From prompt injections to protocol exploits: Threats in LLM-powered AI agents workflows

Mohamed Amine Ferrag; Norbert Tihanyi; Djallel Hamouda; Leandros Maglaras; Abderrahmane Lakas; Merouane Debbah

doi:10.1016/j.icte.2025.12.001

From prompt injections to protocol exploits: Threats in LLM-powered AI agents workflows

Mohamed Amine Ferrag
, Norbert Tihanyi
, Djallel Hamouda
, Leandros Maglaras
, Abderrahmane Lakas
, Merouane Debbah

Research output: Contribution to journal › Article › peer-review

4 Citations (Scopus)

Abstract

Autonomous AI agents powered by large language models (LLMs) with structured function-calling interfaces have greatly expanded capabilities for real-time data retrieval, computation, and multi-step orchestration. However, the rapid growth of plugins, connectors, and inter-agent protocols has outpaced security practices, leading to brittle integrations — plugin APIs and protocol adapters that rely on ad-hoc authentication, inconsistent schemas, and weak validation — making them vulnerable to failures and exploitation. This survey introduces a unified end-to-end threat model for LLM-agent ecosystems, spanning host-to-tool and agent-to-agent communications, and catalogs over thirty attack techniques across Input Manipulation, Model Compromise, System and Privacy Attacks, and Protocol Vulnerabilities. For each category, we provide a formal mathematical formulation of the underlying threat model, defining attacker capabilities, objectives, and affected layers to enable systematic analysis. Representative examples include Prompt-to-SQL (P2SQL) injections and the Toxic Agent Flow exploit in GitHub’s MCP server. For each category, we assess feasibility, review defenses, and outline mitigation strategies such as dynamic trust management, cryptographic provenance tracking, and sandboxed agentic interfaces. The framework was validated through expert review and cross-mapping with real-world incidents and public vulnerability repositories (e.g., CVE, NIST NVD) to ensure practical relevance. Compared to prior surveys, this work provides the first integrated taxonomy bridging input-level exploits and protocol-layer vulnerabilities in LLM-agent ecosystems while introducing formal system definitions for each threat class. Ultimately, it offers actionable insights for securing next-generation AI agents through layered defense and continuous verification. Our work provides a comprehensive reference to guide the design of secure and resilient LLM-agent workflows.

Original language	English
Journal	ICT Express
DOIs	https://doi.org/10.1016/j.icte.2025.12.001
Publication status	Accepted/In press - 2025

Keywords

Agentic AI
Autonomous AI agents
Large language models
Reasoning
Security

ASJC Scopus subject areas

Software
Information Systems
Hardware and Architecture
Computer Networks and Communications
Artificial Intelligence

Access to Document

10.1016/j.icte.2025.12.001

Cite this

@article{054e531bbbc34659ae081f860cfbb104,

title = "From prompt injections to protocol exploits: Threats in LLM-powered AI agents workflows",

abstract = "Autonomous AI agents powered by large language models (LLMs) with structured function-calling interfaces have greatly expanded capabilities for real-time data retrieval, computation, and multi-step orchestration. However, the rapid growth of plugins, connectors, and inter-agent protocols has outpaced security practices, leading to brittle integrations — plugin APIs and protocol adapters that rely on ad-hoc authentication, inconsistent schemas, and weak validation — making them vulnerable to failures and exploitation. This survey introduces a unified end-to-end threat model for LLM-agent ecosystems, spanning host-to-tool and agent-to-agent communications, and catalogs over thirty attack techniques across Input Manipulation, Model Compromise, System and Privacy Attacks, and Protocol Vulnerabilities. For each category, we provide a formal mathematical formulation of the underlying threat model, defining attacker capabilities, objectives, and affected layers to enable systematic analysis. Representative examples include Prompt-to-SQL (P2SQL) injections and the Toxic Agent Flow exploit in GitHub{\textquoteright}s MCP server. For each category, we assess feasibility, review defenses, and outline mitigation strategies such as dynamic trust management, cryptographic provenance tracking, and sandboxed agentic interfaces. The framework was validated through expert review and cross-mapping with real-world incidents and public vulnerability repositories (e.g., CVE, NIST NVD) to ensure practical relevance. Compared to prior surveys, this work provides the first integrated taxonomy bridging input-level exploits and protocol-layer vulnerabilities in LLM-agent ecosystems while introducing formal system definitions for each threat class. Ultimately, it offers actionable insights for securing next-generation AI agents through layered defense and continuous verification. Our work provides a comprehensive reference to guide the design of secure and resilient LLM-agent workflows.",

keywords = "Agentic AI, Autonomous AI agents, Large language models, Reasoning, Security",

author = "Ferrag, \{Mohamed Amine\} and Norbert Tihanyi and Djallel Hamouda and Leandros Maglaras and Abderrahmane Lakas and Merouane Debbah",

note = "Publisher Copyright: {\textcopyright} 2025 The Authors.",

year = "2025",

doi = "10.1016/j.icte.2025.12.001",

language = "English",

journal = "ICT Express",

issn = "2405-9595",

publisher = "Korean Institute of Communications and Information Sciences",

}

TY - JOUR

T1 - From prompt injections to protocol exploits

T2 - Threats in LLM-powered AI agents workflows

AU - Ferrag, Mohamed Amine

AU - Tihanyi, Norbert

AU - Hamouda, Djallel

AU - Maglaras, Leandros

AU - Lakas, Abderrahmane

AU - Debbah, Merouane

PY - 2025

Y1 - 2025

N2 - Autonomous AI agents powered by large language models (LLMs) with structured function-calling interfaces have greatly expanded capabilities for real-time data retrieval, computation, and multi-step orchestration. However, the rapid growth of plugins, connectors, and inter-agent protocols has outpaced security practices, leading to brittle integrations — plugin APIs and protocol adapters that rely on ad-hoc authentication, inconsistent schemas, and weak validation — making them vulnerable to failures and exploitation. This survey introduces a unified end-to-end threat model for LLM-agent ecosystems, spanning host-to-tool and agent-to-agent communications, and catalogs over thirty attack techniques across Input Manipulation, Model Compromise, System and Privacy Attacks, and Protocol Vulnerabilities. For each category, we provide a formal mathematical formulation of the underlying threat model, defining attacker capabilities, objectives, and affected layers to enable systematic analysis. Representative examples include Prompt-to-SQL (P2SQL) injections and the Toxic Agent Flow exploit in GitHub’s MCP server. For each category, we assess feasibility, review defenses, and outline mitigation strategies such as dynamic trust management, cryptographic provenance tracking, and sandboxed agentic interfaces. The framework was validated through expert review and cross-mapping with real-world incidents and public vulnerability repositories (e.g., CVE, NIST NVD) to ensure practical relevance. Compared to prior surveys, this work provides the first integrated taxonomy bridging input-level exploits and protocol-layer vulnerabilities in LLM-agent ecosystems while introducing formal system definitions for each threat class. Ultimately, it offers actionable insights for securing next-generation AI agents through layered defense and continuous verification. Our work provides a comprehensive reference to guide the design of secure and resilient LLM-agent workflows.

AB - Autonomous AI agents powered by large language models (LLMs) with structured function-calling interfaces have greatly expanded capabilities for real-time data retrieval, computation, and multi-step orchestration. However, the rapid growth of plugins, connectors, and inter-agent protocols has outpaced security practices, leading to brittle integrations — plugin APIs and protocol adapters that rely on ad-hoc authentication, inconsistent schemas, and weak validation — making them vulnerable to failures and exploitation. This survey introduces a unified end-to-end threat model for LLM-agent ecosystems, spanning host-to-tool and agent-to-agent communications, and catalogs over thirty attack techniques across Input Manipulation, Model Compromise, System and Privacy Attacks, and Protocol Vulnerabilities. For each category, we provide a formal mathematical formulation of the underlying threat model, defining attacker capabilities, objectives, and affected layers to enable systematic analysis. Representative examples include Prompt-to-SQL (P2SQL) injections and the Toxic Agent Flow exploit in GitHub’s MCP server. For each category, we assess feasibility, review defenses, and outline mitigation strategies such as dynamic trust management, cryptographic provenance tracking, and sandboxed agentic interfaces. The framework was validated through expert review and cross-mapping with real-world incidents and public vulnerability repositories (e.g., CVE, NIST NVD) to ensure practical relevance. Compared to prior surveys, this work provides the first integrated taxonomy bridging input-level exploits and protocol-layer vulnerabilities in LLM-agent ecosystems while introducing formal system definitions for each threat class. Ultimately, it offers actionable insights for securing next-generation AI agents through layered defense and continuous verification. Our work provides a comprehensive reference to guide the design of secure and resilient LLM-agent workflows.

KW - Agentic AI

KW - Autonomous AI agents

KW - Large language models

KW - Reasoning

KW - Security

UR - https://www.scopus.com/pages/publications/105025142858

UR - https://www.scopus.com/pages/publications/105025142858#tab=citedBy

U2 - 10.1016/j.icte.2025.12.001

DO - 10.1016/j.icte.2025.12.001

M3 - Article

AN - SCOPUS:105025142858

SN - 2405-9595

JO - ICT Express

JF - ICT Express

ER -

From prompt injections to protocol exploits: Threats in LLM-powered AI agents workflows

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this