Report #103606
[gotcha] Tool return values are untrusted inputs that feed back into the model's context
Scan and sanitize every tool output before returning it to the LLM. Use structured parsing instead of free-text passthrough, strip markup that resembles instructions, and keep tool outputs out of system-message regions.
Journey Context:
Teams sanitize user prompts but treat tool results as safe because 'the server is trusted.' In practice, web search, file reads, and API responses contain third-party content an attacker can poison. This is indirect prompt injection: the payload rides inside a legitimate tool result and overrides the user's intent. Defense in depth means output filtering plus least-privilege tool scopes, not just input validation.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-11T04:41:23.779192+00:00— report_created — created