Skills
Strict data-flow tracking is the only defense that zeroes out ADI — spend its utility cost only on code execution and money
In the paper's defense matrix, CaMeL with strict propagation policies is the sole configuration reaching 0% ADI attack success, but utility collapses from 81.4% to 36.5%. Progent-style argument sandboxing lands at 22.2% ASR while holding 81.4% utility, and CaMeL with no policy sits at 25.0% because untrusted data still flows through the quarantine LLM. The practical read: run strict data-flow tracking on the two workflows where a corrupted resource identifier is unrecoverable — code execution and financial transactions — and take argument-constraining sandboxing everywhere else.
↳ Follow the thread