Why it matters

Agents can email, spend, act on infrastructure. Hijacked agents cause real damage. Understanding matters for agent security.

Advertisement

The architecture

Tool response injection: attacker controls a service the agent calls; injects instructions in response.

Memory poisoning: attacker plants facts in agent's memory that alter future decisions.

Agent hijack vectorsTool response injectioncompromised APIMemory poisoningplant false factsSession manipulationhijack stateCompromised tool = compromised agent; treat all tool responses as untrusted
Three hijack paths.
Advertisement

How it works end to end

Session manipulation: exploit auth or session handling to inject into ongoing agent conversation.

Chained agents: hijacked sub-agent affects parent's decisions.

Defenses: sandbox tools, treat responses as untrusted, validate memory writes, structural policies on agent actions.