Why is prompt injection more dangerous in an agent than in a chat only LLM?
In a chat LLM, injection only changes what the model says. In an agent, it can trigger real tool calls, so the blast radius scales with the agent's permissions.
Imagine you hire an assistant who reads every letter that arrives and tends to do whatever the most recent instruction says. With a chat only assistant, the worst a forged letter can do is make the assistant say something silly back to you. But now imagine the assistant also holds the keys to your house, your bank app, and your email. If a forged letter slips in an instruction like "wire the money and unlock the door," the assistant might just do it, because it cannot tell your real wishes from text someone hid in the mail. The danger is not really that the assistant got tricked. The danger is what the assistant is allowed to touch once it is tricked. An agent reads untrusted pages and documents, and it can act, so a hidden instruction becomes a real action.
Detailed answer & concept explanation~8 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
Start by separating susceptibility from consequence, then define blast radius and tie it to tool permissions. Explain indirect injection as the headline agent risk and why the model cannot separate instructions from ingested data. Close with the systemic defences: treat tool output as data, least privilege, human approval, sandboxing, and tracing.
Real products, models, and research that use this idea.
- Anthropic's computer use and Claude Code gate sensitive actions behind explicit approval, because a hijacked desktop or shell agent could otherwise run destructive commands from injected screen or file content.
- OWASP lists prompt injection as the number one risk in its LLM Top 10, and recent guidance stresses indirect injection through retrieved or browsed content as the headline agent threat.
- Browser and research agents like OpenAI Operator and Perplexity research mode read untrusted live web pages, the exact channel where indirect injection payloads are planted.
- Code execution sandboxes such as e2b microVMs and Modal containers isolate agent generated code, limiting blast radius when an injected instruction tries to run a malicious script.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow would you architect an agent so that reading an untrusted web page cannot trigger a destructive tool call?
QWhy can't you solve prompt injection purely with a better guardrail or classifier model?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Treating prompt injection as a content moderation problem rather than a privilege problem. The model cannot reliably separate trusted instructions from untrusted data, so defence lives in tool permissions and approval gates, not in a better filter.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.