Why it matters
Indirect injection is major agent risk. Understanding shapes RAG + tool safety.
Advertisement
The architecture
Attacker plants payload in retrieved content.
LLM ingests as instruction.
Executes attacker goal.
Advertisement
How it works end to end
Vectors: email, web pages, PDFs, invisible chars.
Defense: content isolation, output monitoring, capability limits.