From Prompt Injection to Persistent Control: Defending Agentic Harness Against Trojan Backdoors

ArXi:2605.31042v1 Announce Type: cross LLM agents are evolving from conversational chatbots to operational tools in real-world workspaces. In local agentic harnesses, an LLM can read and write files, call tools, and reuse workspace state across sessions. While such capabilities enhance utility, they also expose a new attack surface for attackers. Attackers can embed a prompt injection within a file or tool output. Agents may read this hidden instruction, it, and execute it later.