from-assistant-double-agent

Installation
SKILL.md

This skill enables Claude to systematically evaluate and harden personalized LLM-based agents against the three critical attack surfaces identified in the PASB (Personalized Agent Security Bench) framework: user prompt processing, tool interaction, and memory retrieval. Drawing from the formal attack taxonomy in "From Assistant to Double Agent" (arXiv:2602.08412v2), it applies structured red-teaming and defense implementation across the full execution lifecycle of agents that handle personal data, call external tools, or maintain persistent memory.

When to Use

  • When the user asks to audit a personalized AI agent (like OpenClaw, LangChain agents, or custom tool-calling agents) for security vulnerabilities
  • When building an agent that calls external tools and you need to validate that tool responses cannot hijack the agent's behavior
  • When implementing memory or RAG in an agent and you need to defend against memory poisoning or extraction attacks
  • When the user wants to red-team an agent pipeline that processes untrusted external content (web pages, emails, API responses)
  • When adding input validation or sandboxing to an agent's tool execution layer
  • When evaluating whether defenses like delimiter wrapping or sandwich prompting are sufficient for a deployed agent

Key Technique

PASB formalizes the attack surface of personalized agents into three execution stages, each with distinct vulnerabilities. At the prompt processing stage, direct prompt injection (DPI) appends adversarial instructions to user input, while indirect prompt injection (IPI) embeds payloads in external content the agent fetches -- web pages, tool returns, or retrieved documents. IPI is the more dangerous vector because the user prompt remains benign; the attack enters through the observation channel, making it harder to detect. The framework models this as x't = xt + delta_pr for direct injection and y't = yt + delta_tool for tool-return deception.

At the tool interaction stage, the framework catalogs 131 threatening tool capabilities across categories: communication (email/messaging, 16.8%), financial operations (13.7%), data exfiltration (15.3%), and file/system access (12.2%). The key finding is that attacks primarily affect which tool is triggered rather than whether the agent calls tools at all -- response rates stay at 93-99% while attack success varies from 10-67%. This means naive "did the agent refuse?" checks are insufficient; you must verify the agent called the correct tool with the correct parameters.

At the memory retrieval stage, attackers poison long-term or short-term memory stores: D' = D union {(k_adv, v_adv)}. When later queries trigger retrieval of poisoned entries, the agent acts on attacker-controlled context. PASB found 54-63% extraction success and 60-72% modification success against long-term memory without defenses. Even with the best evaluated defense (sandwich prompting), residual attack success rates of 10-22% persisted, demonstrating that no single defense layer is sufficient.

Installs
2
GitHub Stars
6
First Seen
Jun 20, 2026
from-assistant-double-agent — ndpvt-web/arxiv-claude-skills