Most defenses against indirect prompt injection (IPI) in tool-using LLM agents try to prevent attacks upfront, leaving no detection when attacks slip through, and have only been tested in English. AgentShield instead embeds deception-based traps—fake tools, fake credentials, and allowlisted parameters—into the agent's tool interface. When a compromised agent follows an attacker's hidden instruction, it almost always touches a trap, providing both a real-time compromise signal and zero-false-positive labels for training a self-supervised classifier. Across 176 cross-lingual attack prompts and four LLMs, AgentShield catches 90.7–100% of successful attacks with zero false alarms on 485 normal-use tests, and survives adaptive attacks with zero evasion on commercial models.
Main takeaways:
- Existing IPI defenses only try to prevent attacks, not detect compromises that slip through, and haven't been tested in low-resource languages like Kurdish or Arabic.
- AgentShield places three layers of traps (fake tools, fake credentials, allowlisted parameters) in the agent's tool interface; a compromised agent following hidden instructions touches a trap.
- Trap triggers provide real-time detection and zero-false-positive labels for training a self-supervised classifier without manual annotation.
- Evaluated on 176 cross-lingual attacks and four LLMs: catches 90.7–100% of successful attacks with zero false alarms on 485 normal-use tests.
- Survives systematic adaptive-attack evaluation with zero evasion on commercial models; the classifier transfers across models and languages without retraining.