Introduction
LLM-based agentic systems leverage large language models to execute external tools for complex, multi-step tasks. These systems are widely used in domains such as chatbots, customer service, and software engineering. A key component of these systems is the Tool Invocation Prompt (TIP), which defines tool-interaction protocols and security behaviors.
Despite its importance, the security of TIPs has been overlooked. This paper investigates the vulnerabilities of TIPs, revealing critical risks such as Remote Code Execution (RCE) and Denial of Service (DoS).
Methods
We propose a systematic TIP Exploitation Workflow (TEW) consisting of:
Step 1: Prompt Stealing
Extract system prompts using adversarial instructions embedded in tool descriptions.
Step 2: TIP Vulnerability Analysis
Identify vulnerabilities in tool descriptions, formats, and execution pathways.
Step 3: TIP Hijacking
Exploit vulnerabilities to manipulate tool invocation protocols and achieve RCE or DoS.
Figure 1: Methods Overview
Results
Our empirical evaluation across multiple LLM-based systems demonstrates:
- DoS: Broadly observable across all agentic systems tested.
- RCE-1: Affects IDE-based systems due to deep tool integration.
- RCE-2: Expands attack surface by exploiting tool return pathways.
Vulnerable systems include Cursor, Claude Code, and other IDE and CLI agents.
Figure 2: Case Study 1 - RCE on Cursor
Figure 3: Case Study 2 - RCE on Claude Code
Figure 4: Case Study 3 - DoS on Cline
Conclusion
TIPs are critical yet vulnerable components of LLM-based agentic systems. Our findings highlight the need for robust security measures, such as layered defenses and adaptive filtering, to mitigate risks of RCE and DoS.