Papers
Topics
Authors
Recent
Search
2000 character limit reached

Vulnerable Agent Identification (VAI)

Updated 12 July 2026
  • VAI is a family of identification problems that targets entities whose vulnerabilities can critically affect technical, security, and ethical outcomes in systems ranging from machine learning to large-scale infrastructure.
  • It employs multi-stage, context-aware methodologies integrating candidate representations, evidence-based analysis, and ranking criteria to pinpoint vulnerabilities across disparate domains.
  • Practical applications include fairness analysis in AI, detection of vulnerable commits in software repositories, and risk prioritization in multi-agent and IoT systems.

Vulnerable Agent Identification (VAI) is used in the literature to denote the identification of entities whose vulnerability, compromise, or context-sensitive status has decisive technical, security, or ethical consequences. In the materials surveyed here, the phrase is applied to several non-identical problem settings: identifying vulnerable individuals or groups in machine learning decision systems, identifying vulnerable devices and infrastructure entities, identifying vulnerable commits, fixes, and code weaknesses in software repositories, and identifying the subset of agents whose compromise would most severely degrade a multi-agent system (Strümke et al., 2022, Greis et al., 2021, Chen et al., 7 Jul 2026, Li et al., 18 Sep 2025). This suggests that VAI is best understood as a family of identification problems rather than a single standardized task.

1. Terminological scope and recurrent problem formulations

A common misconception is that VAI refers only to LLM agent applications. The surveyed literature is broader. It includes fairness-oriented analysis of prediction models, software vulnerability analysis, identity and delegation protocols for agent ecosystems, cyber-defense mechanisms for offensive agents, and combinatorial identification problems in large-scale control and infrastructure systems. This suggests that the shared core is not the type of entity being analyzed, but the need to determine which entities are vulnerable, vulnerability-inducing, or disproportionately consequential under failure or compromise (Strümke et al., 2022, Mittelsteadt et al., 21 May 2026).

Domain Identified object Representative framing
Machine learning fairness and XAI vulnerable individuals or groups “a vulnerable group may be vulnerable in one context but not in another” (Strümke et al., 2022)
Software security vulnerability-inducing commits, vulnerability-fixing commits, CWEs “multi-stage reasoning”, “hypothesis validation”, and an “evidence-driven auditing process” (Chen et al., 7 Jul 2026, Wang et al., 15 Sep 2025, Meng et al., 11 Mar 2026)
Agent ecosystem security agent applications, skills, mobile agents, data agents “security analysis system for LLM agent applications”, “26.1% of skills contain at least one vulnerability”, “two unique attack surfaces”, and “eight data agent-specific risks” (Zhang et al., 24 Mar 2026, Liu et al., 15 Jan 2026, Zhang et al., 1 Jul 2026, Wang et al., 7 Jun 2026)
Large-scale systems subset of agents or entities whose failure maximizes damage “identify the subset of agents whose compromise would most severely degrade overall performance” and “K-most vulnerable entities” (Li et al., 18 Sep 2025, Roy et al., 2020)

Across these settings, the problem often has three elements: a representation of candidate entities, an analysis mechanism that integrates context rather than relying on one-shot inspection, and a decision rule or ranking criterion that exposes the most consequential vulnerabilities. That pattern appears in fairness analysis, repository-level auditing, attack-graph generation, and mean-field control formulations (Strümke et al., 2022, Gandhi et al., 3 Jun 2025, Li et al., 18 Sep 2025).

2. Context-sensitive vulnerability in machine learning decision systems

In machine learning fairness, vulnerability is not treated as identical to protected status. “Unlike protected groups, which can be regarded as always vulnerable, a vulnerable group may be vulnerable in one context but not in another” (Strümke et al., 2022). That distinction is central because it makes vulnerability context-dependent rather than fixed by category membership alone.

The same work places VAI-like analysis at the intersection of fairness and explainable artificial intelligence. Machine learning fairness is described as focusing on “the just treatment of individuals and groups under information processing with machine learning methods,” while XAI is concerned with answering the question “why was this decision made?” (Strümke et al., 2022). The paper argues that “neither existing fairness nor existing explainability methods allow us to ascertain if a prediction model identifies vulnerability,” even though identifying vulnerable individuals or groups may itself become “an ethical issue” (Strümke et al., 2022).

This framing matters because it shifts the target of analysis from discrimination alone to contextual exposure. A plausible implication is that VAI in this setting is not merely a post hoc explanation problem and not merely a protected-group fairness problem; it is a question of whether the model operationalizes vulnerability itself. The source discusses this as a distinct analytical gap rather than as a solved extension of fairness or XAI (Strümke et al., 2022).

3. Repository-, commit-, and CWE-level identification workflows

In software security, VAI is closely associated with staged, agentic, and context-sensitive workflows for detecting vulnerable code, vulnerability-inducing commits, vulnerability-fixing commits, and CWEs. These systems are explicitly designed to avoid the failure modes of one-shot prediction and shallow similarity scoring.

For vulnerability-inducing commit detection, VIC-RAGENT defines a four-stage pipeline: “Stage 0: Preparation (Representation Construction),” “Stage 1: Preliminary Inspection (High Recall Candidate Generation),” “Stage 2: Reanalysis (Refinement & Knowledge Augmentation),” and “Stage 3: Final Decision (Aggregation & Conservative Verification)” (Chen et al., 7 Jul 2026). Its specialized roles include Code Analyst (CA), Target Analyst (TA), Vulnerability Inspector (VI), Document Specialist (DS), and Audit Supervisor (AS). Stage 2 incorporates “a vector-based vulnerability knowledge base” using “CodeBERT embeddings” with retrieval “if cosine similarity > 0.85,” and Stage 3 classifies a commit as VIC “if ≥1 fragment is confirmed vulnerable” (Chen et al., 7 Jul 2026). On a real-world dataset across multiple LLMs, VIC-RAGENT “achieves 1.2-1.7x higher F1-scores across different models” than the strongest baseline (Chen et al., 7 Jul 2026).

VulAgent organizes repository-level detection as “Multi-view Vulnerability Detection and Integration,” “Vulnerability Hypothesis Construction,” “Hypothesis-Condition Validation,” and “Hypothesis-Path Verification (Protection Checking)” (Wang et al., 15 Sep 2025). Its agents include StaticAnalyzerAgent, BehaviorAnalyzerAgent, MemoryLayoutAgent, AuthFlowAgent, CodeInjectionAgent, AggregatorAgent, TriggerPlannerAgent, AssumptionPrunerAgent, and FinalValidatorAgent. The reported gains are an “Avg. accuracy improvement: +6.6%,” a correct identification rate for vulnerable/fixed pairs “up to +450%,” and “FPR reduction: ~36%” (Wang et al., 15 Sep 2025). The emphasis is not only on detection, but on verification of exploit preconditions and source-to-sink trigger paths.

Favia addresses vulnerability-fixing commit identification with a “two-stage process”: “Stage 1: Candidate Ranking” followed by “Stage 2: ReAct-Based LLM Agent Classification” (Storhaug et al., 13 Feb 2026). The agent is given “a pre-commit repository as environment” and tools such as cve_report, cwe_report, file_search, code_search, open_file, scroll_file, and final_answer (Storhaug et al., 13 Feb 2026). The paper reports that Favia “consistently outperforms state-of-the-art traditional and LLM-based baselines under realistic candidate selection, achieving the strongest precision-recall trade-offs and highest F1-scores” on CVEVC, which comprises “over 8 million commits from 3,708 real-world repositories” (Storhaug et al., 13 Feb 2026).

VulnAgent-X similarly reframes vulnerability detection as a “staged, evidence-driven auditing process” with “Fast Risk Screening,” “Bounded Context Expansion,” “Multi-Agent Specialised Analysis,” “Selective Dynamic Verification,” and “Evidence Fusion” (Meng et al., 11 Mar 2026). Its initial risk score is written as

Risk0(ri)=αSistat+βSimeta+γSilm,\operatorname{Risk}_0(r_i) = \alpha S_i^{\text{stat}} + \beta S_i^{\text{meta}} + \gamma S_i^{\text{lm}},

and its final score as

Score(fi)=w1Risk0+w2Eistat+w3Eictx+w4Eiagt+w5Eidynw6Eictr.\operatorname{Score}(f_i) = w_1 \operatorname{Risk}_0 + w_2 E_i^{\text{stat}} + w_3 E_i^{\text{ctx}} + w_4 E_i^{\text{agt}} + w_5 E_i^{\text{dyn}} - w_6 E_i^{\text{ctr}}.

The paper reports PrimeVul F1 = 0.316, PrimeVul AUROC = 0.741, commit-level F1 = 0.741, and that the system resolves “~62% of cases early,” with dynamic verification invoked on “~18% of challenging cases” (Meng et al., 11 Mar 2026).

A related line of work targets CWE identification directly. “Think Broad, Act Narrow” uses three steps: an exhaustive search for candidate CWEs, context identification and gathering, and a final confirmation agent (Sayagh et al., 2 Aug 2025). In PrimeVul, Step 1 identifies “the appropriate CWE in 40.9% of the studied vulnerable functions,” and in ten synthetic programs the full pipeline reduced false positives “from 6 to 9 CWEs to just 1 to 2,” while “still correctly identifying the true CWE in 9 out of 10 cases” (Sayagh et al., 2 Aug 2025). This supports the broader software-security pattern that VAI accuracy improves when the system first over-generates vulnerability hypotheses and then validates them against repository context.

4. Agent application, skill, mobile, and data-agent attack surfaces

In LLM agent applications, VAI often means security auditing of the surrounding software stack rather than model-only inspection. Agent Audit analyzes “Python agent code and deployment artifacts through an agent-aware pipeline that combines dataflow analysis, credential detection, structured configuration parsing, and privilege-risk checks” (Zhang et al., 24 Mar 2026). Its four specialized scanners are PythonScanner, SecretScanner, MCPConfigScanner, and PrivilegeScanner, which feed a unified RuleEngine (Zhang et al., 24 Mar 2026). On “22 samples with 42 annotated vulnerabilities,” Agent Audit detects “40 vulnerabilities with 6 false positives,” corresponding in the detailed summary to “95.24% recall,” “86.96% precision,” and “F1=0.909,” while maintaining “sub-second scan times” and “~0.87s for 22,000+ LOC” (Zhang et al., 24 Mar 2026).

The skill ecosystem introduces a further layer of modular risk. “Agent Skills in the Wild” collected “42,447 skills” and analyzed “31,132” of them using SkillScan, “a multi-stage detection framework integrating static analysis with LLM-based semantic classification” (Liu et al., 15 Jan 2026). The paper reports that “26.1% of skills contain at least one vulnerability,” spanning “14 distinct patterns across four categories: prompt injection, data exfiltration, privilege escalation, and supply chain risks,” with “5.2%” showing “high-severity patterns strongly suggesting malicious intent” (Liu et al., 15 Jan 2026). The validated methodology reaches “86.7% precision and 82.5% recall,” and “skills bundling executable scripts are 2.12x more likely to contain vulnerabilities than instruction-only skills (OR=2.12, p<0.001)” (Liu et al., 15 Jan 2026).

For third-party mobile agents powered by VLMs, the literature identifies two attack surfaces that are “unique” relative to general mobile apps: the Screen Perception Attack Surface and the Misused Channel Attack Surface (Zhang et al., 1 Jul 2026). The work implements “seven concrete attacks,” including “subliminal text injection,” “invisible pixel zone exploitation,” “screenshot tampering,” and “host PC command injection” (Zhang et al., 1 Jul 2026). “All tested frameworks were vulnerable to at least six out of seven attacks,” and “subliminal text extraction via VLMs was effective at opacity levels as low as 2%” (Zhang et al., 1 Jul 2026). The invisible-zone width is formalized as

w=RR2(Ry)2,w = R - \sqrt{R^2 - (R-y)^2},

while the screenshot tampering window is expressed as

Δ=tpull_starttscreencap_return50-500ms.\Delta = t_{\mathrm{pull\_start}} - t_{\mathrm{screencap\_return}} \approx 50\text{-}500\,\mathrm{ms}.

These formulas make the attack surface explicitly geometric and temporal rather than purely semantic (Zhang et al., 1 Jul 2026).

Data agents combine LLM reasoning with relational access and executable tools, producing a different vulnerability profile. The corresponding study defines a layered vulnerability framework with “eight data agent-specific risks across interpretation, execution, and policy layers,” labeled V1–V8, and an attack taxonomy with “three goals, seven tactics, and fourteen techniques” (Wang et al., 7 Jun 2026). The empirical study deploys “350 payloads across 14 attack techniques” and “3,075 total tests” on six systems; “every agent is exposed to 5 or more of V1–V8,” and “each of V1–V8 affects at least 3 out of 6 tested systems” (Wang et al., 7 Jun 2026). The reported security metrics are Blast Radius (BR), Relative Error (RE), Resource Amplification Ratio (RAR), and Attack Success Rate (ASR) (Wang et al., 7 Jun 2026). This suggests that VAI in data-agent systems requires simultaneous reasoning about prompt interpretation, backend execution semantics, and session-level policy effects rather than isolated prompt-injection detection.

A related MCP-centered red-teaming study identifies “a novel vulnerability class” in which “benign, individually authorized tasks can be orchestrated to produce harmful emergent behaviors” (Noever, 27 Aug 2025). It surveys “95 agents tested” and highlights an “attack surface that grows exponentially with each new service integrated” (Noever, 27 Aug 2025). With “271 total tasks,” the pairwise combinatorial space is

A=(n2)=n(n1)2=36,585,A = \binom{n}{2} = \frac{n\cdot(n-1)}{2} = 36{,}585,

and the proposed evaluation directions include “Compositional Overflow Experiments,” “Capability Combination Testing,” and “Adversarial Benchmark Construction” (Noever, 27 Aug 2025).

5. Identity, provenance, attack-graph modeling, and detection-in-depth

One response to VAI in agent ecosystems is to make agent identity and delegation verifiable. BAID proposes “a comprehensive identity infrastructure establishing verifiable user-code binding” through “local binding via biometric authentication,” “decentralized on-chain identity management,” and “a novel zkVM-based Code-Level Authentication protocol” (Lin et al., 19 Dec 2025). Its AgentID is defined as

AgentID=agentid:H(nameCPH(profile)userIDothers),\mathsf{AgentID} = \text{agentid}: H(\text{name} \| C_P \| H(\text{profile}) \| \text{userID} \| \text{others}),

where CPC_P is the commitment to the agent’s binary program code (Lin et al., 19 Dec 2025). The reported guarantees are “operator identity,” “agent configuration integrity,” “execution provenance,” “code-identity binding,” and “permission boundary,” and the prototype reports “390k–507k gas for registration,” proof generation “under 40s per phase,” proof size “under 1.2 MB for 3+ steps,” and “verification latency” of “14–93 ms” (Lin et al., 19 Dec 2025).

AIP addresses the absence of authenticated delegation across MCP and A2A. After scanning “approximately 2,000 MCP servers,” the authors report that “all lacked authentication” (Prakash, 25 Mar 2026). The protocol introduces Invocation-Bound Capability Tokens (IBCTs) in two wire formats: “compact mode (a signed JWT for single-hop cases)” and “chained mode (a Biscuit token with Datalog policies for multi-hop delegation)” (Prakash, 25 Mar 2026). In evaluation, “Compact mode verification takes 0.049ms (Rust) and 0.189ms (Python), with 0.22ms overhead over no-auth in real MCP-over-HTTP deployment,” while in a real deployment with Gemini 2.5 Flash, AIP adds “2.35ms of overhead (0.086% of total end-to-end latency)” (Prakash, 25 Mar 2026). Across “600 attack attempts,” AIP shows a “100% rejection rate,” including “delegation depth violation and audit evasion through empty context” that were “uniquely caught by AIP's chained delegation model” (Prakash, 25 Mar 2026).

Attack-graph approaches address VAI from the perspective of system topology and exploit propagation. ATAG extends “the MulVAL logic-based AG generation tool with custom facts and interaction rules to accurately represent AI-agent topologies, vulnerabilities, and attack scenarios,” and introduces the LLM vulnerability database (LVD) to begin standardizing vulnerability documentation (Gandhi et al., 3 Jun 2025). The framework models agents, their interactions, and vulnerabilities as MulVAL facts and uses custom Datalog-style rules to infer which agents are vulnerable to prompt injection, excessive agency, and related attack paths (Gandhi et al., 3 Jun 2025). Its case studies show that attack graphs can “identify, visualize, and prioritize” vulnerable agents and multi-step paths in multi-agent applications (Gandhi et al., 3 Jun 2025).

At the ecosystem level, “Detecting Offensive Cyber Agents” argues that defenders face a “detection gap between offensive cyber agents and traditional cyber capabilities” and proposes detection-in-depth as a strategic framework (Mittelsteadt et al., 21 May 2026). The framework is organized around three core functions—Discovery (Signal Generation), Analysis (Interpretation), and Coordination (Systemic Action)—and five mechanisms: Agent Identifiers for Critical Infrastructure, Agent Honeypots, AI-Automated Alert Analysis and Triage, An Agentic Security Alert Standard, and An Agentic Cybersecurity Exchange (ACE) (Mittelsteadt et al., 21 May 2026). This suggests that VAI at deployment scale is inseparable from identity, telemetry, correlation, and information-sharing infrastructure.

6. Large-scale multi-agent control, infrastructure resilience, and operational triage

In large-scale multi-agent reinforcement learning, VAI is formalized as the problem of finding the subset of agents whose compromise maximally degrades overall performance. The task is posed as a Hierarchical Adversarial Decentralized Mean Field Control (HAD-MFC) problem with an NP-hard upper-level selection problem and a lower-level adversarial policy problem (Li et al., 18 Sep 2025). The objective is

minKN,K=kminπαJ(πα,πβ),\min_{\mathcal{K} \subseteq \mathcal{N}, |\mathcal{K}|=k} \min_{\pi_\alpha} J(\pi_\alpha, \pi_\beta),

and the upper-level reformulation uses dense rewards

rk=1NiN(Vi(s0i,μ0,ϵki,ξk)Vi(s0i,μ0,ϵk1i,ξk1)).r_k = \frac{1}{N} \sum_{i \in \mathcal N} \Big(V^i(s^i_0, \mu_0, \epsilon^i_k, \xi_k) - V^i(s^i_0, \mu_0, \epsilon^i_{k-1}, \xi_{k-1})\Big).

The paper states that the decomposition “provably preserves the optimal solution of the original HAD-MFC,” and reports that the method outperforms baselines in “17 out of 18 tasks,” with predicted value strongly correlated with realized damage: “Pearson's r=0.97r=0.97 for Battle” and “Score(fi)=w1Risk0+w2Eistat+w3Eictx+w4Eiagt+w5Eidynw6Eictr.\operatorname{Score}(f_i) = w_1 \operatorname{Risk}_0 + w_2 E_i^{\text{stat}} + w_3 E_i^{\text{ctx}} + w_4 E_i^{\text{agt}} + w_5 E_i^{\text{dyn}} - w_6 E_i^{\text{ctr}}.0 for Taxi, both Score(fi)=w1Risk0+w2Eistat+w3Eictx+w4Eiagt+w5Eidynw6Eictr.\operatorname{Score}(f_i) = w_1 \operatorname{Risk}_0 + w_2 E_i^{\text{stat}} + w_3 E_i^{\text{ctx}} + w_4 E_i^{\text{agt}} + w_5 E_i^{\text{dyn}} - w_6 E_i^{\text{ctr}}.1” (Li et al., 18 Sep 2025).

In smart-grid resilience, the analogous problem is to identify the K-most vulnerable entities in a multi-layered power-and-communication network. The Modified Implicative Interdependency Model (MIIM) represents entities with three states—“0: No operation,” “1: Reduced operation,” and “2: Full operation”—and uses min-AND, max-OR, and new-XOR operators to encode interdependency relations (Roy et al., 2020). Because the problem is “NP complete,” the paper gives an “Integer Linear Programming (ILP) based solution” validated on an “IEEE 14-Bus” system using “MATPOWER and Java Network Simulator (JNS)” (Roy et al., 2020). The reported conclusion is that “MIIM matches simulation in all tested scenarios,” whereas IIM overestimates cascading damage (Roy et al., 2020).

Networked-device identification yields yet another VAI instantiation. In IoT security, the pipeline is: “Device-Type Identification,” “Vulnerability Assessment,” and “Mitigation” (Greis et al., 2021). The paper evaluates a CNN and an LSTM for device-type identification from traffic sessions, reporting “97% and 98%” accuracy for the deep models, compared with “82%” for a hand-crafted fingerprinting method, and runtime improvements by “three magnitudes” (Greis et al., 2021). The CNN session-level result is 0.982 accuracy, 0.985 precision, and 0.983 recall, and SHAP analysis indicates that CNNs exploit features beyond headers, including encrypted traffic bytes (Greis et al., 2021). Here, VAI is operationalized by identifying device type first and then querying vulnerability databases such as CVE.

Operational vulnerability management adds a triage and prioritization layer. AgenticVM is a multi-agent framework for “detection, assessment, prioritization, and reporting” that combines “rule-based processing,” a “BERT-based CVSS prediction module,” and “specialised LLM-driven agents” (Arifin et al., 3 May 2026). The architecture includes Detection Agent, Assessment Agent, Prediction Agent, Integration Agent, Prioritization Agent, and Recommendation Agent (Arifin et al., 3 May 2026). Across evaluation scenarios, it reports “up to 98% alert reduction (e.g., from 3,983 findings to 82 high-priority items)” and “89.3% accuracy” for predicting missing CVSS attributes (Arifin et al., 3 May 2026). This suggests that in operational environments VAI is not only an identification problem, but also a workload-management and risk-queue construction problem.

Across the surveyed literature, VAI therefore denotes a technically heterogeneous but structurally related class of tasks: context-dependent identification of vulnerable subjects in machine learning, evidence-driven localization of vulnerable code and commits, auditing of agent applications and services, cryptographic verification of agent identity and delegation, and ranking of agents or entities whose failure most strongly propagates through large systems. The unifying concern is not a single benchmark or protocol, but the rigorous identification of consequential vulnerability under realistic context, interaction, and scale.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (19)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Vulnerable Agent Identification (VAI).