Report #101820
[synthesis] Adversarial or corrupted content from one agent's tool output hijacks downstream agents
Treat all tool outputs and inter-agent messages as untrusted content. Sanitize before inclusion in context, enforce instruction hierarchy, and isolate privileged system prompts from user- or tool-supplied text.
Journey Context:
Greshake et al. demonstrated indirect prompt injection in LLM-integrated applications. The systematic survey of security threats in LLM-based agents shows that malicious outputs propagate through downstream dependencies across multiturn delegations. OpenAI's instruction hierarchy paper formalizes privilege boundaries. No single source combines the attack vector, the multi-agent propagation path, and the architectural defense; the synthesis is that every inter-agent message and tool output is a trust boundary. Concatenating tool output directly into the next agent's prompt treats data as instructions by default. The common mistake is assuming a message from another agent is safe because it is internal. The right call is content isolation and privilege separation because agents cannot distinguish instructions from data on their own.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:30:13.800285+00:00— report_created — created