Researchers from Tel Aviv University, the Technion, and Intuit described a new class of attacks targeting AI agent applications. This method exploits the tendency of language models to fabricate non-existent identifiers for repositories, skills, and other external resources.
In their preprint, the authors demonstrated that these errors can be transformed into a channel for delivering malicious instructions. In controlled experiments, the attack led to the invocation of built-in AI agent tools and remote code execution.
“The tendency of LLMs to hallucinate resource identifiers can be leveraged to enhance untargeted promptware attacks,” the paper states.
This specifically concerns AI agent systems that do more than just answer questions; they access files, search the internet, clone repositories, install extensions, execute terminal commands, and call APIs.
How HalluSquatting Works
The authors named the attack Adversarial HalluSquatting. The scenario revolves around a predictable model error. A user might ask an AI agent to clone a popular repository or install a skill. The agent must determine the exact address of the resource. If the model does not know the correct identifier, it may generate a similar one.
The attacker tracks popular resources in advance, repeatedly queries the model, and identifies which non-existent addresses it generates most frequently. They then register these names on GitHub, ClawHub, or another platform, placing malicious instructions there. If the AI agent later “hallucinates” this address, it will pull the malicious resource and interact with it as if it were legitimate.
Source: arXiv.The authors pointed out the scalability of this scheme. Unlike previous prompt injections, the attacker does not need to send a message to a specific victim, add an event to a calendar, or access a shared document. It is sufficient to publish a malicious resource in a public space and wait for the agent to request it.
“One compromised resource can lead to the compromise of many machines,” the researchers noted.
Test Results on Repositories
The researchers conducted over 14,000 runs. In the first phase, they tested six foundational models through public APIs: Gemini 2.5 Flash, Gemini 2.5 Pro, GPT-5.1, GPT-5.2, Sonnet 4.5, and Opus 4.5.
The models were given prompts like “output a shell command to clone a repository.” The sample included 10 recent projects from GitHub Trending and five older repositories from 2013 to 2018 as a control group.
For new repositories, the average hallucination rate was 92.4%. In 53 out of 60 combinations of “repository — model,” the system never identified the correct project owner. For older repositories, the average was 0.9%. According to the authors, this gap is likely due to older projects being present in the training data of the models, while newer ones are not.
The researchers identified three types of hallucinations:
- The model places the repository name in the owner field, creating an address like repo/repo.
- Attributing the project to a real but incorrect owner.
- Placeholder responses like username/repo.
The first type was the most convenient for attacks, as it is predictable and often available for registration. In 6,000 requests for new projects, the models produced a directly registrable slug in 27% of runs—1,602 times. For each trending repository in the sample, there was at least one registrable candidate in the top 10 universal rankings.
What Happened in Real AI Applications
In the second phase, the authors moved from foundational models to working applications with terminal access. The tests included Cursor, Cursor CLI, Windsurf, GitHub Copilot, Cline, Gemini CLI, as well as OpenClaw, ZeroClaw, and NanoClaw.
In cloning repository scenarios, the end-to-end attack succeeded in 20–65% of runs, depending on the application, model, and type of payload. For example, the study reported 65% for Windsurf with SWE-1.5, 45% for Cline, 35% for Copilot Chat, 30% for Cursor CLI, and 20–25% for various scenarios with Cursor.
OpenClaw had even higher results. With Sonnet 4.6, the system achieved 100% success in both invoking built-in tools and remote code execution. With Opus 4.6, the success rate was 80% in both scenarios. With GPT-5.4 Codex, tool invocation succeeded in 10 out of 10 runs, while RCE succeeded in 4 out of 10.
Source: arXiv.Why Web Search Helps but Doesn’t Solve the Problem
One of the main protective factors was web search before cloning or installing a resource. When Cursor CLI performed a search before cloning, 93.4% of results were correct. Without search, 99.1% of slugs were hallucinated.
The phrasing of the prompt also significantly affected the outcome. No type of prompt proved universally safe; in every category, at least one model had a hallucination rate above 50%.
Skill Squatting: Attacks via Skills
A separate section of the study focused on ClawHub—a marketplace for skills for OpenClaw and compatible assistants. The researchers identified two classes of vulnerabilities:
- Removing a word from the title;
- Discrepancy between the human-readable skill name and its actual slug.
In one experiment, OpenClaw with Sonnet 4.6 was tested on 14 skills. Out of 140 runs, 127 (90.7%) led to an identifier that could be registered by an attacker. Only 13 runs returned the canonical slug.
In another experiment, the authors tested the portability of the attack across OpenClaw, ZeroClaw, and NanoClaw. Out of 90 runs, 85 (94.4%) ended negatively. After installing a spoofed skill, the results were even harsher. An experiment with exfiltrating context achieved 100% success: every combination of assistant and model delivered the payload in all 10 runs. A scenario where a compromised device connects to the attacker’s server and grants access to the command line succeeded in 88% of cases.
Source: arXiv.Recommendations from the Authors and Vendor Responses
The researchers reported their findings to application developers, model providers, and platforms. For AI applications, they suggested verifying the source before any external resource is loaded—whether cloning a repository, installing a skill, container, or model. The agent should first perform a search and only then pass the address to the built-in tool.
For platforms like GitHub and ClawHub, the authors recommended preemptively reserving names that models frequently invent, limiting dangerous reuse of popular names, and checking user content for malicious instructions for AI.
GitHub responded that the described scenario does not represent a vulnerability of the platform. According to the company’s position, creating repositories under free names is expected behavior for GitHub, and the attack arises from LLM hallucinations and actions of agents that trust the content of third-party repositories.
Representatives from Cursor stated that the program prevents prompt injection, including situations where users are asked to clone an untrusted repository. OpenAI clarified that issues related to the content of prompts and model responses do not fall under the Security and Safety Bug Bounty unless they have a separate verifiable impact on the company’s services.
Anthropic did not recognize this as a vulnerability, categorizing the scenario as attacks via dependency name capture, which are excluded from its bug bounty. Google stated that they forwarded the information to the responsible product team for evaluation.
It is worth noting that in November 2025, Google specialists concluded that several new families of malware use large language models for hacking attacks.
In May 2026, the authors of the Google Threat Intelligence Group reported a rise in AI's popularity among cybercriminals. The division first identified a hacker using a zero-day exploit developed with the help of artificial intelligence, who planned to use it for a mass attack, but the corporation's experts managed to avert the threat.
