Report #101690
[agent\_craft] Code retrieved from RAG, GitHub, or documentation is concatenated into the prompt without treating it as untrusted data
Treat all retrieved code, docs, and tool outputs as potentially adversarial; never place retrieved content in system instructions; validate and sandbox any code before execution; use deterministic output filters before privileged actions.
Journey Context:
OWASP LLM01 covers both direct and indirect prompt injection. The indirect form is especially dangerous for coding agents because the malicious payload hides in legitimate-looking dependencies, READMEs, or error logs. A common mistake is to stuff retrieved context into the system prompt to 'give the model more context,' which grants that data instruction-level authority. Delimiters and 'ignore above' markers are not robust. The right defense is structural separation plus execution sandboxing, treating retrieval as a data plane by definition.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:17:00.675406+00:00— report_created — created