Skip to content

Commit cee1048

Browse files
WaylandYangclaude
andcommitted
paper: final pre-arXiv audit — fix 3 stale numbers
Pre-submission audit caught three places where numbers hadn't been updated to the post-AgentDojo / 5-LLM corpus: line 151 (intro Empirical headlines): "660 tool calls" -> 675 also added the AgentDojo attribution that was already in the body but missing here line 525 (OpenAPI reframing in §3): "0--6%" MCP-family -> 0--1% (matches the AgentDojo measurement) line 839 (§6.1 limitations): "two LLMs" -> "five LLMs across four vendors using AgentDojo's attack templates" All other instances were already consistent (verified with grep). Headline numbers and vendor lists now match across abstract, intro, §3 prose, figure caption, conclusion, and §6.1. Re-verified abstract remains under arXiv's 1920-char metadata limit (1866 chars). Compile check: clean, 15 pages, 498 KB. arXiv tarball rebuilt. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 46aa700 commit cee1048

2 files changed

Lines changed: 7 additions & 4 deletions

File tree

docs/paper/dcp-arxiv-v0.3.1.tar.gz

21 Bytes
Binary file not shown.

docs/paper/main.tex

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -148,10 +148,12 @@ \section{Introduction}
148148
designed from the start for LLM callers.
149149

150150
\paragraph{Empirical headlines.} Two findings up front, both measured
151-
(\S\ref{sec:safety}, \S\ref{sec:impl}): (i) across 660 tool calls
151+
(\S\ref{sec:safety}, \S\ref{sec:impl}): (i) across 675 tool calls
152152
produced by five LLMs across four vendors (DeepSeek\,V3; Alibaba Qwen
153153
2.5-72B and Qwen 3.5-35B-A3B; Zhipu GLM-4-32B; MiniMax M2.5) in
154-
response to six categories of adversarial prompts, DCP rejects
154+
response to six categories of adversarial prompts --- with the
155+
prompt-injection category instantiated from AgentDojo's~\cite{agentdojo}
156+
attack templates --- DCP rejects
155157
100\,\% of capability escalation attempts and 78\,\% of prompt
156158
injection attempts (the latter category instantiated from the seven
157159
attack templates in AgentDojo~\cite{agentdojo}, adapted to the
@@ -519,7 +521,7 @@ \subsection{Safety model}\label{sec:safety}
519521
a well-written OpenAPI service, in a runtime three orders of magnitude
520522
smaller, on hardware OpenAPI cannot reach. The protocols that
521523
\emph{can} reach this hardware --- Raw MCP and IoT-MCP --- sit at
522-
0--6\,\% across the columns that matter (capability, prompt
524+
0--1\,\% across the columns that matter (capability, prompt
523525
injection), and that is the gap the paper actually closes.
524526

525527
\begin{figure}[h]
@@ -836,7 +838,8 @@ \subsection{What this paper does not prove}
836838
We have validated the reference implementation on one MCU (ESP32-WROOM-32)
837839
over one transport (UART), reported its compiled footprint, measured
838840
its end-to-end latency, and run an empirical adversarial-prompt study
839-
against two LLMs (Section~\ref{sec:safety}, Figure~\ref{fig:halluc}).
841+
against five LLMs across four vendors using AgentDojo's attack templates
842+
(Section~\ref{sec:safety}, Figure~\ref{fig:halluc}).
840843
We have \emph{not} established:
841844

842845
\begin{itemize}[leftmargin=*,nosep]

0 commit comments

Comments
 (0)