Report #103236
[architecture] Malicious or buggy upstream agent hijacks downstream agent via its output
Apply the same input-sanitization posture to inter-agent messages that you apply to user input: strip instructions, delimiters, and role markers from payloads; enforce a strict schema; and never concatenate an upstream agent's output directly into a downstream system prompt. Treat every upstream as potentially compromised.
Journey Context:
Multi-agent chains feel internal and trusted, but a compromised or misaligned upstream can inject instructions into a downstream system prompt \('ignore previous instructions...'\). This is indirect prompt injection across an architectural boundary. Developers routinely sanitize user input but pass agent output straight into the next prompt because it is 'machine generated.' Schema-plus-sanitization breaks the attack surface without hurting legitimate structured data. The alternative of 'just trust the agent' is the default failure mode.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T05:15:03.684092+00:00— report_created — created