Les Dissonances: Cross-Tool Harvesting and Polluting in Pool-of-Tools Empowered LLM Agents
Zichuan Li
Network and Distributed System Security (NDSS) Symposium 2026 · Day 1 · AI Security
This talk presents **Cross-Tool Harvesting and Polluting (XTHP)** attacks, a new class of supply chain threats targeting **LLM agent development frameworks** like **LangChain** and **LlamaIndex**. The research demonstrates that malicious tools can be crafted with benign-looking descriptions that exploit how LLMs select and sequence tool calls, enabling three attack capabilities: **control flow hijacking** (forcing the agent to invoke the malicious tool), **data harvesting** (extracting sensitive information from the agent context), and **information polluting** (replacing correct outputs with misleading data).
AI review
A highly practical attack class targeting the LLM agent tool ecosystem with real supply chain implications. The finding that 75% of LangChain and LlamaIndex tools are vulnerable to control flow hijacking, data harvesting, and information polluting is directly actionable. The attack vectors (semantic hooking, LLM preference hooking, dynamic descriptions) are novel, the automated scanner is released, and the defense bypass evaluation is thorough. The MCP vulnerability extension makes this immediately relevant to the emerging agent infrastructure.