ai-research-survey

Systematic scan of agentic development research. What's signal, what's noise.


      1 {
      2   "paper": {
      3     "title": "The Promptware Kill Chain: How Prompt Injections Gradually Evolved Into a Multistep Malware Delivery Mechanism",
      4     "authors": ["Oleg Brodt", "Elad Feldman", "Bruce Schneier", "Ben Nassi"],
      5     "year": 2026,
      6     "venue": "arXiv",
      7     "arxiv_id": "2601.09625"
      8   },
      9   "scan_version": 3,
     10   "active_modules": ["survey_methodology"],
     11   "methodology_tags": ["meta-analysis", "theoretical"],
     12   "key_findings": "The paper introduces 'promptware' as a new class of malware execution mechanism triggered through prompts and proposes a seven-stage kill chain (Initial Access, Privilege Escalation, Reconnaissance, Persistence, C2, Lateral Movement, Action on Objective). Analysis of 36 documented incidents from 2023–2026 shows kill chain coverage increased from 2–3 stages in 2023 to routinely 4+ stages in 2025–2026, with 22 of the 36 attacks traversing four or more stages. The paper also finds (Table IV) that existing defenses focus disproportionately on initial access and privilege escalation while neglecting the lateral movement, C2, reconnaissance, and action-on-objective stages.",
     13   "checklist": {
     14     "artifacts": {
     15       "code_released": {
     16         "applies": true,
     17         "answer": false,
     18         "justification": "The Open Science section explicitly states: 'Since no code was developed, we do not have additional artifacts to share beyond the paper.' No repository or supplementary materials are provided."
     19       },
     20       "data_released": {
     21         "applies": true,
     22         "answer": false,
     23         "justification": "The 36 incidents are catalogued in Table II within the paper, but no structured dataset, CSV, or machine-readable format is released separately. A survey can release its analysis corpus; this one did not."
     24       },
     25       "environment_specified": {
     26         "applies": true,
     27         "answer": false,
     28         "justification": "No code or computational environment was used; the paper is a purely analytical SoK with no software artifacts. The item is still treated as applicable because a manual classification of 36 incidents could have been accompanied by analysis scripts or a coding protocol, but the paper explicitly states none exist."
     29       },
     30       "reproduction_instructions": {
     31         "applies": true,
     32         "answer": false,
     33         "justification": "No reproduction instructions are provided. The paper does not describe how to reproduce the incident classification or kill chain analysis beyond the narrative in the paper itself."
     34       }
     35     },
     36     "statistical_methodology": {
     37       "confidence_intervals_or_error_bars": {
     38         "applies": false,
     39         "answer": false,
     40         "justification": "Survey/SoK paper with simple counts and tabulations (Table III). No statistical inference is performed that would require confidence intervals."
     41       },
     42       "significance_tests": {
     43         "applies": false,
     44         "answer": false,
     45         "justification": "No comparative statistical claims are made. The paper reports descriptive counts of kill chain stages across time periods without testing for statistical significance."
     46       },
     47       "effect_sizes_reported": {
     48         "applies": false,
     49         "answer": false,
     50         "justification": "Survey/SoK paper with no experiments. The analysis is descriptive categorization, not effect measurement."
     51       },
     52       "sample_size_justified": {
     53         "applies": false,
     54         "answer": false,
     55         "justification": "Survey/SoK paper. The sample of 36 incidents is not justified through power analysis or a formal stopping rule; this is typical for SoK papers, so the item is treated as not applicable. The absence of any stated rationale for the sample is recorded instead under survey_methodology and data_collection_described."
     56       },
     57       "variance_reported": {
     58         "applies": false,
     59         "answer": false,
     60         "justification": "No experiments producing variable results. The kill chain classifications are deterministic categorizations, not measurements with variance."
     61       }
     62     },
     63     "evaluation_design": {
     64       "baselines_included": {
     65         "applies": true,
     66         "answer": true,
     67         "justification": "The paper compares against seven prior surveys [12]–[18] in the Introduction, arguing they are 'narrow in scope for three primary reasons' and identifying specific gaps: failure to recognize multistep evolution, focus on only initial phases, and lack of defense-in-depth perspective."
     68       },
     69       "baselines_contemporary": {
     70         "applies": true,
     71         "answer": true,
     72         "justification": "The compared surveys span 2024–2025 (refs [12]–[18]), which are contemporary to the paper's 2026 publication. These include JailbreakZoo [12], JailbreakRadar [13], DAN characterization [14], prompt injection defense evaluation [15], design patterns for LLM agents [16], jailbreak guardrails SoK [17], and prompt security taxonomy [18]."
     73       },
     74       "ablation_study": {
     75         "applies": false,
     76         "answer": false,
     77         "justification": "No system with components to ablate. This is a conceptual framework paper, not an engineering contribution."
     78       },
     79       "multiple_metrics": {
     80         "applies": false,
     81         "answer": false,
     82         "justification": "No experiments with quantitative metrics. The analysis uses categorical classification (kill chain stages) rather than measured metrics."
     83       },
     84       "human_evaluation": {
     85         "applies": false,
     86         "answer": false,
     87         "justification": "No system outputs to evaluate. This is a survey/framework paper with no experimental system."
     88       },
     89       "held_out_test_set": {
     90         "applies": false,
     91         "answer": false,
     92         "justification": "No experimental evaluation requiring train/test splits."
     93       },
     94       "per_category_breakdown": {
     95         "applies": true,
     96         "answer": true,
     97         "justification": "Table II provides per-incident breakdowns across all seven kill chain stages, and Table III summarizes stage distribution by time period (2023, 2024, 2025–2026). Section IV also breaks down by category (enterprise AI, coding assistants, AI worms, etc.)."
     98       },
     99       "failure_cases_discussed": {
    100         "applies": true,
    101         "answer": true,
    102         "justification": "The paper explicitly acknowledges framework limitations: 'We do not claim that the seven-step kill chain model captures every possible attack scenario, nor that the boundaries between stages are always sharp' (Section III). It also notes no attack achieved all 7 stages, and reconnaissance is rarely demonstrated."
    103       },
    104       "negative_results_reported": {
    105         "applies": true,
    106         "answer": true,
    107         "justification": "The paper reports several negative findings: no attack achieved all 7 kill chain stages (max is 5), promptware-native C2 was observed in only 2 of 36 incidents, reconnaissance was explicitly demonstrated in only 1 case (APwT), and strong prevention mechanisms all impose significant usability costs (Section V.G)."
    108       }
    109     },
    110     "claims_and_evidence": {
    111       "abstract_claims_supported": {
    112         "applies": true,
    113         "answer": true,
    114         "justification": "The abstract claims (1) prompt injections evolved into promptware (argued in Section II), (2) seven-stage kill chain introduced (Section III), (3) at least 21 attacks traverse 4+ stages—Table III shows 22 (13 at 4 stages + 9 at 5 stages), and (4) defense-in-depth reviewed (Section V). All abstract claims are supported by the paper's content."
    115       },
    116       "causal_claims_justified": {
    117         "applies": true,
    118         "answer": false,
    119         "justification": "The paper claims prompt injections 'evolved into' promptware and that kill chain coverage 'increased steadily over time.' These temporal claims are based on observational data from 36 hand-selected incidents without controlling for confounds such as increased researcher attention, selection bias in incident reporting, or the growing ecosystem of LLM applications creating more attack surface."
    120       },
    121       "generalization_bounded": {
    122         "applies": true,
    123         "answer": false,
    124         "justification": "The paper generalizes from 36 selected incidents to broad claims about 'LLM applications' and the evolution of 'promptware' as a class. The incidents are described as 'prominent' without defining selection criteria. The title claims prompt injections 'evolved into a multistep malware delivery mechanism' broadly, but the evidence comes from a hand-picked sample that may not represent the full landscape of attacks."
    125       },
    126       "alternative_explanations_discussed": {
    127         "applies": true,
    128         "answer": false,
    129         "justification": "The paper does not discuss alternative explanations for the observed evolution pattern. For example, it doesn't consider whether increasing kill chain coverage reflects researcher focus on finding more stages rather than actual attacker sophistication, whether the selection of 'prominent' incidents biases toward complex attacks, or whether the growth in LLM application capabilities (not attacker innovation) drives the observed pattern."
    130       },
    131       "proxy_outcome_distinction": {
    132         "applies": true,
    133         "answer": false,
    134         "justification": "The paper uses 'kill chain coverage' (number of stages observed in an incident) as a proxy for attack sophistication and threat severity. It does not discuss whether kill chain coverage is an adequate measure—an attack traversing 5 stages is not necessarily more dangerous than a 2-stage attack that achieves devastating RCE. The mapping from stage count to threat level is assumed, not justified."
    135       }
    136     },
    137     "setup_transparency": {
    138       "model_versions_specified": {
    139         "applies": false,
    140         "answer": false,
    141         "justification": "No models are used in this survey/SoK paper."
    142       },
    143       "prompts_provided": {
    144         "applies": false,
    145         "answer": false,
    146         "justification": "No prompting is used. The paper analyzes attacks but does not conduct any LLM experiments."
    147       },
    148       "hyperparameters_reported": {
    149         "applies": false,
    150         "answer": false,
    151         "justification": "No experiments or model usage requiring hyperparameter reporting."
    152       },
    153       "scaffolding_described": {
    154         "applies": false,
    155         "answer": false,
    156         "justification": "No agentic scaffolding is used. This is a survey/framework paper."
    157       },
    158       "data_preprocessing_documented": {
    159         "applies": true,
    160         "answer": false,
    161         "justification": "The paper states it 'analyzed thirty-six documented incidents and studies from February 2023 through January 2026' but does not describe how these 36 were identified or selected from the broader universe of prompt injection incidents. No search strategy, databases queried, or inclusion/exclusion criteria are stated. The incidents are described as 'prominent' without defining what constitutes prominence."
    162       }
    163     },
    164     "limitations_and_scope": {
    165       "limitations_section_present": {
    166         "applies": true,
    167         "answer": false,
    168         "justification": "There is no dedicated limitations or threats-to-validity section. The Ethical Considerations appendix only notes no experiments were performed. The Discussion (Section VI) presents four contributions but does not discuss limitations. Brief disclaimers are scattered in Section III ('We do not claim...') but there is no substantive concentrated discussion."
    169       },
    170       "threats_to_validity_specific": {
    171         "applies": true,
    172         "answer": false,
    173         "justification": "No threats to validity are discussed. The paper doesn't address selection bias in incident choice, potential for the evolution narrative to be an artifact of researcher attention, survivorship bias (only documented/discovered attacks are analyzed), or the reliability of classifying incidents into kill chain stages."
    174       },
    175       "scope_boundaries_stated": {
    176         "applies": true,
    177         "answer": true,
    178         "justification": "The paper explicitly states specific scope boundaries: 'We explicitly exclude traditional software exploits, such as buffer overflows in LLM-enabled applications that rely on memory corruption, from the definition of promptware' (Section II). It also acknowledges: 'We do not claim that the seven-step kill chain model captures every possible attack scenario, nor that the boundaries between stages are always sharp. Attackers may skip stages, combine them, merge them' (Section III)."
    179       }
    180     },
    181     "data_integrity": {
    182       "raw_data_available": {
    183         "applies": true,
    184         "answer": false,
    185         "justification": "The incident classifications are presented only in Table II within the paper. No downloadable dataset, supplementary spreadsheet, or machine-readable format is provided for independent verification of the kill chain classifications."
    186       },
    187       "data_collection_described": {
    188         "applies": true,
    189         "answer": false,
    190         "justification": "The paper does not describe how the 36 incidents were identified. No search databases, keywords, or systematic methodology is reported. The time range (February 2023 to January 2026) is stated, but the collection procedure itself is undocumented."
    191       },
    192       "recruitment_methods_described": {
    193         "applies": true,
    194         "answer": false,
    195         "justification": "There are no human participants, so 'recruitment' is interpreted here as the selection of the 36 incidents from the broader universe of prompt injection incidents and research. That selection method is not described: no inclusion/exclusion criteria, search strategy, or sampling approach is documented, and the incidents are called 'prominent' without defining the term."
    196       },
    197       "data_pipeline_documented": {
    198         "applies": true,
    199         "answer": false,
    200         "justification": "No documentation of how incidents were identified, filtered, classified into kill chain stages, or validated. The classification methodology (how the authors determined which kill chain stages an incident demonstrates) is not formally described."
    201       }
    202     },
    203     "conflicts_of_interest": {
    204       "funding_disclosed": {
    205         "applies": true,
    206         "answer": false,
    207         "justification": "No funding or acknowledgments section appears in the paper. No grants, sponsors, or funding agencies are mentioned anywhere."
    208       },
    209       "affiliations_disclosed": {
    210         "applies": true,
    211         "answer": true,
    212         "justification": "Author affiliations are clearly listed: Ben-Gurion University of the Negev, Tel Aviv University, Harvard Kennedy School, and University of Toronto."
    213       },
    214       "funder_independent_of_outcome": {
    215         "applies": true,
    216         "answer": false,
    217         "justification": "No funding statement is present, so funder independence cannot be assessed. The item is recorded as false because the disclosure needed to evaluate it is absent, not because a dependent funder was identified."
    218       },
    219       "financial_interests_declared": {
    220         "applies": true,
    221         "answer": false,
    222         "justification": "No competing interests or financial disclosure statement is present in the paper."
    223       }
    224     },
    225     "contamination": {
    226       "training_cutoff_stated": {
    227         "applies": false,
    228         "answer": false,
    229         "justification": "Survey/SoK paper that does not evaluate any pre-trained model's capability on a benchmark."
    230       },
    231       "train_test_overlap_discussed": {
    232         "applies": false,
    233         "answer": false,
    234         "justification": "Survey/SoK paper with no model evaluation or benchmark testing."
    235       },
    236       "benchmark_contamination_addressed": {
    237         "applies": false,
    238         "answer": false,
    239         "justification": "Survey/SoK paper with no benchmark evaluation."
    240       }
    241     },
    242     "human_studies": {
    243       "pre_registered": {
    244         "applies": false,
    245         "answer": false,
    246         "justification": "No human participants. The paper is a survey/SoK analyzing published incidents and studies."
    247       },
    248       "irb_or_ethics_approval": {
    249         "applies": false,
    250         "answer": false,
    251         "justification": "No human participants. The Ethical Considerations section explicitly states: 'no experiments have been performed that required ethical considerations.'"
    252       },
    253       "demographics_reported": {
    254         "applies": false,
    255         "answer": false,
    256         "justification": "No human participants in this survey/SoK paper."
    257       },
    258       "inclusion_exclusion_criteria": {
    259         "applies": false,
    260         "answer": false,
    261         "justification": "No human participants in this survey/SoK paper."
    262       },
    263       "randomization_described": {
    264         "applies": false,
    265         "answer": false,
    266         "justification": "No human participants or experimental conditions in this survey/SoK paper."
    267       },
    268       "blinding_described": {
    269         "applies": false,
    270         "answer": false,
    271         "justification": "No human participants or experimental conditions in this survey/SoK paper."
    272       },
    273       "attrition_reported": {
    274         "applies": false,
    275         "answer": false,
    276         "justification": "No human participants in this survey/SoK paper."
    277       }
    278     },
    279     "cost_and_practicality": {
    280       "inference_cost_reported": {
    281         "applies": false,
    282         "answer": false,
    283         "justification": "Survey/SoK paper with no computational method or model usage."
    284       },
    285       "compute_budget_stated": {
    286         "applies": false,
    287         "answer": false,
    288         "justification": "Survey/SoK paper with no computational experiments."
    289       }
    290     },
    291     "survey_methodology": {
    292       "prisma_or_structured_protocol": {
    293         "applies": true,
    294         "answer": false,
    295         "justification": "No PRISMA diagram, no structured review protocol, no reproducible search queries, and no protocol registration. The 36 incidents appear to be selected based on the authors' domain knowledge rather than a systematic search methodology."
    296       },
    297       "quality_assessment_of_sources": {
    298         "applies": true,
    299         "answer": false,
    300         "justification": "The survey treats all 36 sources—blog posts (e.g., Embrace The Red), security advisories, conference talks, and peer-reviewed papers—as equivalent evidence without any quality assessment or risk-of-bias evaluation. No per-incident criteria are applied (e.g., whether a working proof of concept, vendor confirmation, or independent reproduction exists), so a blog post vulnerability disclosure carries the same weight as a CCS paper in the kill chain tallies."
    301       },
    302       "publication_bias_discussed": {
    303         "applies": true,
    304         "answer": false,
    305         "justification": "No discussion of publication or reporting bias. The paper does not consider whether documented incidents are biased toward successful or dramatic attacks, whether failed or partial attacks go unreported, or whether the security research community's focus on novel attack demonstrations skews the sample."
    306       }
    307     }
    308   },
    309   "claims": [
    310     {
    311       "claim": "Prompt injections have evolved from isolated exploits into multistep malware delivery mechanisms (promptware) following a structured seven-stage kill chain.",
    312       "evidence": "Section II argues that prompt injection shares characteristics with script injection (application-wide blast radius, RCE capability) more than SQL injection. Section III defines seven kill chain stages with examples from the literature. Table I provides a systematic comparison across 10 dimensions.",
    313       "supported": "moderate"
    314     },
    315     {
    316       "claim": "At least 21 documented attacks traverse four or more stages of the promptware kill chain.",
    317       "evidence": "Table III tallies: 13 attacks at 4 stages + 9 attacks at 5 stages = 22 total at 4+ stages across 36 analyzed incidents. Table II provides per-incident classification.",
    318       "supported": "moderate"
    319     },
    320     {
    321       "claim": "Kill chain coverage has increased steadily over time, from 2–3 stages in 2023 to routinely 4+ stages in 2025–2026.",
    322       "evidence": "Table III shows: 2023 had 0 attacks at 4+ stages (out of 3), 2024 had 7 (out of 12), and 2025–2026 had 15 (out of 21). Section IV.A provides chronological narrative of this evolution.",
    323       "supported": "moderate"
    324     },
    325     {
    326       "claim": "AI worms show the highest kill chain coverage of any attack category, with two of three achieving five stages.",
    327       "evidence": "Section IV.A.3 states this directly. Table II confirms Morris II Worm and AgentHopper both reached 5 stages (Initial Access, Privilege Escalation, Persistence, Lateral Movement, Action on Objective).",
    328       "supported": "moderate"
    329     },
    330     {
    331       "claim": "Existing defenses disproportionately address initial access and privilege escalation while neglecting later kill chain stages.",
    332       "evidence": "Table IV shows numerous mitigations for IA and PE, but only 3 for lateral movement, 3 for C2, 0 for reconnaissance, and 7 for action on objective. Section V.G explicitly concludes 'much less attention has been given to the development of mitigations against lateral movement, C2, reconnaissance and action on objective.'",
    333       "supported": "strong"
    334     },
    335     {
    336       "claim": "All prevention mechanisms significantly impact usability, creating an inherent tension between security and functionality.",
    337       "evidence": "Section V.G and Table IV show that instruction-data separation (P), action sandboxing (P), and policy grounding (P/M) all have medium to high usability impact (the P/M tags are Table IV's labels; P appears to denote prevention and M mitigation). The paper concludes: 'strong prevention comes at the cost of usability' and 'all prevention mechanisms significantly impact usability.'",
    338       "supported": "moderate"
    339     }
    340   ],
    341   "red_flags": [
    342     {
    343       "flag": "No structured selection methodology for incidents",
    344       "detail": "The 36 incidents are described as 'prominent' without defining inclusion/exclusion criteria, search databases, or selection methodology. This creates risk of cherry-picking incidents that support the evolution narrative while omitting incidents that don't fit the framework."
    345     },
    346     {
    347       "flag": "Self-citation concern",
    348       "detail": "Co-author Ben Nassi is an author on several of the analyzed incidents, including Morris II Worm [7], APwT [37], and 'Invitation Is All You Need' [6]. The kill chain framework is partly built on and validated by the authors' own prior work, which could bias the analysis toward incidents that fit the proposed model."
    349     },
    350     {
    351       "flag": "No quality assessment of heterogeneous sources",
    352       "detail": "Blog posts (Embrace The Red), security vendor advisories (PromptArmor, Noma Security), conference talks (39C3), and peer-reviewed papers (ACM CCS) are all treated as equivalent evidence. A vulnerability demo in a blog post has different evidentiary weight than a peer-reviewed study, but both contribute equally to the kill chain analysis."
    353     },
    354     {
    355       "flag": "No limitations section",
    356       "detail": "For a paper proposing a comprehensive security framework from 36 selected incidents, the absence of a dedicated limitations section is notable. Key unaddressed threats include selection bias, the reliability of the kill chain classification itself (no annotation protocol or inter-rater agreement is reported for how stages were assigned to incidents), and whether the evolution pattern reflects genuine attacker sophistication vs. increased researcher attention."
    357     },
    358     {
    359       "flag": "Evolution narrative may be artifact of observation bias",
    360       "detail": "The increasing kill chain coverage over time (Table III) could reflect researchers looking for more stages in newer work rather than actual attack evolution. Earlier incidents may have had more stages that simply went undocumented. The paper does not address this confound."
    361     }
    362   ],
    363   "cited_papers": [
    364     {
    365       "title": "Not what you've signed up for: Compromising real-world LLM-integrated applications with indirect prompt injection",
    366       "authors": ["K. Greshake", "S. Abdelnabi", "S. Mishra", "C. Endres", "T. Holz", "M. Fritz"],
    367       "year": 2023,
    368       "relevance": "Foundational work on indirect prompt injection against production LLM applications (Bing Chat, GPT plugins), demonstrating data exfiltration via poisoned web pages."
    369     },
    370     {
    371       "title": "Here comes the AI worm: Preventing the propagation of adversarial self-replicating prompts within GenAI ecosystems",
    372       "authors": ["S. Cohen", "R. Bitton", "B. Nassi"],
    373       "year": 2025,
    374       "relevance": "First demonstration of AI worms (Morris II) with self-replicating prompt injection across email assistants, achieving 5 kill chain stages."
    375     },
    376     {
    377       "title": "Universal and transferable adversarial attacks on aligned language models",
    378       "authors": ["A. Zou", "Z. Wang", "N. Carlini", "M. Nasr", "J. Z. Kolter", "M. Fredrikson"],
    379       "year": 2023,
    380       "arxiv_id": "2307.15043",
    381       "relevance": "Demonstrated universal adversarial suffixes that transfer across multiple LLMs, representing a key escalation in jailbreaking capability."
    382     },
    383     {
    384       "title": "Design patterns for securing LLM agents against prompt injections",
    385       "authors": ["L. Beurer-Kellner", "B. Buesser", "A.-M. Crețu"],
    386       "year": 2025,
    387       "arxiv_id": "2506.08837",
    388       "relevance": "Proposes architectural design patterns including plan-then-execute pipelines as structural defenses against prompt injection in LLM agents."
    389     },
    390     {
    391       "title": "Jailbroken: How does LLM safety training fail?",
    392       "authors": ["A. Wei", "N. Haghtalab", "J. Steinhardt"],
    393       "year": 2023,
    394       "relevance": "Analyzes failure modes of LLM safety alignment training, relevant to understanding why privilege escalation via jailbreaking persists."
    395     },
    396     {
    397       "title": "NeMo Guardrails: A toolkit for controllable and safe LLM applications with programmable rails",
    398       "authors": ["T. Rebedea", "R. Dinu", "M. N. Sreedhar", "C. Parisien", "J. Cohen"],
    399       "year": 2023,
    400       "relevance": "Provides programmable policy enforcement for LLM applications, directly relevant to defense-in-depth against promptware."
    401     },
    402     {
    403       "title": "IsolateGPT: An execution isolation architecture for LLM-based agentic systems",
    404       "authors": ["Y. Wu", "F. Roesner", "T. Kohno", "N. Zhang", "U. Iqbal"],
    405       "year": 2024,
    406       "arxiv_id": "2403.04960",
    407       "relevance": "Proposes component isolation architecture to mitigate lateral movement in LLM agentic systems."
    408     },
    409     {
    410       "title": "Prompt infection: LLM-to-LLM prompt injection within multi-agent systems",
    411       "authors": ["D. Lee", "M. Tiwari"],
    412       "year": 2024,
    413       "arxiv_id": "2410.07283",
    414       "relevance": "Demonstrates cross-agent prompt injection propagation in multi-agent systems, directly relevant to lateral movement in the kill chain."
    415     },
    416     {
    417       "title": "A jailbroken GenAI model can cause substantial harm: GenAI-powered applications are vulnerable to promptwares",
    418       "authors": ["S. Cohen", "R. Bitton", "B. Nassi"],
    419       "year": 2024,
    420       "arxiv_id": "2408.05061",
    421       "relevance": "First demonstration of reconnaissance stage in promptware, where injected prompts dynamically probe the host application's context."
    422     },
    423     {
    424       "title": "AirGapAgent: Protecting privacy-conscious conversational agents",
    425       "authors": ["E. Bagdasarian", "R. Yi", "S. Ghalebikesabi"],
    426       "year": 2024,
    427       "relevance": "Proposes task-conditioned data minimization architecture to protect against data exfiltration in LLM agents."
    428     },
    429     {
    430       "title": "SoK: Taxonomy and evaluation of prompt security in large language models",
    431       "authors": ["H. Hong", "S. Feng", "N. Naderloui"],
    432       "year": 2025,
    433       "arxiv_id": "2510.15476",
    434       "relevance": "Comprehensive taxonomy of prompt security attacks and defenses, one of the baseline surveys this paper positions against."
    435     },
    436     {
    437       "title": "AgentRIM: Tool risk mitigation for agentic AI",
    438       "authors": ["R. Betser", "S. Bose", "A. Giloni"],
    439       "year": 2026,
    440       "arxiv_id": "2601.12449",
    441       "relevance": "Proposes least-privilege tool access control for AI agents, directly relevant to mitigating lateral movement and action-on-objective stages."
    442     },
    443     {
    444       "title": "Firewalls to secure dynamic LLM agentic networks",
    445       "authors": ["S. Abdelnabi", "A. Gomaa", "E. Bagdasarian"],
    446       "year": 2025,
    447       "arxiv_id": "2502.01822",
    448       "relevance": "Proposes prompt injection sanitizer firewalls for LLM agent networks, addressing initial access defense in the kill chain."
    449     }
    450   ],
    451   "engagement_factors": {
    452     "practical_relevance": {
    453       "score": 2,
    454       "justification": "The kill chain framework and the per-stage defense mapping in Table IV are directly useful for security practitioners designing LLM application architectures—a defender can check which kill chain stages their existing controls cover and where (lateral movement, C2, reconnaissance) the paper reports few or no mitigations—though the paper provides no tools or code."
    455     },
    456     "surprise_contrarian": {
    457       "score": 2,
    458       "justification": "Directly challenges the widely-held 'prompt injection = SQL injection' analogy, arguing this framing 'dangerously understates' the threat and citing NCSC agreement."
    459     },
    460     "fear_safety": {
    461       "score": 3,
    462       "justification": "Catalogs escalating real-world attacks on production systems including IoT surveillance via Google Assistant, $47K cryptocurrency theft, RCE on AI coding assistants, and self-propagating AI worms."
    463     },
    464     "drama_conflict": {
    465       "score": 2,
    466       "justification": "Strong 'the industry is getting this wrong' framing—prompt injection is 'dangerously misunderstood' per NCSC, and existing defenses are insufficient for the full kill chain."
    467     },
    468     "demo_ability": {
    469       "score": 0,
    470       "justification": "Purely conceptual framework paper with no code, tools, or demo. The Open Science section confirms no artifacts exist."
    471     },
    472     "brand_recognition": {
    473       "score": 2,
    474       "justification": "Bruce Schneier (famous cryptographer and security commentator) is a co-author. Attacks analyzed target ChatGPT, Google Assistant, GitHub Copilot, and Microsoft Copilot."
    475     }
    476   }
    477 }
