ai

[Paper] Casting a SPELL: Sentence Pairing Exploration for LLM Limitation-breaking

Published: (December 24, 2025 at 10:25 AM EST)
3 min read
Source: arXiv

Source: arXiv - 2512.21236v1

Overview

The paper introduces SPELL, a testing framework that probes how well large language models (LLMs) resist “jailbreak” prompts aimed at generating malicious code. By automatically crafting sophisticated sentence‑pair prompts, the authors show that even state‑of‑the‑art code models can be coaxed into producing harmful scripts, exposing a serious security blind spot for AI‑assisted development tools.

Key Contributions

  • SPELL framework: a systematic, time‑division selection strategy that mixes sentences from a curated knowledge base to create diverse jailbreak prompts.
  • Comprehensive evaluation: attacks tested on three leading code‑generation models (GPT‑4.1, Claude‑3.5, Qwen2.5‑Coder) across eight distinct malicious‑code categories.
  • High success rates: achieved 83.75 % (GPT‑4.1), 19.38 % (Claude‑3.5), and 68.12 % (Qwen2.5‑Coder) in getting the models to output malicious code.
  • Real‑world verification: generated prompts successfully triggered malicious outputs in production AI coding assistants (e.g., Cursor), and detection tools flagged >73 % of those outputs as dangerous.
  • Insightful analysis: identified patterns where LLMs’ security alignment fails, offering concrete data for future safety‑hardening efforts.

Methodology

  1. Knowledge Dataset Construction – The authors assembled a large pool of sentences describing various hacking techniques, exploit payloads, and code‑generation tricks.
  2. Time‑Division Selection – Instead of random sampling, SPELL alternates between two phases:
    • Exploration – picks novel sentence combinations to discover fresh attack vectors.
    • Exploitation – re‑uses previously successful sentence pairs to boost hit‑rate.
  3. Prompt Assembly – Each jailbreak prompt is formed by concatenating two selected sentences (hence “sentence pairing”). The resulting prompt is fed to the target LLM.
  4. Evaluation Pipeline
    • Run the prompt on each code model.
    • Classify the output into one of eight malicious categories (e.g., ransomware, backdoor, data exfiltration).
    • Verify maliciousness with two independent detection tools.
  5. Metrics – Success is measured by (a) the model producing any code in the targeted category, and (b) the detection tools confirming the code as malicious.

Results & Findings

ModelOverall Success RateHighest Category Success
GPT‑4.183.75 %Remote code execution (≈92 %)
Claude‑3.519.38 %Credential‑stealing scripts (≈27 %)
Qwen2.5‑Coder68.12 %Data‑exfiltration utilities (≈74 %)
  • Prompt efficiency – The time‑division strategy reduced the number of required attempts by ~30 % compared with pure random pairing.
  • Cross‑tool consistency – When the same malicious prompts were used in the Cursor IDE, the generated code remained functional and was flagged as dangerous by industry‑standard scanners (e.g., GitHub Advanced Security, Snyk) in >73 % of cases.
  • Model‑specific weaknesses – GPT‑4.1 showed the highest susceptibility, especially when prompts combined “system‑level” and “network‑level” sentence fragments. Claude‑3.5’s lower rate suggests stronger internal guardrails, but it remains vulnerable to well‑crafted pairs.

Practical Implications

  • AI‑assisted IDEs need tighter guardrails – Developers integrating LLM code assistants must treat the model as a potential attack surface; simple keyword filters are insufficient.
  • Security testing pipelines – SPELL can be adopted as a regression test for any new code‑generation model before release, similar to fuzz testing for compilers.
  • Policy & compliance – Organizations deploying LLM‑driven automation should update their risk assessments to include “jailbreak‑induced malicious code” as a threat vector.
  • Tooling for defenders – The sentence‑pairing technique can be repurposed to generate adversarial examples that improve detection models, leading to more robust malicious‑code classifiers.
  • Developer awareness – Even experienced programmers can be tricked into accepting harmful snippets; code review processes must incorporate AI‑output verification steps.

Limitations & Future Work

  • Dataset bias – The knowledge base is manually curated; unseen attack techniques outside this set may behave differently.
  • Model coverage – Only three commercial code models were evaluated; open‑source alternatives and future releases could exhibit distinct behaviors.
  • Detection reliance – Validation depends on existing scanners, which themselves may miss novel payloads.
  • Future directions – The authors plan to expand SPELL with automated knowledge‑base mining (e.g., from security forums), explore multi‑sentence chaining beyond pairs, and integrate reinforcement‑learning‑based defenses that adapt to discovered jailbreak patterns.

Authors

  • Yifan Huang
  • Xiaojun Jia
  • Wenbo Guo
  • Yuqiang Sun
  • Yihao Huang
  • Chong Wang
  • Yang Liu

Paper Information

  • arXiv ID: 2512.21236v1
  • Categories: cs.CR, cs.AI, cs.SE
  • Published: December 24, 2025
  • PDF: Download PDF
Back to Blog

Related posts

Read more »