Title: Identical Payloads, Divergent Channels: Quantifying Trust Asymmetry in Tool-Utilizing Language Models

Abstract:

As language models increasingly assume agentic functions—such as invoking external APIs, interpreting tool outputs, and executing instructions found within third-party materials—their vulnerability surface extends significantly beyond direct user input. To date, there has been no systematic investigation into whether models respond to malicious directives uniformly, regardless of the delivery channel. This paper introduces the Safety Asymmetry Score (SAS), a metric designed to quantify how a model’s vulnerability to adversarial material fluctuates based on whether the content is embedded in the user message, tool metadata, or tool output. This measurement relies on matched payload pairs, where the malicious text remains constant while only the delivery context varies.

Our evaluation across six production-grade Large Language Models (LLMs) and three distinct attack families reveals a consistent and revealing asymmetry. Agent-native models demonstrate significantly higher susceptibility to adversarial content when it is delivered via tool descriptions compared to user messages; conversely, general-purpose models exhibit the opposite pattern. Furthermore, this dynamic reverses when the same adversarial content is transmitted through tool outputs rather than descriptions. This behavior suggests that models implicitly regard tool metadata as trusted instructions while treating tool results as standard data.

Additionally, a mechanistic analysis of Llama 3.3 70B indicates that safety-relevant representations are causally active at mid-to-late network depths but are encoded in a non-linear fashion, which accounts for the inability of linear probes to detect them. Collectively, these results highlight a systematic, channel-dependent blind spot in the current handling of adversarial content by tool-using models.

Source: arXiv Generated at: 2026-06-02 00:00:00 UTC