Token Bombing in AI Agents

Token bombing occurs when an AI agent enters a runaway API loop, consuming excessive tokens and causing unexpected cost explosions. Unlike simple infinite loops, token bombing specifically refers to the financial impact — each iteration accumulates LLM API charges that can reach thousands of dollars in minutes.

Severity: CRITICAL | LLM04: Model Denial of Service

Unbounded Agent Loop

Vulnerable

```python
# Each iteration calls the LLM - no cost ceiling
while not task.is_complete():
    response = llm.complete(task.prompt)  # $0.03/call
    task.update(response)
    # No max iterations, no token budget
    # 10,000 iterations = $300+
```
Secure

```python
# Bounded with an iteration cap and a token budget
MAX_ITERATIONS = 25
TOKEN_BUDGET = 50_000
tokens_used = 0

for i in range(MAX_ITERATIONS):
    response = llm.complete(task.prompt)
    tokens_used += response.usage.total_tokens
    if tokens_used > TOKEN_BUDGET:
        break  # deterministic exit: spend ceiling reached
    task.update(response)
    if task.is_complete():
        break  # LLM-dependent exit, but never the only one
```

Frequently Asked Questions

What is token bombing in AI agents?

Token bombing is when an AI agent makes excessive LLM API calls in a loop, consuming thousands of tokens per iteration. The cost compounds with each cycle — a loop running at 1,000 tokens/iteration for 1,000 iterations costs roughly $10-100 depending on the model, and can escalate much further.

How is token bombing different from an infinite loop?

All token bombing involves loops, but not all infinite loops are token bombing. Token bombing specifically refers to the cost impact — loops that accumulate LLM API charges. A CPU-only infinite loop wastes compute but does not generate API costs.

How do you prevent token bombing?

Set max_iterations and max_execution_time on agent executors, implement token budget limits, add cost monitoring alerts, and use static analysis to detect unbounded loops before deployment.
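The controls listed above (iteration cap, token budget, execution time limit, cost alert) combined in one runner, added here as an example rather than code from this page or from Inkog. The `llm.complete()` / `task` interface, the `response.usage.total_tokens` shape and the per-1k-token price are assumptions carried over from the samples above; the stubs are constructed so the task never completes, reproducing the runaway loop.

```python
import time
from types import SimpleNamespace

def run_bounded(llm, task, *, max_iterations=25, token_budget=50_000,
                max_seconds=60.0, usd_per_1k_tokens=0.03, on_alert=None) -> dict:
    """Drive an agent loop under three independent ceilings: iteration count, total
    tokens and wall-clock time. usd_per_1k_tokens is a placeholder price for the estimate."""
    deadline = time.monotonic() + max_seconds
    tokens_used, iterations, reason = 0, 0, "max_iterations"
    for _ in range(max_iterations):
        if time.monotonic() >= deadline:   # checked before paying for another call
            reason = "timeout"
            break
        response = llm.complete(task.prompt)
        iterations += 1
        tokens_used += response.usage.total_tokens
        if tokens_used > token_budget:     # overshoot is bounded by a single call
            reason = "token_budget"
            break
        task.update(response)
        if task.is_complete():             # LLM-dependent exit, never the only one
            reason = "complete"
            break
    result = {"stop_reason": reason, "iterations": iterations, "tokens_used": tokens_used,
              "estimated_cost_usd": round(tokens_used / 1000 * usd_per_1k_tokens, 4)}
    if on_alert and reason != "complete":  # hitting any ceiling is a cost-monitoring event
        on_alert(result)
    return result

# Constructed stubs (not a real client): the LLM always bills a fixed token count and
# the task never reports completion unless told to, reproducing the runaway loop.
class StubLLM:
    def __init__(self, tokens_per_call: int) -> None:
        self.tokens_per_call = tokens_per_call
    def complete(self, prompt: str):
        return SimpleNamespace(text="keep going", usage=SimpleNamespace(total_tokens=self.tokens_per_call))

class StubTask:
    def __init__(self, completes_after=None) -> None:
        self.prompt, self.updates, self.completes_after = "do the thing", 0, completes_after
    def update(self, response) -> None:
        self.updates += 1
    def is_complete(self) -> bool:
        return self.completes_after is not None and self.updates >= self.completes_after

if __name__ == "__main__":
    alerts = []
    print(run_bounded(StubLLM(400), StubTask(), on_alert=alerts.append))
```

With the defaults, a never-completing task stops after 25 calls and 10,000 tokens; raising the per-call token count to 3,000 makes the token budget trip first, at call 17.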

How Inkog Detects This

Inkog identifies LoopNodes in the IR graph that contain LLM call nodes without deterministic termination guards. It flags patterns where loop exit depends on LLM output (non-deterministic) or where no iteration limit is set.

```bash
npx -y @inkog-io/cli scan .
```
