{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,8]],"date-time":"2025-10-08T22:20:46Z","timestamp":1759962046080,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":43,"publisher":"ACM","license":[{"start":{"date-parts":[[2025,4,22]],"date-time":"2025-04-22T00:00:00Z","timestamp":1745280000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,4,28]]},"DOI":"10.1145\/3696410.3714755","type":"proceedings-article","created":{"date-parts":[[2025,4,22]],"date-time":"2025-04-22T22:47:11Z","timestamp":1745362031000},"page":"3831-3839","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Understanding and Detecting File Knowledge Leakage in GPT App Ecosystem"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4855-1912","authenticated-orcid":false,"given":"Chuan","family":"Yan","sequence":"first","affiliation":[{"name":"University of Queensland, Brisbane, QLD, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-1414-8523","authenticated-orcid":false,"given":"Bowei","family":"Guan","sequence":"additional","affiliation":[{"name":"University of Queensland, Brisbane, QLD, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-4186-5863","authenticated-orcid":false,"given":"Yazhi","family":"Li","sequence":"additional","affiliation":[{"name":"University of Queensland, Brisbane, QLD, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1039-2151","authenticated-orcid":false,"given":"Mark Huasong","family":"Meng","sequence":"additional","affiliation":[{"name":"Technical University of Munich, Munich, 
Germany"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-7090-1493","authenticated-orcid":false,"given":"Liuhuo","family":"Wan","sequence":"additional","affiliation":[{"name":"University of Queensland, Brisbane, QLD, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6390-9890","authenticated-orcid":false,"given":"Guangdong","family":"Bai","sequence":"additional","affiliation":[{"name":"University of Queensland, Brisbane, QLD, Australia"}]}],"member":"320","published-online":{"date-parts":[[2025,4,22]]},"reference":[{"doi-asserted-by":"publisher","unstructured":"2025. Understanding and Detecting File Knowledge Leakage in GPT App Ecosystem (GPTs-Filtor Source Code). https:\/\/doi.org\/10.5281\/zenodo.14824017","key":"e_1_3_2_1_1_1","DOI":"10.5281\/zenodo.14824017"},{"key":"e_1_3_2_1_2_1","volume-title":"Automatic Pseudo-Harmful Prompt Generation for Evaluating False Refusals in Large Language Models. In First Conference on Language Modeling. https:\/\/openreview.net\/forum?id=ljFgX6A8NL","author":"An Bang","year":"2024","unstructured":"Bang An, Sicheng Zhu, Ruiyi Zhang, Michael-Andrei Panaitescu-Liess, Yuancheng Xu, and Furong Huang. 2024. Automatic Pseudo-Harmful Prompt Generation for Evaluating False Refusals in Large Language Models. In First Conference on Language Modeling. https:\/\/openreview.net\/forum?id=ljFgX6A8NL"},{"unstructured":"Apple. 2024. Introduction to AppleScript Language Guide. https:\/\/developer.apple.com\/library\/archive\/documentation\/AppleScript\/Conceptual\/AppleScriptLangGuide\/introduction\/ASLR_intro.html","key":"e_1_3_2_1_3_1"},{"doi-asserted-by":"crossref","unstructured":"Hannah Bast Bj\u00f6rn Buchhold Elmar Haussmann et al. 2016. Semantic search on text and knowledge bases. Foundations and Trends\u00ae in Information Retrieval 10 2--3 (2016) 119--271.","key":"e_1_3_2_1_4_1","DOI":"10.1561\/1500000032"},{"doi-asserted-by":"crossref","unstructured":"Roman Capellini Frank Atienza and Melanie Sconfield. 2024. 
Knowledge Accuracy and Reducing Hallucinations in LLMs via Dynamic Domain Knowledge Injection. (2024).","key":"e_1_3_2_1_5_1","DOI":"10.21203\/rs.3.rs-4540506\/v1"},{"key":"e_1_3_2_1_6_1","volume-title":"Knowledge solver: Teaching llms to search for domain knowledge from knowledge graphs. arXiv preprint arXiv:2309.03118","author":"Feng Chao","year":"2023","unstructured":"Chao Feng, Xinyu Zhang, and Zichu Fei. 2023. Knowledge solver: Teaching llms to search for domain knowledge from knowledge graphs. arXiv preprint arXiv:2309.03118 (2023)."},{"unstructured":"Torbj\u00f8rn Flensted. 2024. SEO.AI website. https:\/\/seo.ai\/blog\/gpts-statistics","key":"e_1_3_2_1_7_1"},{"unstructured":"Google. 2024. Puppeteer website. https:\/\/pptr.dev\/","key":"e_1_3_2_1_8_1"},{"unstructured":"GPTsApp.io. 2024. GPTsApp.io website. https:\/\/gptsapp.io\/","key":"e_1_3_2_1_9_1"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_10_1","DOI":"10.1145\/3605764.3623985"},{"key":"e_1_3_2_1_11_1","volume-title":"On the (In) Security of LLM App Stores. arXiv preprint arXiv:2407.08422","author":"Hou Xinyi","year":"2024","unstructured":"Xinyi Hou, Yanjie Zhao, and Haoyu Wang. 2024. On the (In) Security of LLM App Stores. arXiv preprint arXiv:2407.08422 (2024)."},{"unstructured":"Jason Huggins. 2024. Selenium website. https:\/\/www.selenium.dev\/","key":"e_1_3_2_1_12_1"},{"key":"e_1_3_2_1_13_1","volume-title":"LLM Platform Security: Applying a Systematic Evaluation Framework to OpenAI's ChatGPT Plugins. arXiv preprint arXiv:2309.10254","author":"Iqbal Umar","year":"2023","unstructured":"Umar Iqbal, Tadayoshi Kohno, and Franziska Roesner. 2023. LLM Platform Security: Applying a Systematic Evaluation Framework to OpenAI's ChatGPT Plugins. arXiv preprint arXiv:2309.10254 (2023)."},{"unstructured":"AI & Airyland & Joanne. 2023. GPTs Hunter website. 
https:\/\/www.gptshunter.com\/","key":"e_1_3_2_1_14_1"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_15_1","DOI":"10.1109\/ICHMS59971.2024.10555871"},{"unstructured":"Yi Liu Gelei Deng Yuekang Li Kailong Wang Zihao Wang Xiaofeng Wang Tianwei Zhang Yepang Liu Haoyu Wang Yan Zheng et al. 2023. Prompt Injection attack against LLM-integrated Applications. arXiv preprint arXiv:2306.05499 (2023).","key":"e_1_3_2_1_16_1"},{"key":"e_1_3_2_1_17_1","volume-title":"33rd USENIX Security Symposium (USENIX Security 24)","author":"Liu Yupei","year":"2024","unstructured":"Yupei Liu, Yuqi Jia, Runpeng Geng, Jinyuan Jia, and Neil Zhenqiang Gong. 2024. Formalizing and benchmarking prompt injection attacks and defenses. In 33rd USENIX Security Symposium (USENIX Security 24). 1831--1847."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_18_1","DOI":"10.1609\/aaai.v35i17.17745"},{"key":"e_1_3_2_1_19_1","volume-title":"Adversarial NLI: A new benchmark for natural language understanding. arXiv preprint arXiv:1910.14599","author":"Nie Yixin","year":"2019","unstructured":"Yixin Nie, Adina Williams, Emily Dinan, Mohit Bansal, Jason Weston, and Douwe Kiela. 2019. Adversarial NLI: A new benchmark for natural language understanding. arXiv preprint arXiv:1910.14599 (2019)."},{"unstructured":"OpenAI. 2023. OpenAI official website. https:\/\/openai.com\/","key":"e_1_3_2_1_20_1"},{"unstructured":"OpenAI. 2024. ChatGPT: Verify that you are human. https:\/\/community.openai.com\/t\/verify-that-you-are-human-stop-it\/857988","key":"e_1_3_2_1_21_1"},{"unstructured":"OpenAI. 2024. DALLE3 website. https:\/\/openai.com\/index\/dall-e-3\/","key":"e_1_3_2_1_22_1"},{"unstructured":"OpenAI. 2024. File formats supported by file knowledge. https:\/\/platform.openai.com\/docs\/assistants\/tools\/file-search","key":"e_1_3_2_1_23_1"},{"unstructured":"OpenAI. 2024. Introducing GPTs. https:\/\/openai.com\/index\/introducing-gpts\/","key":"e_1_3_2_1_24_1"},{"unstructured":"OpenAI. 2024. Introducing the GPT Store. 
https:\/\/openai.com\/index\/introducingthe-gpt-store\/","key":"e_1_3_2_1_25_1"},{"unstructured":"OpenAI. 2024. Knowledge in GPTs. https:\/\/help.openai.com\/en\/articles\/8843948-knowledge-in-gpts","key":"e_1_3_2_1_26_1"},{"unstructured":"OpenAI. 2024. Understanding the 40 Messages in 3 Hours Limit on Chat-GPT. https:\/\/community.openai.com\/t\/understanding-the-40-messages-in-3-hours-limit-on-chatgpt\/563128","key":"e_1_3_2_1_27_1"},{"key":"e_1_3_2_1_28_1","volume-title":"From prompt injections to sql injection attacks: How protected is your llm-integrated web application? arXiv preprint arXiv:2308.01990","author":"Pedro Rodrigo","year":"2023","unstructured":"Rodrigo Pedro, Daniel Castro, Paulo Carreira, and Nuno Santos. 2023. From prompt injections to sql injection attacks: How protected is your llm-integrated web application? arXiv preprint arXiv:2308.01990 (2023)."},{"key":"e_1_3_2_1_29_1","volume-title":"Llm self defense: By self examination, llms know they are being tricked. arXiv preprint arXiv:2308.07308","author":"Phute Mansi","year":"2023","unstructured":"Mansi Phute, Alec Helbling, Matthew Hull, ShengYun Peng, Sebastian Szyller, Cory Cornelius, and Duen Horng Chau. 2023. Llm self defense: By self examination, llms know they are being tricked. arXiv preprint arXiv:2308.07308 (2023)."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_30_1","DOI":"10.1007\/978-3-031-70879-4_6"},{"key":"e_1_3_2_1_31_1","volume-title":"Optimization-based Prompt Injection Attack to LLM-as-a-Judge. arXiv preprint arXiv:2403.17710","author":"Shi Jiawen","year":"2024","unstructured":"Jiawen Shi, Zenghui Yuan, Yinuo Liu, Yue Huang, Pan Zhou, Lichao Sun, and Neil Zhenqiang Gong. 2024. Optimization-based Prompt Injection Attack to LLM-as-a-Judge. arXiv preprint arXiv:2403.17710 (2024)."},{"unstructured":"Shubham Singh. 2024. ChatGPT Statistics (OCT. 2024) -- 200 Million Active Users. 
https:\/\/www.demandsage.com\/chatgpt-statistics\/#: :text=ChatGPT%20has%20over%20200%20million%20weekly%20active%20users 92%25%20of%20Fortune%20500%20companies%20are%20using%20ChatGPT.","key":"e_1_3_2_1_32_1"},{"key":"e_1_3_2_1_33_1","volume-title":"Attention is all you need. Advances in neural information processing systems 30","author":"Vaswani Ashish","year":"2017","unstructured":"Ashish Vaswani, Noam Shazeer, Niki Parmar, Jakob Uszkoreit, Llion Jones, Aidan N Gomez, Lukasz Kaiser, and Illia Polosukhin. 2017. Attention is all you need. Advances in neural information processing systems 30 (2017)."},{"unstructured":"Karl von Randow. 2024. Charles proxy official website. https:\/\/www.charlesproxy.com\/","key":"e_1_3_2_1_34_1"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_35_1","DOI":"10.1145\/3589334.3645721"},{"key":"e_1_3_2_1_36_1","volume-title":"CoreLocker: Neuron-level Usage Control. In 2024 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 2497--2514","author":"Ma Zhongkui","year":"2024","unstructured":"Zihan Wang, Zhongkui Ma, Xinguo Feng, Ruoxi Sun, Hu Wang, Minhui Xue, and Guangdong Bai. 2024. CoreLocker: Neuron-level Usage Control. In 2024 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 2497--2514."},{"key":"e_1_3_2_1_37_1","volume-title":"Jailbreaking gpt-4v via self-adversarial attacks with system prompts. arXiv preprint arXiv:2311.09127","author":"Wu Yuanwei","year":"2023","unstructured":"Yuanwei Wu, Xiang Li, Yixin Liu, Pan Zhou, and Lichao Sun. 2023. Jailbreaking gpt-4v via self-adversarial attacks with system prompts. arXiv preprint arXiv:2311.09127 (2023)."},{"key":"e_1_3_2_1_38_1","volume-title":"An LLM can Fool Itself: A Prompt-Based Adversarial Attack. arXiv preprint arXiv:2310.13345","author":"Xu Xilie","year":"2023","unstructured":"Xilie Xu, Keyi Kong, Ning Liu, Lizhen Cui, Di Wang, Jingfeng Zhang, and Mohan Kankanhalli. 2023. An LLM can Fool Itself: A Prompt-Based Adversarial Attack. 
arXiv preprint arXiv:2310.13345 (2023)."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_39_1","DOI":"10.1145\/3660826"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_40_1","DOI":"10.1145\/3691620.3695510"},{"key":"e_1_3_2_1_41_1","volume-title":"Assessing prompt injection risks in 200 custom gpts. arXiv preprint arXiv:2311.11538","author":"Yu Jiahao","year":"2023","unstructured":"Jiahao Yu, Yuhang Wu, Dong Shu, Mingyu Jin, and Xinyu Xing. 2023. Assessing prompt injection risks in 200 custom gpts. arXiv preprint arXiv:2311.11538 (2023)."},{"key":"e_1_3_2_1_42_1","volume-title":"Knowledgeable preference alignment for llms in domain-specific question answering. arXiv preprint arXiv:2311.06503","author":"Zhang Yichi","year":"2023","unstructured":"Yichi Zhang, Zhuo Chen, Yin Fang, Lei Cheng, Yanxi Lu, Fangming Li, Wen Zhang, and Huajun Chen. 2023. Knowledgeable preference alignment for llms in domain-specific question answering. arXiv preprint arXiv:2311.06503 (2023)."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_43_1","DOI":"10.1007\/s11280-024-01297-w"}],"event":{"sponsor":["SIGWEB ACM Special Interest Group on Hypertext, Hypermedia, and Web"],"acronym":"WWW '25","name":"WWW '25: The ACM Web Conference 2025","location":"Sydney NSW Australia"},"container-title":["Proceedings of the ACM on Web Conference 
2025"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696410.3714755","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3696410.3714755","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:41Z","timestamp":1750295921000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696410.3714755"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,4,22]]},"references-count":43,"alternative-id":["10.1145\/3696410.3714755","10.1145\/3696410"],"URL":"https:\/\/doi.org\/10.1145\/3696410.3714755","relation":{},"subject":[],"published":{"date-parts":[[2025,4,22]]},"assertion":[{"value":"2025-04-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}