Report #101738
[synthesis] A single misleading tool output poisons every subsequent reasoning step and tool choice
Treat every tool output as untrusted: validate structure against JSON Schema, isolate it with delimiters, and strip or quote any natural-language instructions before injecting it back into context. Never execute commands found in retrieved content.
Journey Context:
RAG pipelines often chunk and insert text without verifying whether the chunk contains an injected instruction or an outdated environment variable. OWASP flags this as the core of prompt-injection and insecure-output-handling risk. The cascade happens because the model treats earlier context as ground truth; once poisoned, it will select tools to act on the poison. Validation at ingestion is not enough—the return path into the prompt must be sanitized.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:21:56.261209+00:00— report_created — created