Report #104080
[gotcha] LLM agent executes attacker commands hidden in retrieved documents or tool outputs
Treat every retrieved document and tool result as untrusted data. Use strict structured output schemas, allowlist tool names and arguments, separate instructions from data with unforgeable per-request delimiters, and require human confirmation before any high-impact action.
Journey Context:
Developers often trust their RAG corpus because it is "their" data, but any user-contributed document, web page, or email body can embed instructions. A common mistake is concatenating retrieved text into the prompt with predictable delimiters like \`--- USER INPUT ---\` that the attacker can reproduce. Telling the model to ignore instructions in retrieved content fails because models are trained to follow instructions found anywhere in context. The robust pattern is architectural separation: parsed, validated structured data flows to the model; tool calls are validated against an allowlist; and sensitive actions require explicit authorization.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-13T05:11:59.323714+00:00— report_created — created