Indirect prompt injection

Affected tools

• RAG assistants
• Browser-based AI agents
• AI copilots with tool access
• Automations that read web content

How it usually happens in the browser

• An AI workflow fetches web pages, emails, tickets, or docs as context for an answer.
• The fetched content includes hidden or subtle instructions aimed at the model.
• The model treats those instructions as higher priority than the user’s request or system rules.
• If the agent has tools, it may browse, click, summarize, or exfiltrate data based on those instructions.
• The user trusts the output because it appears to be sourced from legitimate content.

What traditional defenses miss

• Teams assume “reading the web” is safe for AI tools, but the web is adversarial.
• Hidden instructions can be embedded in HTML/CSS, comments, or low-visibility text.
• Tool-enabled agents make indirect injection more dangerous because they can take actions, not just answer questions.
• Standard web security controls don’t account for instruction-following vulnerabilities in LLM workflows.

Mitigation checklist

• Sanitize and label retrieved content; strip hidden text and isolate content from instructions.
• Constrain tool access and use allowlists for retrieval sources where possible.
• Add “instruction filtering” layers that treat retrieved text as data, not directives.
• Require human confirmation for actions that change state (send email, approve access, modify settings).
• Continuously test indirect injection vectors in your retrieval and agent pipelines.

How isolation helps

• Isolation reduces endpoint exposure when users browse unknown pages that they plan to feed into AI tools.
• It provides a safer boundary for web exploration and investigation by running content in isolated containers and deleting sessions afterward.
• Isolation complements AI-side mitigations by reducing the overall risk of interacting with untrusted web content.

FAQs.