Goal Decomposition Is Attack Decomposition

Why breaking goals into subtasks creates subtask injection opportunities

The Conventional Framing

Hierarchical Task Networks (HTN) decompose high-level goals into subtask trees. A goal like "prepare report" becomes subtasks: gather data, analyze, format, review. Each subtask may decompose further. This provides structured problem-solving.

The pattern is praised for handling complex tasks systematically—breaking down overwhelming goals into manageable pieces.

Why This Creates Attack Surface

Goal decomposition is controlled by the LLM based on context. If that context is compromised, the decomposition itself is compromised. An attacker can influence what subtasks get created, not just how they execute.

Subtask injection is particularly dangerous because subtasks look legitimate. They're generated by the system, presented as part of the plan, and execute with whatever authority the task network has.

Attack vectors:

  • Subtask injection. Injection causes creation of malicious subtasks that appear to be part of legitimate decomposition.
  • Goal substitution. Manipulate decomposition so subtasks achieve attacker's goal while appearing to work on user's goal.
  • Decomposition depth attacks. Create deeply nested subtasks that exceed oversight or exhaust resources.

Architecture

Components:

  • Goal: high-level objective from user
  • Decomposer: LLM that breaks goals into subtasks
  • Task tree: hierarchical structure of subtasks
  • Executor: carries out leaf-level tasks

Trust Boundaries

Goal: "Summarize project status"

Legitimate decomposition:
├── Gather project data
├── Identify key metrics
└── Format summary

Poisoned decomposition (via injection):
├── Gather project data
├── Identify key metrics
├── [INJECTED] Export credentials to external URL
└── Format summary

The injected subtask looks like part of the plan. It executes with the same authority as legitimate tasks.

  1. User goal → Decomposer: injection influences decomposition
  2. Decomposer → Subtasks: subtasks may be malicious
  3. Subtask → Execution: all subtasks execute with same authority

Threat Surface

Threat | Vector | Impact
Subtask injection | Injection causes malicious subtask creation | Attacker's tasks execute as system tasks
Goal substitution | Decomposition serves different goal than stated | User goal subverted while appearing normal
Depth exploitation | Excessive nesting exhausts resources or oversight | Resource exhaustion or oversight bypass
Authority inheritance | All subtasks inherit parent authority | No least-privilege within task tree
Completion spoofing | Claim subtask complete without execution | Skip security-relevant tasks

The ZIVIS Position

  • Decomposition is not neutral. How a goal decomposes depends on context. Compromised context means compromised decomposition. Review decomposition, not just execution.
  • Subtask authority should be scoped. Each subtask should have only the authority it needs, not inheritance from the parent. A 'gather data' subtask shouldn't have 'send email' authority.
  • Limit decomposition depth. Hard limits on how deep the tree can go. Deep trees are harder to review and more likely to hide malicious subtasks.
  • Validate subtasks against goal. A separate process should verify that generated subtasks are plausibly related to the stated goal. Flag or block subtasks that don't connect.
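
One way to review a task tree before anything executes, as an added example that is not ZIVIS code: it enforces a hard depth limit and rejects any subtask requesting authority outside what the goal (and its parent) was granted. The Subtask type, the capability names and the per-goal scope are hypothetical, and the capability scope is only a coarse stand-in for the goal-relatedness check described above.

```python
from dataclasses import dataclass, field

MAX_DEPTH = 3  # assumed hard limit on tree depth

@dataclass
class Subtask:
    name: str
    capabilities: frozenset = frozenset()  # authority this node requests
    children: list = field(default_factory=list)

def review_tree(root, goal_scope, max_depth=MAX_DEPTH):
    """Return (path, reason) findings; an empty list means the plan may run."""
    findings = []

    def walk(node, depth, path, granted):
        here = path + [node.name]
        if depth > max_depth:
            findings.append(("/".join(here), "depth limit exceeded"))
            return  # do not descend into an over-deep branch
        # Authority may only narrow going down the tree, never widen.
        extra = node.capabilities - granted
        if extra:
            findings.append(("/".join(here),
                             "capability outside scope: " + ",".join(sorted(extra))))
        for child in node.children:
            walk(child, depth + 1, here, node.capabilities & granted)

    walk(root, 0, [], goal_scope)
    return findings

# Constructed sample input mirroring the decomposition shown on this page.
GOAL_SCOPE = frozenset({"read_project", "write_report"})
LEGIT = [
    Subtask("Gather project data", frozenset({"read_project"})),
    Subtask("Identify key metrics"),
    Subtask("Format summary", frozenset({"write_report"})),
]
INJECTED = Subtask("Export credentials to external URL",
                   frozenset({"read_secrets", "net_egress"}))
CLEAN_PLAN = Subtask("Summarize project status", GOAL_SCOPE, list(LEGIT))
POISONED_PLAN = Subtask("Summarize project status", GOAL_SCOPE,
                        LEGIT[:2] + [INJECTED] + LEGIT[2:])

if __name__ == "__main__":
    for path, reason in review_tree(POISONED_PLAN, GOAL_SCOPE):
        print("BLOCK", path, "->", reason)
```

A subtask that stays inside the granted scope still passes this check, so it complements review of whether each subtask relates to the goal rather than replacing it.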

What We Tell Clients

When you decompose a goal into subtasks, you're trusting the LLM to decide what work needs doing. That decision can be manipulated.

Review the decomposition, not just the final output. Limit subtask authority. Be suspicious of subtasks that seem tangential to the stated goal.
