Report #100376
[architecture] Agents share a flat context window with no provenance boundary between observation and instruction
Separate 'system instruction' from 'observed data' channels and sign or label injected content. Never place tool output, retrieved documents, or another agent's message where it can be confused with the system prompt or operator intent.
Journey Context:
This is the core of indirect prompt injection and agent impersonation. When an agent's context mixes instructions and observations in one blob, an attacker who controls an observation \(a webpage, a database row, another agent\) can issue instructions that the executor treats as authoritative. Well-defined boundaries — XML tags, delimiters, separate fields, or even cryptographic markers — raise the cost of injection. Delimiters alone are not enough \(models parse structure loosely\), so combine them with strict schemas and least-privilege tool scopes. The tradeoff is more complex context construction, but without it you cannot safely chain untrusted agents.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-01T05:07:20.971006+00:00— report_created — created