LoopTrap: Automated Termination Poisoning Attacks
- LoopTrap is an automated framework that targets LLM agents’ termination judgments, crafting attacks to artificially extend task execution.
- It quantifies attacks using step and token amplification factors (SAF and TAF), offering measurable insights into execution control degradation.
- The system leverages behavioral profiling, strategy selection, and reflective refinement to synthesize prompt injections, highlighting defense challenges in autonomous agents.
Searching arXiv for the specified papers and closely related monitoring work. I’m checking arXiv records for LoopTrap and related long-horizon agent monitoring papers. LoopTrap is an automated red-teaming framework for synthesizing termination poisoning attacks against autonomous LLM agents. In the formulation introduced by the paper, the central vulnerability is not primarily answer content, tool misuse, or secret extraction, but the agent’s termination judgment: the same model that reads untrusted retrieved context often also decides whether the task is complete. By injecting malicious content into that operational context, an adversary can corrupt the progress signals used for self-evaluation, causing the agent to continue reasoning, searching, verifying, and calling tools long after the original task has actually been solved. The paper formalizes this with the termination step under benign execution, , and under attack, , and defines success when , with practical evaluation using . The corresponding Step Amplification Factor is (Xu et al., 7 May 2026).
1. Threat model and problem formulation
LoopTrap is situated in the setting of modern LLM agents that operate in iterative execution loops: they perceive environment or tool outputs, reason over the current context, choose and execute an action, and then self-evaluate progress to determine whether execution should stop. The paper emphasizes that this stopping signal may arise either from explicit self-evaluation—such as “am I done?”—or from implicit completion detection in the model’s own behavior. In either case, the termination decision is derived from reasoning over a context that may contain webpages, documents, API outputs, plugin or tool descriptions, or other untrusted artifacts (Xu et al., 7 May 2026).
The paper defines Termination Poisoning as an attack in which an adversary injects malicious content into the agent’s operational context so as to corrupt the progress signals the agent uses to assess task completion, thereby preventing termination and inducing unbounded execution loops. Operationally, the paper does not require literal infinite looping in every experiment; instead, it measures substantial amplification of execution length, and also evaluates Token Amplification Factor (TAF) to capture billing and compute overhead. This reframes agent security as a control-flow integrity problem rather than only an output-integrity problem (Xu et al., 7 May 2026).
The adversary model is a constrained indirect prompt injection setting. The adversary cannot modify the system prompt, internal memory, model weights, code, tool definitions, or orchestration logic, and cannot adapt online based on the live trace. The adversary can, however, place malicious instructions into at least one external source the agent is likely to retrieve, such as a webpage, knowledge-base document, file, third-party API response, or a malicious shared skill, plugin, or tool description. The paper assumes knowledge of the task type, but not internal access. Under these assumptions, LoopTrap targets the stopping mechanism itself rather than the agent’s final answer or tool outputs (Xu et al., 7 May 2026).
A core distinction in the paper is that termination poisoning differs from both standard jailbreaks and brute-force denial-of-service. Standard prompt injection work mostly attacks content outcomes—for example, tool hijacking, hidden-data extraction, bypass of safety rules, or answer steering. Brute-force sponge-like attacks inflate cost by forcing pathological inputs or excessively long generations. Termination poisoning instead attempts to make the agent genuinely believe the task is not yet complete. Because the extra computation is justified by the agent’s own progress logic, the paper argues that it is harder to detect through simple output filtering or abnormal-input heuristics (Xu et al., 7 May 2026).
2. Attack taxonomy and behavioral signatures
The paper characterizes termination poisoning through 10 representative attack strategies organized into four manipulation surfaces. These are attacker-side mechanisms for poisoning self-evaluation:
- Progress Manipulation:
P1: Expanding Horizon gives the agent a moving completion target; P2: Incremental Milestone converts a simple task into an open-ended sequence of phases; P3: Diminishing Returns frames the agent as almost complete but not yet done.
- Cognitive Bias Exploitation:
P4: Authority Override fabricates an authoritative or system-level requirement; P5: Sunk Cost Trap argues that stopping would waste prior effort; P6: Social Proof invokes purported norms such as external standards for thoroughness.
- Task Structure Manipulation:
P7: Recursive Decomposition induces self-verification of verification; P8: Dependency Chain introduces circular prerequisites.
- Reward Shaping:
P9: Positive Reinforcement praises continuation; P10: Gamification Trap invents a score and frames the current state as substandard (Xu et al., 7 May 2026).
The paper’s empirical study argues that these strategies are mediated by stable agent-specific behavioral signatures rather than functioning as isolated prompt templates. It therefore introduces four vulnerability dimensions:
- Phase Compliance: , propensity to adopt externally suggested phased execution plans.
- Authority Compliance: , tendency to follow injected authoritative directives.
- Recursive Susceptibility: , tendency to enter recursive self-evaluation loops.
- Verification Tendency: , inclination toward exhaustive validation or refinement before terminating.
The resulting behavioral profile is represented as
In the empirical characterization, each dimension is derived by aggregating the proportion of associated strategies whose SAF exceeds 0. The reported profiles show differences across models: GPT-4o has high 1 but low 2; Kimi-K2-Thinking has very high 3; Claude Sonnet 4.5 has especially high 4; and Grok-4 has high 5 (Xu et al., 7 May 2026).
The static strategy study already shows that strategy-task fit matters. Across 8 agents and 60 GAIA tasks, even simple manual attack templates achieved an average 2.336 step amplification. The paper reports that P9 Positive Reinforcement averaged 2.717 and P4 Authority Override averaged 2.568 across agents. It also reports that GPT-4o-mini had the highest overall static vulnerability with average 3.509 SAF, Grok-4 ranked second at 3.360, and GLM-5 was the most resistant at 1.311 (Xu et al., 7 May 2026).
3. Framework architecture
LoopTrap itself is a three-stage system: Behavioral Vulnerability Fingerprinting, Profile-Guided Trap Synthesis, and Reflective Skill Evolution (Xu et al., 7 May 2026).
In Behavioral Vulnerability Fingerprinting, LoopTrap constructs a lightweight behavioral profile of the target agent using four diagnostic probes, one per vulnerability dimension. Each probe combines a trivial anchor task—such as “What is the capital of France?”—with a dimension-specific injection embedded in retrieved context. Because the anchor task is answerable in 1–2 steps, extra steps under injection are attributed to behavioral susceptibility rather than task complexity. For each dimension 2, the clean and injected step counts are 3 and 4, and the paper defines
5
with 6. The resulting profile is
7
The profiling stage requires only 8 executions total: 4 clean + 4 injected (Xu et al., 7 May 2026).
LoopTrap then maps this profile into a strategy prior. If strategy 8 exploits a set of dimensions 9, its prior is
0
This yields a first ranking over strategies before active attack attempts begin (Xu et al., 7 May 2026).
The second stage, Profile-Guided Trap Synthesis, is the active attack loop. Strategy selection combines profile alignment, historical performance, and exploration. If a matching skill already exists in the evolving skill library, it is used with probability 1; otherwise the system falls back to strategy-level selection. The paper sets 2. At the strategy level, the paper uses a UCB-style selection rule with historical mean amplification 3, total episode count 4, strategy count 5, and profile prior 6, with implementation constants 7 and 8. The paper notes that the printed equation appears slightly malformed, but states clearly that the intended mechanism balances exploitation, exploration, and profile match (Xu et al., 7 May 2026).
Candidate generation conditions on four inputs: the selected strategy and its mechanism, the natural-language summary of the target profile, the full task context, and a scratchpad of prior reflections from failures in the current episode. If a matching skill exists, its parameterized action template is also provided. Generated attacks must resemble content that could naturally appear in retrieved context, such as a webpage, file, or API response. A self-scoring step ranks candidates according to behavioral alignment, contextual plausibility, and trap potency. The paper describes this qualitatively rather than with an explicit formula (Xu et al., 7 May 2026).
If an injected candidate does not achieve the success threshold, LoopTrap performs within-episode reflective refinement. The reflection module consumes the failed prompt, the target agent’s execution trace, and the observed amplification, and returns a failure hypothesis, an agent behavior analysis, and a revision direction. These reflections are appended to the scratchpad and used in subsequent attempts. Each episode allows up to 9 attempts, with 0 candidate prompts generated per attempt (Xu et al., 7 May 2026).
The third stage, Reflective Skill Evolution, accumulates knowledge across episodes. Successful attacks are abstracted into a skill record with seven fields: source strategy, trigger condition, causal insight, action template, slot bindings, failure modes, and concrete examples. Similar skills are merged using Jaccard overlap on tool sets and task categories. For routing, each skill receives a score
1
with 2, 3, 4, and 5. Failed episodes also produce a trajectory-level reflection summarizing why the strategy failed on that kind of agent and task (Xu et al., 7 May 2026).
4. Evaluation protocol and empirical performance
The evaluation uses 8 target agents—Gemini-3-Pro, GPT-4o, GPT-4o-mini, DeepSeek-R1, Kimi-K2-Thinking, GLM-5, Grok-4, and Claude Sonnet 4.5—embedded in a unified ReAct-style agent framework with a consistent tool set. To reduce confounds, the study uses a simulated tool environment rather than live external APIs. The task set is a stratified sample of 60 GAIA tasks, preserving category distribution, and the appendix also reports experiments on LangChain and LangGraph to show that the phenomenon is not tied to a single scaffold (Xu et al., 7 May 2026).
For the main LoopTrap evaluation, every method receives a budget of 20 attack episodes per agent-task pair, with up to 6 refinement attempts and 7 candidates per attempt. Success is defined as 8. Each experiment is repeated over 10 independent runs. Baselines include Static-Best, Static-Random, Rotate-All, LLM-Direct, and NoProfile (Xu et al., 7 May 2026).
The main aggregate results are as follows:
| Method | ASR | SAF |
|---|---|---|
| LoopTrap | 86.3% | 3.579 |
| Static-Best | 71.7% | 2.610 |
LoopTrap therefore improves on the strongest static baseline by 14.6 percentage points in ASR and 0.961 in SAF. The paper also reports a peak amplification of 252 and an average TAF of 3.933, indicating that token inflation is even larger than step inflation (Xu et al., 7 May 2026).
Per-agent performance is broad but nonuniform. Reported SAFs are: Gemini-3-Pro 4.31, GPT-4o 3.73, GPT-4o-mini 3.87, DeepSeek-R1 4.22, Kimi-K2-Thinking 3.34, GLM-5 2.61, Grok-4 4.07, and Claude Sonnet 4.5 2.49. GPT-4o-mini reaches the highest ASR at 98.3%, GPT-4o reaches 96.7%, and GLM-5 is the hardest target with 71.8% ASR and 2.614 SAF. The corresponding TAF values are higher still, including Gemini-3-Pro at 4.74, DeepSeek-R1 4.64, Grok-4 4.48, GPT-4o-mini 4.26, GPT-4o 4.10, and average 3.93 (Xu et al., 7 May 2026).
The strategy-distribution analysis supports the behavioral-profiling hypothesis. Successful attacks on GPT-4o are disproportionately P1 Expanding Horizon and P2 Incremental Milestone, consistent with high phase susceptibility. Kimi-K2-Thinking is attacked mostly through P4 Authority Override and P6 Social Proof, fitting high authority compliance. Claude Sonnet 4.5 shows more use of P3 Diminishing Returns and P10 Gamification Trap. GPT-4o-mini shows high frequencies of P1 and P7, indicating that the adaptive policy does not simply collapse onto one strategy (Xu et al., 7 May 2026).
Efficiency under limited query budgets is also reported. In cumulative-ASR analysis, LoopTrap reaches 79% ASR within the first 5 episodes and its final 86.3% by episode 16. Static-Best plateaus immediately at 71.7%, and Rotate-All grows roughly linearly and ends substantially lower. The ablations attribute gains to several components: removing fingerprinting (NoProfile) lowers ASR from 86.3% to 81.8% and SAF from 3.57 to 2.95; removing within-episode reflection drops ASR by 6.2 percentage points; removing the skill library drops ASR by 7.9 points; and replacing exploration with pure greedy exploitation lowers ASR by 6.1 points (Xu et al., 7 May 2026).
5. Interpretation, limitations, and defensive implications
LoopTrap’s main conceptual contribution is to treat the LLM agent as a closed-loop control system whose stopping criterion can be adversarially steered. The paper argues that once agents become more autonomous, control-flow integrity matters as much as output integrity. In this sense, the novelty is both conceptual and technical: termination is framed as a first-class attack surface, and stable behavioral dimensions—authority, phased progression, verification, and recursion—are used to guide automated attack synthesis (Xu et al., 7 May 2026).
The paper also identifies several limitations. The four vulnerability dimensions are derived from 10 strategies and 8 models, so future architectures may exhibit additional susceptibilities. The evaluation uses a simulated tool environment, which improves experimental control but leaves open how the attacks interact with noisier real-world systems. The self-scoring mechanism is described conceptually but not with a formal equation. The paper also does not define expected utility or loop continuation probabilities, and does not present a formal unseen-agent or unseen-task split in the evaluation tables, even though transfer is argued through profiling and the reusable skill library (Xu et al., 7 May 2026).
The defense discussion is explicitly preliminary. The paper proposes robust termination mechanisms, especially progress signal verification, in which an independent, sandboxed verifier checks whether the task is objectively complete before more execution is allowed. It also proposes provenance-aware context processing, including strict separation between trusted instructions and untrusted retrieved content, and weighting progress signals differently by source. More broadly, the results imply the need for bounded execution and explicit step ceilings in production deployments. The paper also notes that practical mitigations would naturally include context sanitization of retrieved tool or web content, architectural separation between planner and stopper, and external verifiers for completion criteria (Xu et al., 7 May 2026).
A common misconception addressed by the paper is that excess agent cost is mainly a consequence of malformed inputs or excessively long generations. LoopTrap instead shows a semantically subtler mechanism: the agent can continue because it has been induced to believe, through its own internal progress logic, that the task is not finished. Another misconception is that prompt injection is only about answer hijacking. In the LoopTrap framing, retrieved content can manipulate when the agent stops, even if the final answer is not the primary target (Xu et al., 7 May 2026).
6. Related research and terminological distinctions
LoopTrap is directly about termination poisoning in long-horizon LLM agents, but it is also closely related to work on post hoc monitoring of long-horizon agent trajectories. TRACE—Trajectory Reasoning through Adaptive Cross-Step Evidence Aggregation—addresses the overlapping problem of detecting trajectory-level failure or sabotage when harmful behavior is only visible after linking multiple individually benign-looking steps over time. TRACE operates over a completed trajectory 5 and performs trajectory-level binary classification 6. Its TIJ (Triage-Inspect-Judge) loop, pattern windows over non-adjacent steps, and cross-window evidence propagation are not loop detectors in the narrow sense, but they are highly relevant to LoopTrap-style monitoring because repeated redundant actions, cyclic justifications, stalled progress, repeated biased choices, deferred exploitation, or stepwise concealment are the kinds of long-range patterns that one-shot or fixed-window monitors struggle to connect (Mittapalli et al., 5 Jun 2026).
The two papers address different sides of the same systems problem. LoopTrap characterizes and synthesizes attacks that distort the agent’s stopping logic; TRACE studies monitoring of full execution traces in which malicious patterns are temporally distributed. TRACE reports an aggregate F1 of 0.713 and recall of 0.844 on ten SHADE-Arena task domains, with the largest gains on tasks requiring long-range evidence linking. This suggests that adaptive cross-step evidence aggregation is a plausible monitoring complement for LoopTrap-style attack surfaces, although TRACE does not provide explicit formal models of state recurrence, progress monotonicity, redundancy, or cycle detection (Mittapalli et al., 5 Jun 2026).
The term “LoopTrap” should also be distinguished from other works with related names. TRAP—“TRAP: Hijacking VLA CoT-Reasoning via Adversarial Patches”—is a targeted adversarial patch framework for CoT-based Vision-Language-Action models. It attacks intermediate CoT reasoning, such as subtasks, bounding boxes, or visual traces, in order to hijack robot actions without modifying the user instruction. That work concerns reasoning-enabled robotic manipulation rather than LLM-agent termination poisoning (Huang et al., 24 Mar 2026). A much earlier and unrelated line of work studies feedback traps in experimental physics, where closed-loop control is used to manipulate Brownian particles and an extended recursive least-squares algorithm is embedded in the loop for real-time calibration over hours. That usage concerns electrokinetic feedback control, not adversarial prompt-based attack synthesis (Gavrilov et al., 2014).
Taken together, these distinctions matter because “trap” terminology spans multiple technical domains. In the specific sense established by the 2026 paper, LoopTrap denotes an automated red-teaming framework for crafting indirect prompt injections that manipulate an LLM agent’s termination judgment, producing measurable step amplification, token amplification, and systematic control-flow degradation under realistic black-box constraints (Xu et al., 7 May 2026).