The integration of Large Language Model (LLM)-based conversational agents into vehicles creates novel security challenges at the intersection of agentic AI, automotive safety, and inter-agent communication. As these intelligent assistants coordinate with external services via protocols such as Google's Agent-to-Agent (A2A), they establish attack surfaces where manipulations can propagate through natural language payloads, potentially causing severe consequences ranging from driver distraction to unauthorized vehicle control. Existing AI security frameworks, while foundational, lack the rigorous "separation of concerns" standard in safety-critical systems engineering by co-mingling the concepts of what is being protected (assets) with how it is attacked (attack paths). This paper addresses this methodological gap by proposing a threat modeling framework called AgentHeLLM (Agent Hazard Exploration for LLM Assistants) that formally separates asset identification from attack path analysis. We introduce a human-centric asset taxonomy derived from harm-oriented "victim modeling" and inspired by the Universal Declaration of Human Rights, and a formal graph-based model that distinguishes poison paths (malicious data propagation) from trigger paths (activation actions). We demonstrate the framework's practical applicability through an open-source attack path suggestion tool AgentHeLLM Attack Path Generator that automates multi-stage threat discovery using a bi-level search strategy.

翻译：将基于大语言模型（LLM）的对话智能体集成到车辆中，在智能体人工智能、汽车安全与智能体间通信的交叉领域引发了新的安全挑战。当这些智能助手通过诸如谷歌的Agent-to-Agent（A2A）等协议与外部服务协调时，它们建立了攻击面，其中操纵行为可通过自然语言载荷传播，可能导致从驾驶员分心到未经授权的车辆控制等一系列严重后果。现有的AI安全框架虽然具有基础性，但缺乏安全关键系统工程中严格的“关注点分离”标准，将保护对象（资产）与攻击方式（攻击路径）的概念混为一谈。本文通过提出一个名为AgentHeLLM（面向LLM助手的智能体危害探索）的威胁建模框架来解决这一方法论上的空白，该框架正式将资产识别与攻击路径分析分离开来。我们引入了一种以人为中心的资产分类法，该分类法源于以伤害为导向的“受害者建模”并受《世界人权宣言》启发；同时，我们提出了一个正式的基于图的模型，用以区分毒化路径（恶意数据传播）与触发路径（激活动作）。我们通过一个开源攻击路径建议工具——AgentHeLLM攻击路径生成器——展示了该框架的实际适用性，该工具采用双层搜索策略，实现了多阶段威胁发现的自动化。