Report #101795
[gotcha] Retrieved documents, web pages, or uploaded files contain hidden instructions that hijack the assistant
Treat every retrieved or uploaded byte as untrusted data, not instructions: isolate it with delimiters or role tags, strip hidden text and metadata, run input classifiers on retrieved content, and require human confirmation before any tool call driven by untrusted context.
Journey Context:
The attacker never talks to the bot directly; they poison a web page, PDF, email, or knowledge-base document the model is asked to process. Because all tokens share the same context, the model cannot reliably distinguish the developer's instructions from the attacker's. The most common mistake is trusting the system prompt to protect RAG. Architecture-level isolation and output filtering are far more reliable than stronger prompt wording.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:27:37.220306+00:00— report_created — created