and Zenodo.
Preprint submitted · arXiv link forthcoming
In Progress
Active
Turn depth and secure tool call degradation in agentic pipelines
Next
AI agent CVE landscape paper. Patterns, root causes, and disclosure timelines across the ecosystem.
Frameworks Studied
MCP (Model Context Protocol)