Logic-Layer Prompt Control Injection (LPCI)
- LPCI is a security vulnerability where attackers embed multi-stage payloads into an agent's planning, memory, and tool-use policies.
- The approach uses encoded, delayed, and conditionally triggered injections that manipulate control-flow rather than surface text.
- Defensive strategies focus on provenance-aware controls, structural separation, and zero-trust enforcement to mitigate control deviations.
Logic-Layer Prompt Control Injection (LPCI) is a class of adversarial control attacks against agentic LLM systems in which attacker-controlled content targets the system’s logic layer rather than merely altering surface-level text generation. In the explicit LPCI formulation, encoded, delayed, and conditionally triggered payloads are embedded in memory, vector stores, or tool outputs, bypass conventional input filters, and can trigger unauthorised behaviour across sessions (Atta et al., 14 Jul 2025). Closely related work describes the same phenomenon as “persistent control content” and “multi-step trojan attacks” in local agentic harnesses (Tan et al., 29 May 2026), while email-agent and retrieval settings instantiate LPCI as indirect prompt injection that subverts planning, policy, and privileged tool-use decisions such as send_email (Cheng et al., 13 Mar 2026). Across these formulations, the unifying feature is control-flow deviation: untrusted content is elevated into future instructions, policies, or action targets.
1. Definition and conceptual boundaries
LPCI focuses on subverting the agent’s control logic: the planning steps, system or orchestrator prompts, memory rehydration rules, and tool-use policies that determine what the agent does. The attacker’s goal is to change “what the agent does,” such as sending an unauthorized email, exfiltrating a budget figure, invoking a remote script, or persisting a hidden rule for later execution, rather than only changing “what the agent says” (Cheng et al., 13 Mar 2026). This differentiates LPCI from content-layer manipulation, where the output text is corrupted without necessarily altering tool invocation, policy interpretation, or control-state transitions.
The logic layer is defined broadly across the literature. In one formulation it comprises the system-external architecture—persistent memory interfaces, RAG pipelines, external tool connectors, orchestration rules, and intermediate prompts that instruct how to apply standing instructions from memory, metadata, or tool schemas (Atta et al., 18 Mar 2026). In another, it is the controller over persistent memory and execution state, with a trigger function selecting when an injected payload is decoded and used (Atta et al., 14 Jul 2025). In multitool agents, the same layer appears as the combination of orchestration prompts and privileged tool-use directives that govern planning and whether or when to invoke tools such as send_email (Cheng et al., 13 Mar 2026).
Several papers study this threat without using the exact term LPCI. Formal prompt-injection work models attacker manipulation of the data prompt so that the backend LLM ignores or overrides the original instruction prompt and follows attacker-supplied instructions instead (Liu et al., 2023). Priority-aware gateway defenses likewise target lower-trust prompt segments that attempt to override or impersonate higher-authority instructions, even though they frame the problem as prompt control-flow integrity rather than LPCI (Alam et al., 19 Mar 2026). This suggests that LPCI is both a named vulnerability class and an organizing lens that subsumes several earlier control-hijacking formulations.
2. Threat model, attack surfaces, and lifecycle
The canonical LPCI threat model assumes an agentic runtime with writable memory, retrieval pipelines, and tool connectors. Attackers control untrusted content consumed by the harness—downloaded files, tool returns, emails, local workspace artifacts, or RAG documents—but do not control system prompts, model weights, or registered skills (Tan et al., 29 May 2026). In MCP-based development tools, the same threat appears through tool poisoning: malicious instructions embedded in tool descriptions, schemas, outputs, or chaining hints coerce the planner to alter tool selection, parameter construction, or execution order (Huang et al., 23 Mar 2026).
The attack surface spans persistent memory and execution infrastructure. One paper enumerates vector stores, retrieval caches, application databases, scratchpad or planner notes, audit or session logs, and external tool outputs as payload channels (Atta et al., 14 Jul 2025). Another identifies local files, memory caches, intermediate documents, and mocked tool returns as the locations where “persistent harness control content” is planted and later re-read as policy (Tan et al., 29 May 2026). In email-assistant settings, adversarial instructions embedded in untrusted email bodies target the system’s tool-use decisions and policy constraints, especially around unauthorized send_email calls and data exfiltration (Cheng et al., 13 Mar 2026).
The lifecycle is explicitly multi-stage. LAAF models six stages—S1 Reconnaissance, S2 Logic-Layer Injection, S3 Trigger Execution, S4 Persistence/Reuse, S5 Evasion/Obfuscation, and S6 Trace Tampering—while ClawTrojan presents a five-step paradigm of recon or priming, plant, persist, trigger, and execute (Atta et al., 18 Mar 2026). A zero-trust formulation decomposes success probability as
making explicit that effective defenses can intervene at multiple phases rather than only at initial prompt ingestion (Huang et al., 17 Aug 2025).
A distinguishing feature is temporal decoupling. Single-turn prompt injection contaminates the current context. LPCI spreads across steps and files, persists across sessions, and re-enters the agent’s context as trusted-looking local state (Tan et al., 29 May 2026). The “last intervention point” therefore becomes critical: a defense must block no later than the first step after which the attack can no longer be prevented, and must prevent unsafe state from being committed for reuse (Tan et al., 29 May 2026).
3. Empirical evidence across agentic settings
Empirical work consistently shows that LPCI remains practical even when models appear robust to single-turn prompt injection. In an OpenClaw email-agent study, 649 attacks that succeeded against a single-agent baseline were used as a normalized evaluation pool. The baseline achieved 100% ASR on that pool; JSON formatting alone reduced ASR to 14.18% (92/649); two-agent isolation alone reduced ASR to 0.31% (2/649); and the full pipeline of isolation, JSON, and validation achieved 0.0% ASR (0/649). Across the full 22,899 deduplicated payloads, the single-agent baseline ASR was 2.83% with gpt-5-mini (Cheng et al., 13 Mar 2026).
Persistent, multi-step harness attacks are substantially harder than ordinary single-turn injections. In ClawTrojan, an OpenClaw-style local workspace with sandboxed files, memory, skills, and mocked tool returns, GPT-5.4 without defense reached 95.5% ASR and 92.2% mean penetration. By contrast, AgentDojo and InjecAgent produced near-zero ASR on the same model in the paper’s “External No-Defense Checks,” showing that strong models can resist single-turn attacks yet fail under persistent workspace-state attacks (Tan et al., 29 May 2026). DASGuard reduced GPT-5.4 step ASR from 95.5% to 15.8%, full-chain ASR to 5.9%, and mean chain penetration to 10.1%, at an average latency cost of about 31.0 seconds per step (Tan et al., 29 May 2026).
Automated red-teaming studies reinforce the same conclusion at larger search scale. LAAF defines a 49-technique taxonomy across Encoding, Structural, Semantic, Layered, Trigger/Timing, and Exfiltration categories, combinable across 5 variants per technique and 6 lifecycle stages for a theoretical maximum of 2,822,400 unique payloads. Across three runs on five production endpoints, LAAF reports a mean aggregate breakthrough rate of 84% with range 83–86%; platform-level rates remained stable within 17 percentage points across runs. Layered combinations and semantic reframing were the highest-effectiveness technique categories, while exfiltration techniques achieved surprising single-attempt breakthroughs in some settings (Atta et al., 18 Mar 2026).
MCP clients expose the same logic-layer vulnerability through tool-poisoning vectors. Across seven real clients and four attacks, Cursor was Unsafe on all four attacks, yielding 100% LPCI success across attacks; Claude Desktop had 0 Unsafe outcomes with 3 Safe and 1 Partial; Cline had 1 Unsafe outcome; Langflow had 0 Unsafe but 3 Partial outcomes (Huang et al., 23 Mar 2026). The observed failure modes were hidden-parameter exfiltration, priority-based unauthorized invocation, phishing via output formatting, and remote script execution. The paper attributes these failures to blind trust in tool metadata, low parameter visibility, weak or absent static validation, and lack of deterministic client-side enforcement (Huang et al., 23 Mar 2026).
Open-source chat models also remain vulnerable to logic-layer control even in non-persistent settings. On five attack benchmarks and fourteen open-source LLMs, ignore-prefix attacks broke all 14 models and achieved over 60% ASP on SAP10, while the hypnotism attack caused aligned models including StableLM2, Mistral, OpenChat, and Vicuna to generate objectionable behaviors with around 90% ASP (Wang et al., 20 May 2025). This evidence is not specific to persistent state, but it shows that instruction supersession, role redefinition, and ritualized response control remain powerful logic-layer mechanisms.
4. Formal models and benchmark design
The formal literature models LPCI as control-hijacking in composed prompt or agent trajectories. A foundational prompt-injection formalism defines a compromised data prompt
where the attacker manipulates the target-task data so that the model follows the injected instruction instead of the original instruction (Liu et al., 2023). Although this framework abstracts away persistent memory and tool routing, it directly captures logic-layer override and provides metrics such as Attack Success Score and Matching Rate for benchmarked evaluation (Liu et al., 2023).
Stateful harness work extends the formalism from prompt composition to runtime provenance. In ClawTrojan, execution is a trajectory , with content-source labels separating Trusted, Clean, and Untrusted content, detector score , attribution score , and a runtime policy that chooses Block, Preserve, or Sanitize before commit (Tan et al., 29 May 2026). The key enforcement principle is that untrusted data may be used as data, but it must not become future instructions or high-risk action targets unless the user clearly allows it (Tan et al., 29 May 2026).
Priority-aware API defenses model the prompt itself as a structured composition of segments with provenance and precedence. PCFI represents a request as system, developer, user, and retrieved-document segments, ordered by a priority lattice in which system dominates developer, developer dominates user, and user dominates retrieved content. The runtime enforces the dominance constraint that lower-priority segments cannot negate, override, or reinterpret higher-priority instructions; outcomes are ALLOW, SANITIZE, or BLOCK (Alam et al., 19 Mar 2026). This is a direct formalization of logic-layer integrity at the prompt-assembly boundary.
At the architectural scale, LPCI has also been formalized as a tuple , where 0 is the payload injection, 1 the trigger predicate, 2 the stealth against detectors, and 3 the damage mapping (Huang et al., 17 Aug 2025). In that formulation, LPCI succeeds when the effective controller deviates from policy and induces an action that violates system invariants such as memory integrity, provenance soundness, or tool-authorization constraints (Huang et al., 17 Aug 2025).
Benchmark design has evolved accordingly. Open-Prompt-Injection supplies target-task versus injected-task metrics across ten models and seven tasks (Liu et al., 2023). ClawTrojan emphasizes multi-step chain completion, last-chance interventions, and persistence-aware step environments (Tan et al., 29 May 2026). LAAF evaluates stage breakthroughs across lifecycle stages rather than isolated turns (Atta et al., 18 Mar 2026). This progression reflects a shift from prompt-level override to workspace-level and orchestration-level control compromise.
5. Defensive architectures and mitigation strategies
The strongest empirical results come from structural defenses that eliminate the direct path from untrusted content to privileged execution. In the OpenClaw email assistant, the proposed defense is a privilege-separated two-agent pipeline: a Reader that can only store_summary, and an Actor that can call send_email, get_pending_summary, and store_result but never sees raw email text. JSON formatting strips persuasive framing, and a validator scans summaries for email literals, tool-call syntax fragments, and trigger phrases. The central invariant is structural: the action agent never receives raw injection content regardless of model behavior on any individual input (Cheng et al., 13 Mar 2026).
Provenance-aware dynamic defense is the central idea in DASGuard. It detects control-like spans, attributes them by source, destination, role, and authorization, computes risk, and enforces block, preserve, or sanitize before commit. It persists cross-step state so that later reads of overlapping spans are marked as compromised, and for file writes it commits a sanitized shadow copy rather than the original artifact (Tan et al., 29 May 2026). The paper’s ablation shows that removing source labels causes catastrophic degradation, making provenance attribution the dominant mechanism (Tan et al., 29 May 2026).
At the API boundary, PCFI shows that priority-aware prompt mediation can be extremely lightweight. Its three-stage FastAPI middleware applies lexical heuristics, role-switch detection, and hierarchical policy enforcement to structured prompt segments. On its benchmark of 50 benign and 100 attack-labeled requests, Full PCFI intercepted all attack-labeled requests, maintained 0% False Positive Rate, and added only 0.04 ms median overhead, with p95 and p99 latencies of 0.08 ms and 0.14 ms (Alam et al., 19 Mar 2026).
For first-line screening, Mirror argues that strict data geometry can matter more than model scale. Using 5,000 strictly curated open-source samples arranged into a 32-cell mirror topology, a sparse character n-gram linear SVM compiled into a static Rust artifact achieved 95.97% recall and 92.07% F1 on a 524-case holdout at sub-millisecond latency, materially outperforming a 22-million-parameter Prompt Guard 2 baseline on the same holdout (Corll, 12 Mar 2026). The detector is explicitly scoped to control-plane attack mechanics—instruction override, roleplay jailbreak, meta-probe, exfiltration, adversarial suffix, indirect injection, obfuscation, and constraint bypass—rather than general content safety (Corll, 12 Mar 2026).
Tool-mediated and domain-specific systems require additional capability scoping. The MCP study recommends strict allowlists, signed and versioned manifests, explicit typed parameter schemas, deterministic egress controls, complete parameter visibility, user approval for high-risk actions, and execution sandboxing (Huang et al., 23 Mar 2026). In LLM-to-SQL systems, a layered ISS → TD → QSC architecture combines lexical prefiltering, semantic threat detection, and signature-based SQL gating; the TD+QSC pairing achieved Recall 100% across SQLi, completion, ignore, and combination attack classes, with F1 values in the 92.88–99.01% range and FPR about 2.70% (Motlagh et al., 11 May 2026).
At broader system scope, zero-trust proposals root LPCI mitigation in identity and provenance. A unified architecture based on DIDs, VCs, ANS discovery, Trust-Adaptive Runtime Environments, Causal Chain Auditing, and Dynamic Identity with Behavioral Attestation gives a bound
4
with enforcement distributed across discovery, access control, runtime containment, trust evaluation, and feedback layers (Huang et al., 17 Aug 2025). This is a formal statement of the same design principle seen empirically elsewhere: privilege, provenance, and persistence controls must be enforced outside the model.
6. Limitations, misconceptions, and future directions
A recurrent misconception is that stronger alignment against single-turn prompt injection implies resilience to LPCI. The opposite pattern is repeatedly documented: modern models can show near-zero ASR on InjecAgent and AgentDojo yet still fail at 95.5% ASR under ClawTrojan’s persistent workspace-state attacks (Tan et al., 29 May 2026). Likewise, JSON formatting, prompt hardening, or model-internal refusal heuristics can reduce susceptibility inside a single agent, but they do not remove the direct logic-layer path from untrusted text to tool calls (Cheng et al., 13 Mar 2026).
Benchmark scope remains a major limitation. ClawTrojan is synthetic and sandbox-local, with only 23 clean or borderline samples and 92 clean steps for calibration (Tan et al., 29 May 2026). LAAF’s evaluations used direct chat-completion contexts simulating RAG and memory posture rather than end-to-end RAG or memory interfaces (Atta et al., 18 Mar 2026). PCFI’s benchmark is synthetic and semi-realistic, and its single-request focus does not model multi-turn memory or tool chains (Alam et al., 19 Mar 2026). The original LPCI paper notes that results are a snapshot and that enterprise systems may differ from the public platforms tested (Atta et al., 14 Jul 2025).
Adaptive attacks are also underexplored. DASGuard did not test adaptive attacks engineered to exploit structured fields or cross-agent handoffs (Tan et al., 29 May 2026). LAAF identifies future directions including end-to-end RAG or memory experiments on deployed frameworks, formal verification of logic-layer policies, transferability matrices across platforms, multimodal LPCI taxonomy, and tool schema poisoning expansion (Atta et al., 18 Mar 2026). Zero-trust work similarly identifies open problems in formal verification of logic execution paths, hardware-based enclaves for memory integrity, and multi-agent propagation (Atta et al., 14 Jul 2025).
Terminology is still stabilizing. Several papers study the phenomenon without adopting the name LPCI, while one paper explicitly reinterprets “LPCI” as prompt-specific activation control for factual question answering rather than as a security vulnerability class (Chang et al., 28 May 2025). This suggests that the acronym is not yet fully standardized across subfields, even though the security literature has already converged on a recognizable core: control-plane takeover through memory, retrieval, orchestration, and tools.
The direction of travel is nevertheless consistent. The literature moves from flat-string prompt filtering toward structural defenses, provenance-aware runtime policy, privilege separation, deterministic hot-path screening, and identity-rooted zero-trust enforcement. Across these approaches, the central security question is no longer only whether a prompt is malicious, but whether untrusted content can become future instruction. That question defines LPCI’s practical and theoretical significance in contemporary agentic systems (Tan et al., 29 May 2026).