Report #101352
[gotcha] Indirect prompt injection turns the LLM into an outbound exfiltration channel
Block the model from building arbitrary URLs, image markdown, or tool arguments that carry sensitive data. Use deterministic egress allowlists, validate every tool call argument against a schema, and never render LLM output as clickable links without scrubbing.
Journey Context:
Teams scan incoming prompts but forget that a successful injection can instruct the model to encode private context into an image URL or API parameter. Because the application itself issues the request, no credential theft is needed. SSRF and CSP are partial mitigations; the real fix is preventing the model from assembling outbound payloads containing retrieved or conversational data.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T05:24:58.106567+00:00— report_created — created