About Me
I am currently a Research Fellow at Nanyang Technological University (NTU), working with Prof. Tianwei Zhang. I received my Ph.D. from Huazhong University of Science and Technology (HUST).
Research Interests
I study the security and safety of real-world AI agent systems. My interests span the full stack of agent development and deployment, from models' internal safety behavior to the external controls that govern their actions. I organize this agenda around three directions:
Model Alignment
Building a model's internal alignment, so that acting on human intent comes from its own reasoning and training (e.g., agentic RL, OPD).
Agent Oversight
Enforcing external control over an agent through its harness, overseeing its reasoning and actions (e.g., CoT monitoring, sandboxing).
Red Teaming
Finding where agents fail before attackers do, by adversarially stress-testing real-world systems to surface their failure modes before deployment.
News
Selected Publications
† Corresponding author
When Claws Remember but Do Not Tell: Stealthy Memory Injection in Persistent Personal Agents
arXiv 2026
This paper studies stealth memory injection, where a remote black-box adversary can use a single email payload to make persistent personal agents save poisoned memory while keeping the user-facing response quiet. It introduces WhisperBench, a 108-case full-cycle benchmark, and MemGhost, a one-shot payload generation framework for testing how poisoned memory later steers agent behavior.
VideoSEAL: Mitigating Evidence Misalignment in Agentic Long Video Understanding by Decoupling Answer Authority
International Conference on Machine Learning (ICML 2026)
VideoSEAL asks why long-video agents get more accurate without getting more grounded: a reward-hacking failure in multi-turn agentic RL. Under outcome-only GRPO, training-set accuracy improves while evidence-seeking behavior does not, because credit can flow to answer shortcuts rather than exploration actions. We trace this to two pressures: (1) reward pressure during training, where outcome-only rewards encourage the agent to speculate from insufficient evidence rather than reinforce evidence-seeking actions; and (2) prompt pressure at inference, where longer search traces saturate context and push planners toward speculative commitment instead of verification. The fix decouples an exploring planner from a frozen inspector with answer authority and abstention, enabling search-budget scaling and reducing semantic hallucination from 62.1% to 11.3% on LVBench.
Mind Your HEARTBEAT! Claw Background Execution Inherently Enables Silent Memory Pollution
arXiv 2026
This work shows that persistent personal agents like OpenClaw can suffer unintended memory pollution even without prompt injection: both user-attended foreground tasks and unattended background tasks may absorb ordinary external content into persistent memory. Because user-facing conversations and noisy tool-call results share the same session context, such content can lose provenance, be saved into long-term memory even without clear user awareness, and later steer user-facing behavior.
Secure Transfer Learning: Training Clean Model Against Backdoor in Pre-trained Encoder and Downstream Dataset
IEEE Symposium on Security and Privacy (Oakland'25)
This work studies how to train clean models when both pre-trained models and fine-tuning datasets may contain unknown backdoor poisoning.
Transferable Direct Prompt Injection via Activation-Guided MCMC Sampling
Empirical Methods in Natural Language Processing (EMNLP'25 Main)
This work proposes an activation-guided framework to generate transferable prompt injection attacks against LLMs using gradient-free optimization.
Why Does Little Robustness Help? A Further Step Towards Understanding Adversarial Transferability
IEEE Symposium on Security and Privacy (Oakland'24)
This work investigates why mildly robust models generate more transferable adversarial examples than both naturally trained and highly robust models.
Robust Backdoor Detection for Deep Learning via Topological Evolution Dynamics
IEEE Symposium on Security and Privacy (Oakland'24)
This work proposes a backdoor detection method based on topological evolution dynamics that is effective against both traditional and advanced backdoor attacks.
Improving Generalization of Universal Adversarial Perturbation via Dynamic Maximin Optimization
AAAI 2025
This work proposes a dynamic maximin optimization framework to improve the generalization of universal adversarial perturbations across models and samples.
...and more. See my Google Scholar for the full list.
Experience
Ant Group, Security Department
Research Intern
Tencent AI Lab
Algorithm Intern