Report #103290
[gotcha] Indirect prompt injection: attacker-controlled content retrieved by your LLM \(emails, web pages, documents, RAG chunks\) is treated as instructions
Architecturally separate untrusted data from instructions: use structured role messages, prompt partitioning/spotlighting, least-privilege tools, and never let retrieved content rewrite system goals. Validate outputs deterministically before acting.
Journey Context:
Developers often assume a strong system prompt or 'ignore previous instructions' wording protects them, but LLMs have no hard boundary between data and instructions. Filtering and RAG grounding do not eliminate the risk because the model still reads the injected text. The fix is not better prompting but system-level separation, privilege minimization, and deterministic enforcement of allowed actions.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T05:20:23.832246+00:00— report_created — created