What Is Indirect Prompt Injection in AI Agents?

Indirect prompt injection is an agent exploit where attacker-controlled external content becomes part of model context and overrides intended instructions. The model treats hostile context as operational guidance and executes unauthorized behavior.

This matters because the dangerous input may not come from the user chat box at all. It can come from a synced document, ticket, knowledge-base page, or scraped URL that looks harmless but includes hidden instructions that alter agent decisions.

Think of it like a manager forwarding a legitimate-looking memo that secretly contains a fraudulent payment instruction. The employee follows the memo because it arrived through a trusted channel, not because the instruction was actually safe.

01. [Component: DarkWireframeKey]

As shown in the Policy Gate diagram, the left lane should represent trusted system instructions, and the right lane should represent untrusted fetched content crossing into tool-invocation decisions.

Start free scan | See sample audit

02. Agentic Risk (Cursor, v0, Bolt)

Ubserve 2026 agent assessments showed 16.3% of tool-enabled agent flows lacked context provenance filtering before execution. This creates exploitable instruction precedence inversion.

03. Wrong vs. Right

// WRONG: pass raw page/db content directly to agent tool planner
agent.run({ context: fetchedContent });

// RIGHT: classify + sanitize + isolate untrusted context
agent.run({
  trustedContext,
  untrustedContext: sanitize(fetchedContent),
  allowToolCalls: policyValidated,
});

04. Copy-Paste Fix Prompt for Cursor/Claude

Patch my agent workflow against indirect prompt injection.
1) Identify all external content ingestion points (web pages, docs, DB notes, tickets).
2) Add untrusted-context labeling and instruction filtering.
3) Gate tool calls behind explicit policy checks, not model confidence.
4) Add regression tests with malicious hidden instructions.
Return minimal patch set + test fixtures.