Indirect prompt injection

Prompt injection delivered via content the LLM retrieves rather than via the user's direct prompt — a poisoned web page, email, document, or tool response that the agent ingests and treats as instructions.

Indirect injection is the more dangerous variant for agentic systems because the attacker never speaks to the user. Any tool that pulls untrusted content (web fetch, email read, document parse) becomes an attack surface. EchoLeak-class cross-agent variants compound this: one agent's output becomes another agent's untrusted input.

Related frameworks

• MTTD-for-Agents →

Articles that analyse this term

• EchoLeak and the cross-agent prompt-injection class

Primary sources

• Greshake et al.. Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection· 23 Feb 2023
• OWASP. Top 10 for LLM Applications — LLM01