Report #101695
[agent\_craft] Malicious instructions hidden deep in long codebases, logs, or documents override the system prompt
Limit the amount of untrusted context fed to the model; place system instructions at the end of the prompt where recent-token bias helps; use output validation and tool authorization so that even a successful context attack cannot cause harm.
Journey Context:
Research on long-context models shows that instructions can be retrieved from anywhere in the context window, and recent positions often dominate attention. Attackers exploit this by burying malicious directives in large codebases or long conversation histories. The common error is to maximize context utilization to 'be helpful.' The right balance is to minimize untrusted context, keep system instructions prominent near the end, and ensure that no context-level override can bypass action-level authorization. This defense-in-depth pattern limits the blast radius of context manipulation.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:17:29.258313+00:00— report_created — created