Agentic safety triggers aren't textual safety triggers - MCP attacks that beat SOTA guardrails more than half the time (code + dataset) [R]
The Problem: Textual Safety Triggers Miss Agentic Attacks
Most safety alignment work treats "detect the attack" as a text classification problem - does the prompt contain language the model's safety guardrails should catch. That assumption breaks down for LLM agents with real tool access.
A Concrete Example
Here's a concrete case: take a known, public security vulnerability (a CVE), work out the sequence of tool calls that would exploit it, then have an LLM rewrite that as an ordinary-sounding request. Nothing in the resulting text looks like an attack - because the "attack" isn't in the text, it's in the tool-call sequence the text leads to. A model whose guardrails only trigger on textual cues has nothing to catch.
Experimental Results
We tested this against LLM agents using Model Context Protocol (MCP) tool access (filesystem IO):
- No base model (1Bโ14B parameters) refused more than 35% of these attacks
- SOTA safety-tuning (DPO, SafeDPO) only pushed that to 48%
- Training-free methods do better - one gets to roughly 3x the baseline refusal rate with no fine-tuning run at all
Resources
Full methodology, training/eval code (four methods), dataset, and papers in the first comment.
Comments
No comments yet. Start the discussion.