Indirect prompt injection hides instructions in content an agent ingests — a web page, a README, an issue comment, a tool result — so that when the agent reads it, the text is treated as instructions.
Why it's hard to catch
The malicious content need not be visible to a human. It can sit in HTML comments, hidden elements, or be served only to automated clients (content that looks clean to a reviewer but carries instructions to an agent). The payload only matters at the moment the agent acts on it.
Common carriers
- Pages the agent fetches while researching ("read this doc and summarize").
- Repository READMEs, issues, and PR comments.
- Tool results and retrieved documents (see RAG).
Defenses that hold up
- Treat all fetched content as untrusted data, never as instructions.
- Structurally separate instructions from retrieved content in your prompts.
- Constrain tools with allowlists and require confirmation for irreversible actions.
- Monitor agent behavior at runtime — static checks can't see content that only appears to the agent.