Why is prompt injection more dangerous in an agent than in a chat only LLM?
Same topic, related formats. Practice these next.
Same topic, related formats. Practice these next.
In a chat LLM, injection only changes what the model says. In an agent, it can trigger real tool calls, so the blast radius scales with the agent's permissions.
Imagine you hire an assistant who reads every letter that arrives and tends to do whatever the most recent instruction says. With a chat only assistant, the worst a forged letter can do is make the assistant say something silly back to you. But now imagine the assistant also holds the keys to your house, your bank app, and your email. If a forged letter slips in an instruction like "wire the money and unlock the door," the assistant might just do it, because it cannot tell your real wishes from text someone hid in the mail. The danger is not really that the assistant got tricked. The danger is what the assistant is allowed to touch once it is tricked. An agent reads untrusted pages and documents, and it can act, so a hidden instruction becomes a real action.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
Start by separating susceptibility from consequence, then define blast radius and tie it to tool permissions. Explain indirect injection as the headline agent risk and why the model cannot separate instructions from ingested data. Close with the systemic defences: treat tool output as data, least privilege, human approval, sandboxing, and tracing.
Real products, models, and research that use this idea.
What an interviewer would ask next. Try answering before peeking at the approach.
Red flags and common mistakes that signal junior thinking. Click to expand.
Treating prompt injection as a content moderation problem rather than a privilege problem. The model cannot reliably separate trusted instructions from untrusted data, so defence lives in tool permissions and approval gates, not in a better filter.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.