Why it matters

Every LLM app has context boundaries. Smuggling exploits weak enforcement. Understanding shapes safe design.

Advertisement

The architecture

Boundary confusion: user input placed adjacent to system instructions; LLM can't distinguish.

Markup abuse: user input includes markers app uses to delimit sections.

Context smugglingUntrusted inputwith app markersInsufficient escapingapp doesn't sanitizeLLM interpretsas trustedStructured delimiters (JSON, special tokens) more resistant than markdown
Smuggling mechanism.
Advertisement

How it works end to end

Defenses: strict input escaping, use structured formats (JSON) that LLMs recognize as data, model-provided delimiters (special tokens).

Newer instruction hierarchy training helps but doesn't eliminate.