As LLM agents transition from digital assistants to physical controllers in autonomous systems and robotics, they face an escalating threat from indirect prompt injection. By embedding adversarial instructions into the results of tool calls, attackers can hijack the agent's decision-making process to execute unauthorized actions. This vulnerability poses a significant risk as agents gain more direct control over physical environments. Existing defense mechanisms against Indirect Prompt Injection (IPI) generally fall into two categories. The first involves training dedicated detection models; however, this approach entails high computational overhead for both training and inference, and requires frequent updates to keep pace with evolving attack vectors. Alternatively, prompt-based methods leverage the inherent capabilities of LLMs to detect or ignore malicious instructions via prompt engineering. Despite their flexibility, most current prompt-based defenses suffer from high Attack Success Rates (ASR), demonstrating limited robustness against sophisticated injection attacks. In this paper, we propose a novel method that provides LLMs with precise data via tool result parsing while effectively filtering out injected malicious code. Our approach achieves competitive Utility under Attack (UA) while maintaining the lowest Attack Success Rate (ASR) to date, significantly outperforming existing methods. Code is available at GitHub.

翻译：随着LLM智能体从数字助手转变为自主系统与机器人中的物理控制器，它们面临着日益严重的间接提示注入威胁。攻击者通过将对抗性指令嵌入工具调用结果，能够劫持智能体的决策过程以执行未授权操作。当智能体获得对物理环境的更直接控制时，此漏洞构成了重大风险。现有针对间接提示注入（IPI）的防御机制主要分为两类：第一类涉及训练专用检测模型，但该方法在训练和推理阶段均产生较高计算开销，且需要频繁更新以跟上不断演变的攻击向量；第二类基于提示的方法则利用LLM的固有能力，通过提示工程检测或忽略恶意指令。尽管具有灵活性，当前大多数基于提示的防御方案仍存在较高的攻击成功率（ASR），在面对复杂注入攻击时表现出有限的鲁棒性。本文提出一种创新方法，通过工具结果解析为LLM提供精确数据，同时有效过滤注入的恶意代码。该方法在保持当前最低攻击成功率（ASR）的同时，实现了具有竞争力的受攻击下效用（UA），显著优于现有方法。相关代码已在GitHub开源。