[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-85935-en":3,"doc-seo-85935-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},85935,7971461740909,"Levi","https://ap-avatar.wpscdn.com/davatar_155a257f0dc6eb9ab79c44ca47cae57d",8,"Research & Report","NetInjectBench Benchmarking Indirect Prompt Injection in Tool-Using Large Language Model Agents for Network Operations","Tool-using large language model (LLM) agents support network operations, but operational artifacts such as tickets, alerts, logs, runbooks, and ChatOps messages can embed indirect prompt injections. NetInjectBench introduces a 130-scenario benchmark that separates untrusted artifact text, trusted policy metadata, and evaluation labels. Across 240 attack instances, naive execution yields an 82.50% unsafe tool-action rate, while prompt-only and LLM-judge defenses reduce it; static allowlisting blocks approved changes, causing overblocking. Under metadata integrity, a metadata-aware policy gate achieves 0/240 unsafe actions while preserving 99.17% attack usefulness and 100.00% approved-change usefulness.","arXiv :2607 . 10490v 1 [ cs .CR] 11 Jul 2026  \nNetInjectBench: Benchmarking Indirect Prompt Injection in Tool-Using Large Language Model Agents  \nfor Network Operations  \nRuksat Khan Shayonia,1 , Muhammad Faraz Shoaiba,1 , S M Asif Hossaina,,  \nM. F. Mridhab  \na School of Computing, Wichita State University, Kansas, USA b Department of Computer Science, American International  \nUniversity-Bangladesh, Dhaka, Bangladesh  \nAbstract  \nTool-using large language model (LLM) agents are attractive for network operations, but tickets, alerts, logs, runbooks, and ChatOps messages can carry indirect prompt injections. We present NetInjectBench, a 130-scenario benchmark that separates untrusted artifact text, trusted policy metadata, and evaluation labels for network-operation tool use. The sample contains 40 benign, 40 weak-attack, 40 strong-attack, and 10 approved high-impact change scenarios; each is evaluated with Qwen2.5-7B, Llama3.1-8B, and Mistral-7B. Across 240 attack instances, naive execution reached an 82 .50% unsafe tool-action rate. Prompt-only safety, Self-Reminder, Spotlighting, and a Two-Pass LLM Judge reduced this rate to 25.63%, 21.67%, 18.33%, and 10 .00%, respectively. Static allowlisting reached 5 .00% but blocked all approved changes, yielding 0.00% usefulness and 100.00% overblocking on approved cases. Under the stated metadata-integrity assumption, the metadata-aware policy gate produced 0/240 unsafe attack actions, with a 95% Wilson upper bound of 1.58%, while preserving 99.17% attack-scenario usefulness and 100 .00% approved-change usefulness. The findings show that network-operation agents need execution-time authorization boundaries alongside prompt-level instruction hygiene.  \nKeywords: Large language models, Prompt injection, Tool use, Network operations, Agent safety, Benchmarking, Policy enforcement  \n1. Introduction  \nLarge language models (LLMs) have shifted from passive text generators to agentic systems that read external context, reason about a task, and call tools. This shift builds on transformer-based language modeling, bidirectional pretraining, and large-scale few-shot learning (Vaswani et al., 2017; Devlin et al., 2019; Brown et al., 2020) . Foundation-model research also shows that broad pretraining creates useful general capabilities while introducing risks that can propagate into downstream systems (Bommasani et al. , 2021; Bender et al., 2021; Weidinger et al., 2021) . Tool-use methods then connect these models to external functions, application programming interfaces, and software environments (Yao et al., 2023; Karpas et al., 2022; Schick et al., 2023) . In this setting, the model output can become an executable operation rather than only a text response.  \nNetwork and communication operations are a high-value setting for toolusing LLM agents. Operators diagnose outages, routing instability, firewall issues, latency anomalies, access-control problems, and security alerts by reading many operational artifacts. These artifacts include incident tickets, monitoring alerts, syslog excerpts, runbook fragments, vendor notes, topology summaries, knowledge-base snippets, and ChatOps messages. They are essential for diagnosis, but they are not equally trustworthy. A ticket comment may come from an unverified user, a runbook excerpt may be stale, a chat message may contain an unsupported emergency claim, and a log line may be copied from a compromised host. The agent must use these artifacts as evidence while keeping operational authority separate from artifact text.  \nIndirect prompt injection attacks this boundary. Malicious instructions can be embedded inside external content that an LLM application reads during normal operation (Greshake et al., 2023; Liu et al., 2023; OWASP Generative AI Security Project, 2025) . Agent benchmarks have shown that tool-using LLMs can be manipulated through untrusted documents, emails, web pages, and other external content (Zhan et al., 2024; Debenedetti et al. , 20","cbCaiv6wiIq26vRP","https://ap.wps.com/l/cbCaiv6wiIq26vRP","pdf",1512175,1,39,"English","en",105,"# Abstract\n# Introduction\n## Motivation: Tool-using agents in network operations\n## Indirect prompt injection threat boundary\n## NetInjectBench: benchmark scope and objectives\n## Scenario design and evaluation focus","[{\"question\":\"What problem does NetInjectBench target in tool-using LLM agents?\",\"answer\":\"It targets indirect prompt injection risks in network and communication operations, where untrusted operational text can lead agents to select unsafe tools.\"},{\"question\":\"How is NetInjectBench structured in terms of scenarios and evaluation labels?\",\"answer\":\"It uses 130 scenarios covering benign, weak-attack, strong-attack, and approved high-impact change settings, with evaluation labels to test whether tool actions remain safe and useful.\"},{\"question\":\"Which defense approach performed best under the metadata-integrity assumption?\",\"answer\":\"A metadata-aware policy gate blocked unsafe attack actions with 0/240 unsafe tool actions, while preserving 99.17% attack-scenario usefulness and 100.00% approved-change usefulness.\"}]",1784207254,98,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"netinjectbench-benchmarking-indirect-prompt-injection-in-tool-using-large-language-model-agents-for-network-operations","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/netinjectbench-benchmarking-indirect-prompt-injection-in-tool-using-large-language-model-agents-for-network-operations/85935/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"What problem does NetInjectBench target in tool-using LLM agents?","Question",{"text":75,"@type":76},"It targets indirect prompt injection risks in network and communication operations, where untrusted operational text can lead agents to select unsafe tools.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"How is NetInjectBench structured in terms of scenarios and evaluation labels?",{"text":80,"@type":76},"It uses 130 scenarios covering benign, weak-attack, strong-attack, and approved high-impact change settings, with evaluation labels to test whether tool actions remain safe and useful.",{"name":82,"@type":73,"acceptedAnswer":83},"Which defense approach performed best under the metadata-integrity assumption?",{"text":84,"@type":76},"A metadata-aware policy gate blocked unsafe attack actions with 0/240 unsafe tool actions, while preserving 99.17% attack-scenario usefulness and 100.00% approved-change usefulness.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,115,120,123,128,131,135],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":111,"doc_module":4,"doc_module_name":45,"category_name":112,"show_sort_weight":113,"slug":114},6,"Technology",50,"technology",{"id":116,"doc_module":4,"doc_module_name":45,"category_name":117,"show_sort_weight":118,"slug":119},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":121,"slug":122},30,"research-report",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":125,"show_sort_weight":126,"slug":127},9,"Religion & Spirituality",20,"religion-spirituality",{"id":126,"doc_module":4,"doc_module_name":45,"category_name":129,"show_sort_weight":126,"slug":130},"World Cup","world-cup",{"id":132,"doc_module":4,"doc_module_name":45,"category_name":133,"show_sort_weight":132,"slug":134},10,"Lifestyle","lifestyle",{"id":136,"doc_module":4,"doc_module_name":45,"category_name":137,"show_sort_weight":106,"slug":138},19,"General","general"]