Report #101330
[counterintuitive] Prompt injection is only a risk when a malicious user directly attacks the chatbot.
Treat all external content, including retrieved documents, tool responses, emails, PDFs, and web pages, as untrusted. Separate instructions from data with delimiters, never embed secrets in prompts, and scope tool permissions to least privilege.
Journey Context:
LLMs have no hard boundary between instructions and data. Indirect prompt injection hides attacker instructions in RAG content, tool outputs, or documents that the model later processes. OWASP ranks prompt injection as the \#1 risk for LLM applications because the attack surface includes retrieval, tools, and system prompts, not just the chat input. Defense in depth and privilege minimization matter more than clever prompt wording.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T05:22:12.036312+00:00— report_created — created