Prompt Injection
Also known as: Prompt injection attack, Indirect prompt injection
Attacker text in user input or retrieved content overrides the model's system prompt or hijacks tool calls.
A security vulnerability where adversarial input (in the user message, retrieved document, or tool output) manipulates the LLM into ignoring its instructions or executing unintended actions. Especially dangerous in agentic systems with tool access.
In practice
The OWASP #1 risk for LLM apps. Senior security interviews probe direct vs indirect injection and mitigation patterns (untrusted-data isolation, output validation).
How it compares
Prompt injection is the attack; guardrails are part of the defense.
Related topics
Questions that mention this term
- Spot the injection vulnerabilities in this production prompt template.
- Why is prompt injection more dangerous in an agent than in a chat only LLM?
- Predict the LLM's behavior when a malicious server shadows a trusted tool without host namespacing
- Spot the security mistake in this MCP tool output handling
- In an MCP tool poisoning attack, which field of the tool definition is the primary attack vector and why?
- MCP has tools, resources, and prompts. What makes a resource different from a tool?
Related terms
Agent Loop
The runtime: LLM call → tool call → observation → LLM call → … until a final answer or step cap.
AI Agents
LLMs that loop: plan → call tools → observe results → repeat until done.
Chain-of-Thought (CoT)
Ask the model to think step by step before answering. It boosts accuracy on reasoning tasks.
Context Rot
Long-running chats degrade: early instructions get forgotten, and tool calls become less reliable.
Function Calling
The model emits structured JSON specifying a tool call instead of free text; the host executes it.
In-Context Learning (ICL)
Show the model a few examples in the prompt and it learns the pattern, no fine-tuning needed.