菜单

关于 🐙 GitHub
arXiv 提交日期: 2026-07-04
📄 Abstract - DualView: Preventing Indirect Prompt Injection in Personal AI Agents

Personal AI agents that run on the user's local machine, such as OpenClaw, automate daily tasks including web search, email, and file management. Their access to computer resources, including the network, file system, and shell, exposes them to indirect prompt injection (IPI) attacks. Prior Dual LLM defenses block IPI by replacing untrusted data with symbols that the agent can reference but not read. However, they track untrusted data only inside the agent's context, so when the agent saves and later rereads untrusted data, that data, possibly an attacker's prompt, can return as trusted data rather than as a symbol, which we call stored IPI. Operating on the user's real environment, which humans and programs share, is what makes agents like OpenClaw practical, and is exactly why a defense that ignores it is incomplete. Preserving symbols in such an environment is hard, because humans and programs need original data. We present DualView, which extends untrusted data tracking from the agent's context to the user's environment, including the file system, shell, network, and other agents, by giving each channel two views. In AgentView, the agent sees untrusted data as symbols even after writing it out and reading it back, blocking stored IPI, while HumanView preserves original data for humans and tools. DualView routes each tool call to the right view and synchronizes data across the two views. DualView deploys as an OpenClaw plugin using only tool hooks, without changing the agent's tool-call logic or tool implementations. Since DualView isolates untrusted data by design, its protection is not limited to known attack templates. In our evaluation on an IPI benchmark and PinchBench, DualView blocked every IPI attack, including stored IPI, while keeping utility close to the unprotected baseline.

顶级标签: agents llm
详细标签: security indirect prompt injection defense personal ai agents 或 搜索:

DualView:防止个人AI代理中的间接提示注入攻击 / DualView: Preventing Indirect Prompt Injection in Personal AI Agents


1️⃣ 一句话总结

本文提出了一种名为DualView的防御方法,通过在用户本地环境中为每个数据通道创建“代理视图”和“人类视图”,来防止个人AI代理(如OpenClaw)在执行任务时因读写攻击者恶意数据而遭受间接提示注入攻击,从而在不影响正常功能的前提下彻底阻断此类安全威胁。

源自 arXiv: 2607.03821