Papers
Topics
Authors
Recent
Search
2000 character limit reached

Termination Poisoning in LLM Agents

Updated 5 July 2026
  • Termination poisoning is a prompt-injection attack that manipulates an LLM agent's completion signals, leading to unbounded execution loops.
  • Researchers quantify its impact using metrics such as the Step Amplification Factor, revealing significant increases in execution steps across various agents.
  • Mitigation strategies include independent progress verification, robust termination safeguards, and provenance-aware context processing to decouple trusted from untrusted signals.

Termination poisoning denotes a class of attacks that corrupt the conditions under which a system decides that a process is complete. In the LLM-agent setting, it is defined as a prompt-injection threat in which “an adversary injects malicious content into the agent's operational context to corrupt the progress signals the agent uses to assess task completion, thereby preventing termination and inducing unbounded execution loops” (Xu et al., 7 May 2026). Closely related work shows that analogous logic appears outside agent loops: poisoning can make safety classifiers over-block benign behavior or fail to block harmful behavior (Huang et al., 15 Jun 2026), non-termination can be exposed by synthesizing malicious rule contexts for recursive programs (Fruehwirth, 2017), and the practical strength of some training-time poisons depends on whether they survive early stopping (Sandoval-Segura et al., 2022). This suggests that termination poisoning is best treated as a family of attacks on stopping criteria, completion judgments, or safety interlocks rather than as a single mechanism.

1. Definition and conceptual scope

In its most specific current usage, termination poisoning is an attack on control flow rather than on output content. The target is not primarily the model’s answer, but the internal or external signal that determines whether iterative execution should stop. In "LoopTrap: Termination Poisoning Attacks on LLM Agents" (Xu et al., 7 May 2026), the success condition is expressed as

T>αT,T' > \alpha \cdot T,

where TT is the benign termination step and TT' is the attacked step count. The principal metric is the Step Amplification Factor,

SAF=TT.\text{SAF} = \frac{T'}{T}.

This definition places termination poisoning alongside other semantic attacks on decision criteria. The distinguishing feature is that the attacker manipulates a system into believing the task remains incomplete, rather than merely slowing execution or flooding resources. The same paper explicitly distinguishes the threat from brute-force resource exhaustion and sponge-style attacks: the attack is semantically stealthy because the agent is induced to continue for reasons that appear task-relevant (Xu et al., 7 May 2026).

The broader literature does not use the term uniformly. "Rapid Poison" does not use the phrase “termination poisoning,” but it describes poisoning-induced failures of a safety interlock that can either terminate benign behavior incorrectly or fail to terminate harmful behavior when it should (Huang et al., 15 Jun 2026). "Poisons that are learned faster are more effective" studies poisoning under training termination, especially early stopping, rather than attacks on a deployed termination decision (Sandoval-Segura et al., 2022). "A Devil's Advocate against Termination of Direct Recursion" addresses program non-termination via synthesized malicious rules in CHR, not ML poisoning, but it is conceptually adjacent because termination itself is the manipulated property (Fruehwirth, 2017). The result is a terminological field with a precise core meaning in LLM-agent research and broader neighboring usages in security, learning dynamics, and formal methods.

A common misconception is to equate termination poisoning with any prompt injection that increases latency. The narrower definition requires interference with a completion judgment, a stopping rule, or an equivalent progress signal. Another misconception is to treat it as synonymous with backdoors or data poisoning in general. Related poisoning attacks may affect labels, representations, or safety decisions, but they become termination poisoning only when the poisoned mechanism controls whether computation halts, blocks, refuses, or continues.

2. Mechanism in iterative LLM agents

Modern LLM agents typically operate in an execution loop that repeatedly perceives environment or tool outputs, reasons over observations, acts via tools or APIs, and self-evaluates progress toward completion (Xu et al., 7 May 2026). Termination can be governed either by explicit self-evaluation or by implicit completion detection. In both cases, the stopping signal is derived from the same LLM reasoning engine that also processes retrieved or tool-supplied context. That architectural coupling is the core vulnerability.

The threat model in "LoopTrap" is an indirect prompt injection setting. The adversary can modify at least one external source the agent is likely to access, including web pages, documents in a knowledge base, API responses from third-party services, shared files, or malicious skills and shared tools. The adversary knows the task type, but cannot access the system prompt, internal memory, model weights, agent code, tool definitions, or orchestration logic, and cannot adapt mid-run after observing execution (Xu et al., 7 May 2026). The attack is therefore black-box, asynchronous, and context-mediated.

The causal chain is straightforward. The agent retrieves external content during normal execution; malicious instructions embedded in that content alter the progress signals or heuristics used for completion assessment; the agent concludes that more verification, sub-goals, refinement, or cross-checking is required; and the loop continues after the original task is already complete. The security consequence is amplified or effectively unbounded computation, with downstream risks that include denial-of-wallet, denial-of-compute, task disruption, service degradation, and alert fatigue (Xu et al., 7 May 2026).

The vulnerability is especially acute for open-ended tasks because completion criteria are often soft. Coverage, thoroughness, verification depth, confidence, and source diversity are all partially subjective. This makes it possible for malicious context to redefine what counts as “done,” fabricate new obligations, or create regressions in which each act of verification requires another act of verification. A plausible implication is that agent autonomy increases the attack surface precisely because it internalizes a stopping problem that older software often handled through explicit hard-coded criteria.

3. Attack taxonomy and behavioral signatures

The most detailed taxonomy currently available is the one introduced in "LoopTrap," which organizes ten representative attack strategies into four manipulation surfaces (Xu et al., 7 May 2026). Progress Manipulation includes P1 Expanding Horizon, P2 Incremental Milestone, and P3 Diminishing Returns. Cognitive Bias Exploitation includes P4 Authority Override, P5 Sunk Cost Trap, and P6 Social Proof. Task Structure Manipulation includes P7 Recursive Decomposition and P8 Dependency Chain. Reward Shaping includes P9 Positive Reinforcement and P10 Gamification Trap.

These strategies are not treated as interchangeable templates. The paper characterizes agents through four vulnerability dimensions:

d=(dphase,dauth,drecur,dverify).\mathbf{d} = (d_\text{phase}, d_\text{auth}, d_\text{recur}, d_\text{verify}).

Here, Phase Compliance captures susceptibility to phased workflows; Authority Compliance captures deference to injected directives framed as authoritative; Recursive Susceptibility captures tendency to enter recursive self-evaluation loops; and Verification Tendency captures inclination toward exhaustive validation or refinement before stopping (Xu et al., 7 May 2026).

LoopTrap operationalizes these dimensions through lightweight probing. For each dimension dd, it computes

amp(d)=Tinject(d)max(Tclean(d),  1),\text{amp}(d) = \frac{T_\text{inject}(d)}{\max(T_\text{clean}(d),\; 1)},

and then normalizes the result as

s(d)=min ⁣(amp(d)τ,  1.0),s(d) = \min\!\left(\frac{\text{amp}(d)}{\tau},\; 1.0\right),

with τ=5.0\tau = 5.0 in the experiments. The resulting profile is

p=(sphase,sauth,sverify,srecur).\mathbf{p} = (s_\text{phase}, s_\text{auth}, s_\text{verify}, s_\text{recur}).

This profile induces a prior over attack strategies:

TT0

LoopTrap then combines that prior with a UCB-style strategy-selection rule,

TT1

and a skill-routing score,

TT2

The technical significance of this formulation is that termination poisoning is not modeled as a single universal exploit. It is instead a structured interaction between attack mechanism, task context, and target-specific behavioral tendencies. The paper’s case studies reinforce this point: generic injections are often ignored as irrelevant, whereas task-grounded, profile-aligned prompts can induce long verification cycles (Xu et al., 7 May 2026).

4. Empirical evidence in LLM-agent systems

The main empirical study in "LoopTrap" spans 8 agents and 60 tasks from GAIA, using a unified ReAct-style framework and a simulated tool environment to control for external variability (Xu et al., 7 May 2026). The evaluated targets are Gemini-3-Pro, GPT-4o, GPT-4o-mini, DeepSeek-R1, Kimi-K2-Thinking, GLM-5, Grok-4, and Claude Sonnet 4.5. The metrics are Attack Success Rate (ASR), Step Amplification Factor (SAF), Token Amplification Factor (TAF), and Episodes to First Success (EFS).

With the ten static manually designed strategies alone, the paper reports an average SAF of TT3 across all agents. The strongest average individual strategies are P9 Positive Reinforcement at TT4, P4 Authority Override at TT5, P5 Sunk Cost Trap at TT6, and P1 Expanding Horizon at TT7 (Xu et al., 7 May 2026). These numbers show that termination poisoning is already broadly viable without target-specific synthesis.

LoopTrap strengthens these results through profiling, adaptive synthesis, reflection, and skill reuse. The reported averages are 86.3\% ASR, TT8 SAF, TT9 TAF, and a peak amplification of TT'0 (Xu et al., 7 May 2026). It also reaches 79\% cumulative ASR within 5 episodes and 86.3\% by episode 16. Against baselines, the average SAF values are 2.14 for Static-Random, 2.19 for Rotate-All, 2.55 for LLM-Direct, 2.61 for Static-Best, 2.95 for NoProfile, and 3.57 for LoopTrap. The paper states that LoopTrap exceeds the strongest static baseline by 0.96× SAF and 14.6 percentage points ASR.

The reported agent profiles are differentiated rather than uniform. GPT-4o is described as phase-compliant, Kimi-K2-Thinking as strongly authority-compliant, Claude Sonnet 4.5 as highly recursively susceptible, and Grok-4 as broadly vulnerable and especially verification-prone (Xu et al., 7 May 2026). This supports the claim that attack success is predicted by stable behavioral signatures rather than by random prompt sensitivity.

The case studies illustrate how task grounding matters. On an ASEAN-capitals task, a generic P1 injection produced only TT'1 amplification, whereas a task-structured P2 injection produced 24 steps from a baseline of 6, i.e. TT'2 amplification. On a sports-statistics task, generic P7 caused TT'3 amplification, while a task-specific P3 framing produced 10 steps from a baseline of 4, i.e. TT'4. On a multi-hop fact-verification task, generic P1 yielded TT'5, while a precision-oriented cross-source directive produced 10 steps, i.e. TT'6 (Xu et al., 7 May 2026). The pattern is consistent: semantically plausible, task-specific manipulations are more effective than domain-agnostic ones.

Termination poisoning has close analogues in adaptive safety pipelines. In "Rapid Poison," the target is a continuously retrained jailbreak detector in the Rapid Response framework. The paper does not use the term “termination poisoning,” but it explicitly motivates a related interpretation: poisoning can make the safety system terminate benign behavior incorrectly or fail to terminate harmful behavior when it should (Huang et al., 15 Jun 2026). The attacker modifies only jailbreak references, not benign data or labels, and uses prompt injection at the proliferation stage to turn a few references into many poisoned training samples. At only a 1\% poisoning rate, corresponding to 18 poisoned references, the attacks achieve up to 100\% false positive rates and up to 96\% false negative rates. The paper’s Omission Attack is especially notable because it exploits the phenomenon that “when training on concept-absent unsafe samples, the classifier misassociates that concept’s presence with the safe label” (Huang et al., 15 Jun 2026). In operational terms, this is a poisoning-induced failure of a safety stop condition.

A second neighboring literature concerns poisoning under training termination. "Poisons that are learned faster are more effective" studies availability poisoning on CIFAR-10 and argues that early stopping is a simple yet effective defense (Sandoval-Segura et al., 2022). The central empirical result is that poisons that reach low training loss faster have lower peak test accuracy over training, meaning they remain harmful even if the defender stops early. Conversely, some poisons look devastating only at the final checkpoint. The paper’s flagship example, P250, has final test accuracy TT'7 but peak test accuracy TT'8, and is reported to be 7 times less effective when training is stopped at epoch 8 (Sandoval-Segura et al., 2022). This is not termination poisoning in the LoopTrap sense, because the attacked object is not a deployed stopping rule. It is, however, directly about the relation between poisoning and termination behavior during optimization.

A third adjacent line comes from formal methods. "A Devil's Advocate against Termination of Direct Recursion" constructs devil’s rules for self-recursive CHR rules, yielding malicious fragments that can witness or force non-termination (Fruehwirth, 2017). The construction is syntax-directed and “involves no guessing.” The paper proves that all maximally vicious computations of a recursive rule and its devil’s rules are either non-terminating or end in a failed state, and that if the devil’s rules do not exhibit an infinite computation, the recursive rule is unconditionally terminating (Fruehwirth, 2017). This is not ML poisoning, but it is conceptually close: termination is turned into an adversarially manipulable property by adding hostile context.

Taken together, these literatures show that “termination poisoning” has both a narrow and a broad reading. Narrowly, it denotes prompt-injection attacks on the stopping judgment of iterative LLM agents. Broadly, it can describe poisoning or adversarial context that causes over-termination, under-termination, or non-termination in systems whose behavior depends on learned or symbolic completion criteria.

6. Mitigation, remediation, and open issues

Defensive work remains limited relative to the attack surface. "LoopTrap" suggests several mitigations but states explicitly that defenses are not comprehensively evaluated (Xu et al., 7 May 2026). The proposed directions include robust termination safeguards, progress signal verification via an independent sandboxed module, objective completion criteria where possible, provenance-aware context processing that separates trusted instructions from retrieved text, differential weighting of trusted versus untrusted signals, and practical step ceilings and rate limits. These suggestions follow directly from the threat model: if termination decisions are computed by the same model over the same untrusted context, then decoupling, verifying, or bounding that decision is the natural response.

"Rapid Poison" provides a more concrete but still incomplete defense picture. An input-side prompt-injection detector and sanitizer modeled after PromptArmor, using Gemini 2.5 Flash Lite, achieved 3.8\% FPR on clean references and 10.3\% aggregate FNR on poisoned references, with some attack templates substantially harder; sanitation was also lossy, with 35\% of true positives over-removed to empty strings and 56\% retaining structural artifacts (Huang et al., 15 Jun 2026). Replacing the proliferation model with Meta SecAlign 70B cut professional-law target-domain FPR from 98\% to 0\% in that setting. The same paper cautions, however, that these attacks are static handcrafted injections and likely a lower bound, and that prompt-injection hardening is necessary but not sufficient (Huang et al., 15 Jun 2026).

For persistent poisoning effects after deployment or after a poisoning incident, "Potion: Towards Poison Unlearning" studies post hoc mitigation when only a subset of poisoned samples is known (Schoepf et al., 2024). Its setting is BadNet-style trigger poisoning rather than termination poisoning per se, but the remediation problem is relevant whenever poisoned stopping behavior persists in a trained model or safety gate. The paper introduces XLF, an outlier-resistant SSD-based method, and PTN search, a hyperparameter search procedure exploiting the “unlearning versus model protection” trade-off. Across its benchmarks, XLF + PTN heals 93.72\% of poison compared to 83.41\% for SSD and 40.68\% for full retraining, while lowering average model accuracy drop from 5.68\% to 1.41\% (Schoepf et al., 2024). This suggests that when poisoning has already altered a termination-relevant classifier or backdoor-sensitive model, retraining on partially cleaned data may be insufficient; direct parameter editing can be more effective under partial discovery.

Several open problems remain. One is the design of robust external stopping criteria for open-ended tasks, where objective completion checks are difficult. Another is the extension from single-agent systems to multi-agent settings, where poisoned progress signals may propagate across agents (Xu et al., 7 May 2026). A third is provenance-aware orchestration that preserves the utility of retrieved context without letting it redefine stopping logic. A broader implication is that safety filters, autonomous agents, and continuously retrained defenses all become more fragile when they collapse execution, evaluation, and termination into a single learned reasoning channel.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Termination Poisoning.