Learning GenAI via SOTA Papers

EP157: [AgentHeLLM] Protecting drivers from hijacked vehicle AI

The paper, "Agent2Agent Threats in Safety-Critical LLM Assistants: A Human-Centric Taxonomy," explores the emerging security challenges of integrating Large Language Model (LLM)-based agents into vehicles. As these agents interact with external services via protocols like Google’s Agent-to-Agent (A2A), they create "attack surfaces" where malicious payloads can propagate, potentially leading to driver distraction or unauthorized vehicle control.

The authors argue that existing security frameworks (such as OWASP and MAESTRO) are insufficient for safety-critical automotive systems because they often confuse what is being protected (assets) with how it is attacked (attack paths). To bridge this gap, the paper introduces AgentHeLLM (Agent Hazard Exploration for LLM Assistants), a framework built on three primary contributions:

  • Separation of Concerns: It formally distinguishes between assets (the "what") and attack paths (the "how").
  • Human-Centric Asset Taxonomy: Instead of focusing on technical components like "memory" or "tools," the framework defines assets based on ultimate human values and rights, such as Life and Bodily Health, Mental Well-Being, and Privacy.
  • Formal Attack Path Model: This graph-based model differentiates between poison paths (the propagation of malicious data) and trigger paths (the recursive actions required to activate that poison).

Finally, the authors demonstrate the framework's practical use through the AgentHeLLM Attack Path Generator, an open-source tool that automates the discovery of complex, multi-stage threats using a bi-level search strategy. This methodology aims to move automotive AI security from reactive patching to proactive threat anticipation.


Learning GenAI via SOTA Papers, by Yun Wu