Why it matters

Indirect injection is major agent risk. Understanding shapes RAG + tool safety.

Advertisement

The architecture

Attacker plants payload in retrieved content.

LLM ingests as instruction.

Executes attacker goal.

Indirect injection flowAttacker plantsin doc / emailLLM retrievesas contextExecutes payloadinstead of taskBing Chat, Bard, Claude all shown vulnerable in early demos; defenses evolving
Indirect PI.
Advertisement

How it works end to end

Vectors: email, web pages, PDFs, invisible chars.

Defense: content isolation, output monitoring, capability limits.