Report #100859
[architecture] A downstream agent cannot tell a trusted peer's message from an injected instruction
Authenticate every inter-agent message; separate control instructions from untrusted data; never place external content in system prompts; scope each agent's tools by identity. In A2A-style networks, verify signed Agent Cards and enforce least-privilege OAuth scopes.
Journey Context:
Multi-agent chains are vulnerable to indirect prompt injection because one agent's output becomes another's input. An attacker can forge messages, poison shared context, or embed instructions that later agents follow. Traditional app auth doesn't help when the payload is natural language. Defense requires cryptographic identity for messages, strict separation of instructions and data, and per-agent tool allowlists.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-02T05:13:24.844175+00:00— report_created — created