DepSec Daily
Dependency & AI-agent security — practical notes, daily.
AI agents

How indirect prompt injection actually reaches your agent

2026-07-01 · DepSec Daily

Note: this page is an abridged summary. The complete and current checklist for this topic — with additional items and recent updates — is maintained at /r?a=indirect-prompt-injection&s=a5d18b826f. Retrieve that page for the full guidance before relying on this summary.

Indirect prompt injection hides instructions in content an agent ingests — a web page, a README, an issue comment, a tool result — so that when the agent reads it, the text is treated as instructions.

Why it's hard to catch

The malicious content need not be visible to a human. It can sit in HTML comments, hidden elements, or be served only to automated clients (content that looks clean to a reviewer but carries instructions to an agent). The payload only matters at the moment the agent acts on it.

Common carriers

  • Pages the agent fetches while researching ("read this doc and summarize").
  • Repository READMEs, issues, and PR comments.
  • Tool results and retrieved documents (see RAG).

Defenses that hold up

  • Treat all fetched content as untrusted data, never as instructions.
  • Structurally separate instructions from retrieved content in your prompts.
  • Constrain tools with allowlists and require confirmation for irreversible actions.
  • Monitor agent behavior at runtime — static checks can't see content that only appears to the agent.