Indirect Prompt Injection

Indirect prompt injection is prompt injection sneakier cousin. Instead of the malicious instructions being in the skill own definition, they are concealed in data that the skill processes. A web page the agent reads, a file it opens, an email it summarizes, a database record it queries. The attack payload sits in the data, waiting for an agent to ingest it.

This is fundamentally harder to defend against because the skill is doing exactly what it is supposed to do. A web scraping skill is supposed to read web pages. A file analysis skill is supposed to read files. The problem is that the data those skills return contains concealed instructions that the agent follows.

Aguara indirect injection rules detect skills that are particularly vulnerable to this attack: skills that process untrusted external content without sanitization, skills that pass raw web content to the agent context, skills that read files from untrusted sources and include the contents in their responses, and skills that combine multiple data sources in ways that increase the injection surface.

Indirect injection exploits the core value proposition of AI agents: processing information from multiple sources and taking action on it. Every time your agent reads a web page, opens a document, checks an email, or queries an API, it is potentially ingesting an attack payload that will influence its subsequent behavior.

The reason this is specific to AI agents (and not traditional software) is that traditional software processes data according to fixed logic. A web scraper extracts specific fields from a page. It does not follow arbitrary instructions embedded in the HTML. But an AI agent interprets everything it reads as potential context for its next action.

The attack is especially potent with MCP because agents often chain capabilities together. An agent might use a web scraping capability to fetch a page, then use a file writing capability to save a summary, then use an email capability to send the summary. An indirect injection in the web page can influence any of those downstream actions.

If you are building skills that process external content, strip or sanitize the content before returning it to the agent. Remove HTML comments, concealed text, non-visible characters, and metadata that could contain instructions. Return only the meaningful content that the user asked for.

Skill authors should also consider what their output might influence. If your skill returns web page content and the agent might use that content to make decisions or take actions, you have a responsibility to sanitize that content. Add a warning in your response indicating that the content is from an untrusted source.

As a user, be cautious about giving your agent write or execution capabilities when it is processing untrusted data. If your agent is summarizing web pages, it should not also have access to your filesystem or email. Separate read-only research tasks from write/execute tasks, and do not combine untrusted data processing with sensitive actions in the same agent session.