SpecShield: A Structural Trusted Monitor for Tool-Using AI Agents

Nhi Dinh

SpecShield builds a structural monitor to make tool-using AI agents safer against prompt injection. Instead of judging text, it checks actions using taint, provenance, approval, and recipient rules. The key result is that safety depends on provenance quality: the monitor works well with good provenance and degrades gradually as provenance becomes noisy.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

Good evidence supporting the importance of provenance. Found quite a few things to be very relevant - comparison between different modes, cost benefits of gated over hybrid, and deployment recommendations. But I'm confused about the results in 4.2 - it appears from the scores that the structural monitor beats the gated setup in all 4 measured axes but the paper recommends gated over just structural. Is this a limitation of what was tested?

Shifting the question from "can we detect a bad instruction?" to "did this action have proper human approval?" is a genuinely clever idea, and showing exactly how much safety you lose as that approval signal gets noisier is the kind of honest, practical result teams can actually use. The biggest next step is testing whether you can reliably generate that approval signal in a real system — right now it's assumed to exist, but building and measuring it is where the real-world impact lies. A simple one-page diagram showing how a request moves through your system from start to final decision would also go a long way in helping more people understand and adopt this work.

This is a strong and well-motivated exploration of action-level safety for tool-using agents. The project correctly shifts attention from moderating model text to authorizing consequential actions, and the structural approach—typed tool fields, taint, trusted approval provenance, destination allow-lists, and deny-overrides aggregation—is auditable and potentially easier to reason about than a purely semantic LLM monitor. The report is also unusually transparent about conditional guarantees, failed hypotheses, and red-team discoveries. In particular, allowing an optimizing attacker to expose the missing web-sink backstop and then documenting the repair is a valuable engineering contribution.

The central limitation is that the strongest result depends on provenance and taint labels derived from AgentDojo ground truth rather than from a deployed provenance-tracking system. Benign actions are marked user-approved, injected actions are marked untrusted, and private taint is inferred from known benchmark trajectories. These fields contain much of the information required to distinguish safe from unsafe actions, so the reported 17/17 protection result should be described as conditional policy correctness under oracle-quality metadata—not as end-to-end prompt-injection robustness. The most important next experiment is to build or integrate an actual provenance and taint tracker and evaluate the complete pipeline from untrusted input through planning, tool invocation, and authorization.

The provenance-noise experiment is a useful first step, but independent random label flipping does not resemble the failures most likely to occur in real systems. Errors may be correlated across a trajectory, concentrated on adversarial actions, caused by transformations or summaries that drop provenance, or intentionally induced by an attacker. Overall “provenance accuracy” is also insufficient: 90% accuracy could represent mostly benign false alarms or, much more dangerously, systematic false trust on attacks. The evaluation should separately vary attack-side false-trust rates and benign-side false-untrust rates, include targeted and correlated corruption, and test laundering through summaries, copied values, aliases, intermediate files, and multiple tool calls.

The evaluation set also needs clearer accounting and a held-out assessment. The benchmark contains 26 attacks, but the headline enforcement result covers 17 “relevant” attacks. The exclusion criteria for the remaining attacks should be explicitly listed, together with results for every excluded category and an explanation of whether the invariant is intended to cover them. Moreover, the optimizing attacker revealed a web-sink weakness and the rule was then repaired on the same benchmark. This is good iterative development, but the post-repair 100% result may reflect benchmark-specific hardening. The policy should be frozen after red-teaming and evaluated against unseen AgentDojo tasks, another agent-security benchmark, or an independently created hold-out attack suite.

The statistical treatment of the provenance curve should also account for dependence. Pooling 30 seeded trials across the same 75 underlying actions and applying ordinary Wilson intervals treats repeated decisions as more independent than they are, which can make confidence intervals appear artificially tight. Action-level or trajectory-level cluster bootstrapping would provide more defensible uncertainty estimates. The paper should also define precisely how ALLOW, ASK_USER, REVIEW, and BLOCK map to the safety and usefulness metrics. In deployment, escalations are not cost-free: frequent review requests can create user fatigue, approval habituation, or pressure to disable the monitor.

The hybrid-monitor result is promising, but the current evidence does not yet establish a generally disjoint failure structure. After the web-sink repair, the structural layer already reaches 100% on the tested attacks, so the max hybrid inherits that result without demonstrating cases where the LLM independently catches an attack the structural layer misses. A stronger comparison would include semantic attacks with valid-looking structural metadata, ambiguous authorization, deceptive tool descriptions, and policy-relevant intent that cannot be inferred from typed fields alone. The study should then report which cases are uniquely caught by each layer, along with calibrated thresholds, latency, API cost, and susceptibility of the LLM monitor itself to prompt injection.

The threat model should more clearly identify all trusted components. The guarantee depends not only on provenance but also on correct tool schemas, trustworthy taint propagation, an authenticated user-confirmation channel, untampered allow-lists, and a monitor that the agent cannot bypass. Real agent ecosystems increasingly use dynamic MCP or plugin tools whose names and schemas may be misleading or insufficiently specific. The project should define a trusted tool registry, normalize destinations and identities, authenticate approvals outside untrusted content, and test whether an attacker can route data through an allow-listed alias, compromised recipient, URL redirect, nested tool, or apparently harmless intermediate action.

Multi-step composition is another major open area. Many dangerous workflows consist of individually permissible actions: reading private data, summarizing it, writing it to a temporary file, and later sending that file externally. Other harms accumulate through many sub-threshold transfers or through state changes that become dangerous only in combination. Extending taint and authorization across complete trajectories, rather than authorizing calls independently, is essential before the invariant can be treated as representative of autonomous-agent safety.

The Vietnamese and code-switched evaluation is a useful negative result, but “confirmed null” is too strong for 16 attacks with wide intervals and a limited set of model families. The appropriate conclusion is that no language gap was detected in this sample. An equivalence test, preregistered acceptable margin, more items, and additional small or local models would be required to establish practical equivalence.

Overall, SpecShield is a technically substantive and clearly presented project. Its most valuable contribution is the honest reframing of structural safety as a function of provenance quality rather than an unconditional solution to prompt injection. The work would be substantially strengthened by evaluating a real end-to-end provenance tracker, introducing realistic and adversarial provenance failures, freezing the repaired policy before hold-out testing, correcting clustered uncertainty estimates, and extending authorization to multi-step tool trajectories.

scores

| Criterion | Score | Rationale |

| --------------------------------- | ------: | --------------------------------------------------------------------------------------------------------------------------------------------------------- |

| Impact Potential & Innovation | 4.0 | Important action-authorization framing with a useful focus on measurable provenance dependence |

| Execution Quality | 3.5 | Strong prototype, adaptive red-teaming, and reproducible analysis, but the principal guarantee relies on oracle-like provenance and same-benchmark repair |

| Presentation & Clarity | 4.0 | Clear, technically grounded, candid about limitations, and effective at distinguishing conditional from unconditional claims |

Cite this work

@misc {

title={

(HckPrj) SpecShield: A Structural Trusted Monitor for Tool-Using AI Agents

},

author={

Nhi Dinh

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.