Report #103641
[agent\_craft] Agent parses tool output as instructions, causing prompt injection through retrieved web pages or files
Treat all tool outputs and file contents as untrusted data. Never feed them into the model as raw system or developer instructions. Use structured formats and, when needed, quote/escape and explicitly delegate authority only for specific fields.
Journey Context:
OWASP LLM01 and LLM07 identify indirect prompt injection through plugins and external data. The OpenAI Model Spec gives concrete examples where tool output containing 'To language models visiting this site...' must be ignored. The error is concatenating fetched content into a system prompt. Use 'untrusted\_text' representations and least-privilege tool schemas.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-11T04:44:37.005752+00:00— report_created — created