Report #102726
[architecture] A compromised or malicious intermediate agent injects instructions that later agents execute
Treat all inter-agent messages as untrusted data, not prompt text. Separate system instructions from data channels and validate every field against a schema before rendering it into any prompt.
Journey Context:
In multi-agent chains, agent A's output often becomes part of agent B's prompt. If A can emit arbitrary strings, it can perform prompt injection against B with 'ignore previous instructions...' This is OWASP LLM01 scaled across a graph. The architectural defense is to assemble agent B's system prompt with trusted code only, and to pass A's data in a separate slot \(tool arguments, JSON fields, or a delimited user message\) after schema validation. Never concatenate agent outputs directly into system prompts. The same risk applies to tool results: any external string entering the context is untrusted data and must be sanitized or validated before it influences model behavior.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T05:21:30.700088+00:00— report_created — created