{"id":44134014,"url":"https://github.com/AI45Lab/AgentDoG","last_synced_at":"2026-02-20T21:01:05.423Z","repository":{"id":334834448,"uuid":"1130207504","full_name":"AI45Lab/AgentDoG","owner":"AI45Lab","description":"A Diagnostic Guardrail Framework for AI Agent Safety and Security","archived":false,"fork":false,"pushed_at":"2026-02-04T15:50:49.000Z","size":12542,"stargazers_count":315,"open_issues_count":0,"forks_count":9,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-02-05T03:26:40.489Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AI45Lab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-08T07:20:13.000Z","updated_at":"2026-02-05T01:43:36.000Z","dependencies_parsed_at":null,"dependency_job_id":"9adc3748-2605-4138-8ee2-0d6b551be092","html_url":"https://github.com/AI45Lab/AgentDoG","commit_stats":null,"previous_names":["ai45lab/agentdog"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/AI45Lab/AgentDoG","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AI45Lab%2FAgentDoG","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AI45Lab%2FAgentDoG/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AI45Lab%2FAgentDoG/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AI45Lab%2FAgentDoG/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AI45Lab","download_url":"https://codeload.github.com/AI45Lab/AgentDoG/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AI45Lab%2FAgentDoG/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29664401,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-20T19:49:36.704Z","status":"ssl_error","status_checked_at":"2026-02-20T19:44:05.372Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-08T23:00:17.391Z","updated_at":"2026-02-20T21:01:05.395Z","avatar_url":"https://github.com/AI45Lab.png","language":"Python","funding_links":[],"categories":["Benchmarks \u0026 Evaluations","Agent Safety and Guardrails"],"sub_categories":["AI-Assisted Offensive Security"],"readme":"\u003cp align=\"center\"\u003e\n \u003cimg src=\"figures/welcome.png\" width=\"80%\" alt=\"AgentDoG Welcome\"/\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n πŸ€— \u003ca href=\"https://huggingface.co/collections/AI45Research/agentdog\"\u003e\u003cb\u003eHugging Face\u003c/b\u003e\u003c/a\u003e\u0026nbsp\u0026nbsp | \u0026nbsp\u0026nbsp\n πŸ€– \u003ca href=\"https://www.modelscope.cn/collections/Shanghai_AI_Laboratory/AgentDoG\"\u003eModelScope\u003c/a\u003e\u0026nbsp\u0026nbsp | \u0026nbsp\u0026nbsp\n πŸ“„ \u003ca href=\"https://arxiv.org/pdf/2601.18491\"\u003eTechnical Report\u003c/a\u003e\u0026nbsp\u0026nbsp | \u0026nbsp\u0026nbsp\n 🌐 \u003ca href=\"https://ai45lab.github.io/AgentDoG/\"\u003eProject Page\u003c/a\u003e\u0026nbsp\u0026nbsp | \u0026nbsp\u0026nbsp\n πŸ“˜ \u003ca href=\"https://example.com/AgentDoG-docs\"\u003eDocumentation\u003c/a\u003e\n\u003c/p\u003e\n\nVisit our Hugging Face or ModelScope organization (click links above), search checkpoints with names starting with `AgentDoG-`, and you will find all you need! Enjoy!\n\n# AgentDoG\n\n\n## Introduction\n\n**AgentDoG** is a risk-aware evaluation and guarding framework for autonomous agents. It focuses on *trajectory-level risk assessment*, aiming to determine whether an agent’s execution trajectory contains safety risks under diverse application scenarios. Unlike single-step content moderation or final-output filtering, AgentDoG analyzes the full execution trace of tool-using agents to detect risks that emerge mid-trajectory.\n\n- 🧭 **Trajectory-Level Monitoring:** evaluates multi-step agent executions spanning observations, reasoning, and actions.\n- 🧩 **Taxonomy-Guided Diagnosis:** provides fine-grained risk labels (risk source, failure mode, and real-world harm) to explain why unsafe behavior occurs. More crucially, AgentDoG diagnoses the root cause of a specific action, tracing it to specific planning steps or tool selections.\n- πŸ›‘οΈ **Flexible Use Cases:** can serve as a benchmark, a risk classifier for trajectories, or a guard module in agent systems.\n- πŸ₯‡ **State-of-the-Art Performance:** Outperforms existing approaches on R-Judge, ASSE-Safety, and ATBench.\n\u003cp align=\"center\"\u003e\n \u003cimg src=\"figures/binary_performance.png\" width=\"95%\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n \u003cimg src=\"figures/fined_performance.png\" width=\"95%\"\u003e\n\u003c/p\u003e\n\n---\n\n## Basic Information\n\n| Name | Parameters | BaseModel | Download |\n|------|------------|-----------|----------|\n| AgentDoG-Qwen3-4B | 4B | Qwen3-4B-Instruct-2507 | πŸ€— [Hugging Face](https://huggingface.co/AI45Research/AgentDoG-Qwen3-4B) |\n| AgentDoG-Qwen2.5-7B | 7B | Qwen2.5-7B-Instruct | πŸ€— [Hugging Face](https://huggingface.co/AI45Research/AgentDoG-Qwen2.5-7B) |\n| AgentDoG-Llama3.1-8B | 8B | Llama3.1-8B-Instruct | πŸ€— [Hugging Face](https://huggingface.co/AI45Research/AgentDoG-Llama3.1-8B) |\n| AgentDoG-FG-Qwen3-4B | 4B | Qwen3-4B-Instruct-2507 | πŸ€— [Hugging Face](https://huggingface.co/AI45Research/AgentDoG-FG-Qwen3-4B) |\n| AgentDoG-FG-Qwen2.5-7B | 7B | Qwen2.5-7B-Instruct | πŸ€— [Hugging Face](https://huggingface.co/AI45Research/AgentDoG-FG-Qwen2.5-7B) |\n| AgentDoG-FG-Llama3.1-8B | 8B | Llama3.1-8B-Instruct | πŸ€— [Hugging Face](https://huggingface.co/AI45Research/AgentDoG-FG-Llama3.1-8B) |\n\nFor more details, please refer to [Technical Report](https://arxiv.org/pdf/2601.18491).\n\n---\n\n## πŸ“š Dataset: ATBench\n\nWe release **ATBench (Agent Trajectory Safety and Security Benchmark)** for trajectory-level safety evaluation and fine-grained risk diagnosis.\n\n- **Download**: πŸ€— [Hugging Face Datasets](https://huggingface.co/datasets/AI45Research/ATBench)\n- **Scale**: 500 trajectories (250 safe / 250 unsafe), ~8.97 turns per trajectory (~4486 turn interactions)\n- **Tools**: 1575 unique tools appearing in trajectories; an independent unseen-tools library with 2292 tool definitions (no overlap with training tools)\n- **Labels**: binary `safe`/`unsafe`; unsafe trajectories additionally include fine-grained labels (Risk Source, Failure Mode, Real-World Harm)\n\n---\n\n## ✨ Safety Taxonomy\nWe adopt a unified, three-dimensional safety taxonomy for agentic systems. It organizes risks along three orthogonal axes, answering: why a risk arises (risk source), how it manifests in behavior (failure mode), and what harm it causes (real-world harm).\n\n* **Risk Source**: where the threat originates in the agent loop, e.g., user inputs, environmental observations,\n external tools/APIs, or the agent's internal reasoning.\n* **Failure Mode**: how the unsafe behavior is realized, such as flawed planning, unsafe tool usage,\n instruction-priority confusion, or unsafe content generation.\n* **Real-World Harm**: the real-world impact, including privacy leakage, financial loss, physical harm,\n security compromise, or broader societal/psychological harms.\n\nIn the current release, the taxonomy includes 8 risk-source categories, 14 failure modes, and 10 real-world harm categories, and is used for fine-grained labeling during training and evaluation.\n\n---\n\n## 🧠 Methodology\n\n### Task Definition\n\n\u003cp align=\"center\"\u003e\n \u003cimg src=\"figures/agentdog_prompt_coarsegrained.png\" width=\"49%\" alt=\"Trajectory-level safety evaluation prompt\"/\u003e\n \u003cimg src=\"figures/agentdog_prompt_finegrained.png\" width=\"49%\" alt=\"Fine-grained risk diagnosis prompt\"/\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\u003cem\u003eFigure: Example task instructions for the two AgentDoG classification tasks (trajectory-level evaluation and fine-grained diagnosis).\u003c/em\u003e\u003c/p\u003e\n\nPrior works (e.g., LlamaGuard, Qwen3Guard) formulate safety moderation as classifying whether the **final output** in a multi-turn chat is safe. In contrast, **AgentDoG** defines a different task: **diagnosing an entire agent trajectory** to determine whether the agent exhibits any unsafe behavior at **any point** during execution.\n\nConcretely, we consider two tasks:\n\n- **Trajectory-level safety evaluation (binary).** Given an agent trajectory (a sequence of steps, each step containing an action and an observation), predict `safe`/`unsafe`. A trajectory is labeled `unsafe` if **any** step exhibits unsafe behavior; otherwise it is `safe`.\n- **Fine-grained risk diagnosis.** Given an `unsafe` trajectory, additionally predict the tuple (**Risk Source**, **Failure Mode**, **Real-World Harm**).\n\n**Prompting.** Trajectory-level evaluation uses (i) task definition, (ii) agent trajectory, and (iii) output format. Fine-grained diagnosis additionally includes the safety taxonomy for reference and asks the model to output the three labels line by line.\n\n| Task | Prompt Components |\n|------|-------------------|\n| **Trajectory-level safety evaluation** | Task Definition + Agent Trajectory + Output Format |\n| **Fine-grained risk diagnosis** | Task Definition + Safety Taxonomy + Agent Trajectory + Output Format |\n\n### Data Synthesis and Collection\n\nWe use a **taxonomy-guided** synthesis pipeline to generate realistic, multi-step agent trajectories. Each trajectory is conditioned on a sampled risk tuple (risk source, failure mode, real-world harm), then expanded into a coherent tool-augmented execution and filtered by quality checks.\n\n\u003cp align=\"center\"\u003e\n \u003cimg src=\"figures/data_synthesis_main.png\" width=\"95%\" alt=\"Data Synthesis Pipeline\"/\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\u003cem\u003eFigure: Three-stage pipeline for multi-step agent safety trajectory synthesis.\u003c/em\u003e\u003c/p\u003e\n\nTo reflect realistic agent tool use, our tool library is orders of magnitude larger than prior benchmarks. For example, it is about 86x, 55x, and 41x larger than R-Judge, ASSE-Safety, and ASSE-Security, respectively.\n\n\u003cp align=\"center\"\u003e\n \u003cimg src=\"figures/tool_comparison.png\" width=\"90%\" alt=\"Tool library size comparison\"/\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\u003cem\u003eFigure: Tool library size compared to existing agent safety benchmarks.\u003c/em\u003e\u003c/p\u003e\n\nWe also track the coverage of the three taxonomy dimensions (risk source, failure mode, and harm type) to ensure balanced and diverse risk distributions in our synthesized data.\n\n\u003cp align=\"center\"\u003e\n \u003cimg src=\"figures/distribution_comparison.png\" width=\"90%\" alt=\"Taxonomy distribution comparison\"/\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\u003cem\u003eFigure: Distribution over risk source, failure mode, and harm type categories.\u003c/em\u003e\u003c/p\u003e\n\n### Training\n\nOur guard models are trained with standard **supervised fine-tuning (SFT)** on trajectory demonstrations. Given a training set $\\mathcal{D}_{\\mathrm{train}}=\\lbrace(x_i, y_i)\\rbrace _{i=1}^n$, where $x_i$ is an agent trajectory and $y_i$ is the target output (binary `safe`/`unsafe`, and optionally fine-grained labels), we minimize the negative log-likelihood:\n\n$$\\mathcal{L}=-\\sum_{(x_i,y_i)\\in\\mathcal{D}_{\\text{train}}}\\log p_{\\theta}(y_i\\mid x_i).$$\n\nWe fine-tuned multiple base models: **Qwen3-4B-Instruct-2507**, **Qwen2.5-7B-Instruct**, and **Llama3.1-8B-Instruct**.\n\n---\n\n## πŸ“Š Performance Highlights\n\n* Evaluated on **R-Judge**, **ASSE-Safety**, and **ATBench**\n* Outperforms step-level baselines in detecting:\n\n * Long-horizon instruction hijacking\n * Tool misuse after benign prefixes\n* Strong generalization across:\n\n * Different agent frameworks\n * Different LLM backbones\n* Fine-grained label accuracy on ATBench (best of our FG models): Risk Source 82.0%, Failure Mode 32.4%, Harm Type 59.2%\n\nAccuracy comparison (ours + baselines):\n\n| Model | Type | R-Judge | ASSE-Safety | ATBench |\n| ----------------------------- | ------------- | ------- | ----------- | ------ |\n| GPT-5.2 | General | 90.8 | 77.4 | 90.0 |\n| Gemini-3-Flash | General | 95.2 | 75.9 | 75.6 |\n| Gemini-3-Pro | General | 94.3 | 78.5 | 87.2 |\n| QwQ-32B | General | 89.5 | 68.2 | 63.0 |\n| Qwen3-235B-A22B-Instruct | General | 85.1 | 77.6 | 84.6 |\n| LlamaGuard3-8B | Guard | 61.2 | 54.5 | 53.3 |\n| LlamaGuard4-12B | Guard | 63.8 | 56.3 | 58.1 |\n| Qwen3-Guard | Guard | 40.6 | 48.2 | 55.3 |\n| ShieldAgent | Guard | 81.0 | 79.6 | 76.0 |\n| **AgentDoG-4B (Ours)** | Guard | 91.8 | 80.4 | 92.8 |\n| **AgentDoG-7B (Ours)** | Guard | 91.7 | 79.8 | 87.4 |\n| **AgentDoG-8B (Ours)** | Guard | 78.2 | 81.1 | 87.6 |\n\nFine-grained label accuracy on ATBench (unsafe trajectories only):\n\n| Model | Risk Source Acc | Failure Mode Acc | Harm Type Acc |\n| ---------------------------------- | --------------- | ---------------- | ------------- |\n| Gemini-3-Flash | 38.0 | 22.4 | 34.8 |\n| GPT-5.2 | 41.6 | 20.4 | 30.8 |\n| Gemini-3-Pro | 36.8 | 17.6 | 32.0 |\n| Qwen3-235B-A22B-Instruct-2507 | 19.6 | 17.2 | 38.0 |\n| QwQ-32B | 23.2 | 14.4 | 34.8 |\n| **AgentDoG-FG-4B (Ours)** | 82.0 | 32.4 | 58.4 |\n| **AgentDoG-FG-8B (Ours)** | 81.6 | 31.6 | 57.6 |\n| **AgentDoG-FG-7B (Ours)** | 81.2 | 28.8 | 59.2 |\n\n---\n\n## πŸš€ Getting Started\n\n### Deployment (SGLang / vLLM)\n\nFor deployment, you can use `sglang\u003e=0.4.6` or `vllm\u003e=0.10.0` to create an OpenAI-compatible API endpoint:\n\n**SGLang**\n```bash\npython -m sglang.launch_server --model-path AI45Research/AgentDoG-Qwen3-4B --port 30000 --context-length 16384\npython -m sglang.launch_server --model-path AI45Research/AgentDoG-FG-Qwen3-4B --port 30001 --context-length 16384\n```\n\n**vLLM**\n```bash\nvllm serve AI45Research/AgentDoG-Qwen3-4B --port 8000 --max-model-len 16384\nvllm serve AI45Research/AgentDoG-FG-Qwen3-4B --port 8001 --max-model-len 16384\n```\n\n### Examples\n\nRecommended: use prompt templates in `prompts/` and run the example script in `examples/`.\n\n**Binary trajectory moderation**\n```bash\npython examples/run_openai_moderation.py \\\n --base-url http://localhost:8000/v1 \\\n --model AI45Research/AgentDoG-Qwen3-4B \\\n --trajectory examples/trajectory_sample.json \\\n --prompt prompts/trajectory_binary.txt\n```\n\n**Fine-grained risk diagnosis**\n```bash\npython examples/run_openai_moderation.py \\\n --base-url http://localhost:8000/v1 \\\n --model AI45Research/AgentDoG-FG-Qwen3-4B \\\n --trajectory examples/trajectory_sample.json \\\n --prompt prompts/trajectory_finegrained.txt \\\n --taxonomy prompts/taxonomy_finegrained.txt\n```\n\n---\n\n## πŸ” Agentic XAI Attribution\nWe also introduce a novel hierarchical framework for Agentic Attribution, designed to unveil the internal drivers behind agent actions beyond simple failure localization. By decomposing interaction trajectories into pivotal components and fine-grained textual evidence, our approach explains why an agent makes specific decisions regardless of the outcome. This framework enhances the transparency and accountability of autonomous systems by identifying key factors such as memory biases and tool outputs.\n### Case Study\nTo evaluate the effectiveness of the proposed agentic attribution framework, we conducted several case studies across diverse scenarios. The figure illustrates how our framework localizes decision drivers across four representative cases. The highlighted regions denote the historical components and fine-grained sentences identified by our framework as the primary decision drivers.\n\n\n\u003cp align=\"center\"\u003e\n \u003cimg src=\"figures/xai_attribution_agent_dog.png\" width=\"95%\" alt=\"xai attribution agent dog\"/\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\u003cem\u003eFigure: Illustration of attribution results across two representative scenarios.\u003c/em\u003e\u003c/p\u003e\n\n\n\u003cp align=\"center\"\u003e\n \u003cimg src=\"figures/xai_attribution_comparison.png\" width=\"70%\" alt=\"xai attribution comparison\"/\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\u003cem\u003eFigure: Comparative attribution results between AgentDoG and Basemodel.\u003c/em\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n \u003cimg src=\"figures/attribution_marker_v2.gif\" width=\"90%\" alt=\"attribution marker v2\"/\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\u003cem\u003eFigure: Demo of dynamic attribution.\u003c/em\u003e\u003c/p\u003e\n\n### Quick Start for Agentic Attribution\n\nYou can run the analysis in three steps:\n\n#### Step 1: Trajectory-Level Attribution\nAnalyze the contribution of each conversation step.\n```bash\npython component_attri.py \\\n --model_id \"your_model_path\" \\\n --data_dir ./samples \\\n --output_dir ./results\n```\n\n#### Step 2: Sentence-Level Attribution\nPerform fine-grained analysis on the top-K most influential steps.\n```bash\npython sentence_attri.py \\\n --model_id \"your_model_path\" \\\n --traj_file ./samples/xx.json \\\n --attr_file ./results/xx_attr_trajectory.json \\\n --output_file ./results/xx_attr_sentence.json \\\n --top_k 3\n```\n\n#### Step 3: Generate Visualization\nCreate an interactive HTML heatmap.\n```bash\npython case_plot_html.py \\\n --original_traj_file ./samples/xx.json \\\n --traj_attr_file ./results/xx_attr_trajectory.json \\\n --sent_attr_file ./results/xx_attr_sentence.json \\\n --output_file ./results/xx_visualization.html\n```\n\n##### One-Click Execution\nTo run the complete pipeline automatically, configure and run the shell script:\n```bash\nbash run_all_pipeline.sh\n```\n\n\n## πŸ“ Repository Structure\n\n```text\nAgentDoG/\nβ”œβ”€β”€ README.md\nβ”œβ”€β”€ figures/\nβ”œβ”€β”€ prompts/\nβ”‚ β”œβ”€β”€ trajectory_binary.txt\nβ”‚ β”œβ”€β”€ trajectory_finegrained.txt\nβ”‚ └── taxonomy_finegrained.txt\nβ”œβ”€β”€ examples/\nβ”‚ β”œβ”€β”€ run_openai_moderation.py\nβ”‚ └── trajectory_sample.json\nβ”œβ”€β”€ AgenticXAI\nβ”‚ β”œβ”€β”€ case_plot_html.py\nβ”‚ β”œβ”€β”€ component_attri.py\nβ”‚ β”œβ”€β”€ README.md\nβ”‚ β”œβ”€β”€ run_all_pipeline.sh\nβ”‚ β”œβ”€β”€ samples\nβ”‚ β”‚ β”œβ”€β”€ finance.json\nβ”‚ β”‚ β”œβ”€β”€ resume.json\nβ”‚ β”‚ └── transaction.json\nβ”‚ └── sentence_attri.py\n```\n\n---\n\n## πŸ› οΈ Customization\n\n* **Edit prompt templates**: `prompts/trajectory_binary.txt`, `prompts/trajectory_finegrained.txt`\n* **Update taxonomy labels**: `prompts/taxonomy_finegrained.txt`\n* **Change runtime integration**: `examples/run_openai_moderation.py`\n\n---\n\n## πŸ“œ License\n\nThis project is released under the **Apache 2.0 License**.\n\n---\n\n## πŸ“– Citation\n\nIf you use AgentDoG in your research, please cite:\n\n```bibtex\n@misc{liu2026agentdogdiagnosticguardrailframework,\n title={AgentDoG: A Diagnostic Guardrail Framework for AI Agent Safety and Security}, \n author={Dongrui Liu and Qihan Ren and Chen Qian and Shuai Shao and Yuejin Xie and Yu Li and Zhonghao Yang and Haoyu Luo and Peng Wang and Qingyu Liu and Binxin Hu and Ling Tang and Jilin Mei and Dadi Guo and Leitao Yuan and Junyao Yang and Guanxu Chen and Qihao Lin and Yi Yu and Bo Zhang and Jiaxuan Guo and Jie Zhang and Wenqi Shao and Huiqi Deng and Zhiheng Xi and Wenjie Wang and Wenxuan Wang and Wen Shen and Zhikai Chen and Haoyu Xie and Jialing Tao and Juntao Dai and Jiaming Ji and Zhongjie Ba and Linfeng Zhang and Yong Liu and Quanshi Zhang and Lei Zhu and Zhihua Wei and Hui Xue and Chaochao Lu and Jing Shao and Xia Hu},\n year={2026},\n journal={arXiv preprint arXiv:2601.18491} \n}\n\n@misc{qian2026behind,\n title={The Why Behind the Action: Unveiling Internal Drivers via Agentic Attribution},\n author={Chen Qian and Peng Wang and Dongrui Liu and Junyao Yang and Dadi Guo and Ling Tang and Jilin Mei and Qihan Ren and Shuai Shao and Yong Liu and Jie Fu and Jing Shao and Xia Hu},\n year={2026},\n journal={arXiv preprint arXiv:2601.15075}\n}\n```\n\n---\n\n## 🀝 Acknowledgements\n\nThis project builds upon prior work in agent safety, trajectory evaluation, and risk-aware AI systems.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAI45Lab%2FAgentDoG","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FAI45Lab%2FAgentDoG","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAI45Lab%2FAgentDoG/lists"}