规模化LLM智能体安全测试:从风险发现到基于证据的验证
Safety Testing LLM Agents at Scale: From Risk Discovery to Evidence-Grounded Verification
July 4, 2026
作者: Yunhao Feng, Ruixiao Lin, Ming Wen, Qinqin He, Yanming Guo, Yifan Ding, Yutao Wu, Jialuo Chen, Zhuoer Xu, Xiaohu Du, Jianan Ma, Zixing Chen, Xingjun Ma, Yunhao Chen, Xinhao Deng
cs.AI
摘要
大语言模型代理(LLM agents)越来越多地通过外部工具执行自主行动,导致复杂且不断演变的安全风险。然而,现有的安全测试针对专家设计的安全违规行为,其相应结果由硬编码规则评估,这使得随着代理的进化,扩展测试成本高昂。为此,我们提出了Vera,一个端到端的自动化安全测试框架,通过一个三阶段的自增强流程,将软件工程测试原则实例化到非确定性代理上。首先,文献驱动的探索持续发现并将新兴风险结构化为安全风险、攻击方法和工具执行环境的分类体系。其次,跨分类维度的组合组合生成可执行的安全用例,每个用例指定具体的安全目标、编程构建的初始状态,以及基于可观测工件的确定性验证谓词。第三,自适应执行在隔离沙箱中运行异构代理,其中控制代理基于运行时观察引导多轮交互,而基于证据的验证器则从环境状态和工具调用证据(而非模型自我报告)判断结果。我们在四个生产级代理框架(OpenClaw、Hermes、Codex、Claude Code)上评估了Vera,揭示了显著的安全弱点,在多渠道攻击下平均攻击成功率高达93.9%;我们还发布了Vera-Bench,包含1600个可执行的安全用例,涵盖三个执行环境下的124个风险类别。这些结果表明,模块化、可执行的测试基础设施对于大规模、严格且可维护地评估快速演变的自主系统安全性至关重要。代码已在 https://github.com/Yunhao-Feng/Vera 公开。
English
LLM agents increasingly perform autonomous actions through external tools, leading to complex and evolving safety risks. However, existing safety testing targets expert-designed safety violations, and the corresponding outcomes are evaluated by hard-coded rules, making them costly to extend as agents evolve. To this end, we present Vera, an end-to-end automated safety testing framework that instantiates software engineering testing principles for non-deterministic agents through a three-stage, self-reinforcing pipeline. First, a literature-driven exploration continuously discovers and structures emerging risks into taxonomies of safety risks, attack methods, and tool execution environments. Second, combinatorial composition across taxonomy dimensions produces executable safety cases, each specifying a concrete safety goal, a programmatically constructed initial state, and a deterministic verification predicate grounded in observable artifacts. Third, adaptive execution runs heterogeneous agents in isolated sandboxes where a control agent steers multi-turn interaction based on runtime observations, while evidence-grounded verifiers judge outcomes from environment state and tool-call evidence rather than model self-report. We evaluate Vera on four production agent frameworks (OpenClaw, Hermes, Codex, Claude Code), revealing substantial safety weaknesses, with average attack success rates reaching 93.9\% under multi-channel attacks; we also release Vera-Bench, comprising 1600 executable safety cases spanning 124 risk categories across three execution settings. These results indicate that modular, executable testing infrastructure is essential for rigorous and maintainable safety evaluation of rapidly evolving agentic systems at scale. The code is publicly available at https://github.com/Yunhao-Feng/Vera.