How does prompt injection in an agent differ from injection in a chat interface, and why is it OWASP LLM Top-10 #1?
Explain what prompt injection is in the context of an LLM agent, how it differs from prompt injection in a pure chat application, and why it ranks first in OWASP's LLM Top-10.
Prompt injection hijacks an agent into obeying untrusted content. In an agent the blast radius scales with tool permissions, so defence is layered, not a single fix.
Imagine you hire an assistant who does whatever any note tells them, no matter who wrote it. In a chat app the assistant can only talk, so a sneaky note just makes them say something wrong. But an agent assistant also has keys to your files, your email, and your bank. Now a sneaky note hidden inside a web page or a document the assistant reads can tell it to delete files or email your secrets, and it obeys, because it cannot tell your real orders from instructions someone hid in the stuff it was asked to read. The hidden note problem is the dangerous one, because nobody typed the bad command. We cannot fully fix this at the model level yet, so we stack defences: treat everything read as untrusted, give the assistant the fewest keys possible, and make a human approve anything risky.
Detailed answer & concept explanation~8 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
Define injection, explain why the agent blast radius equals tool scope, contrast direct with indirect injection, state why it is unsolved at the model layer, then walk the defence in depth stack: untrusted data handling, least privilege, human approval, sandboxing, provenance, schemas, and monitoring.
Real products, models, and research that use this idea.
- Anthropic's Claude computer use and agent SDKs document indirect injection risk and recommend least privilege tools plus human approval on high impact actions.
- GitHub Copilot and Cursor coding agents sandbox code execution and gate destructive file or shell actions behind user confirmation to contain a hijacked edit loop.
- OpenAI's Operator and browser agents constrain navigation and require user confirmation before sensitive actions like purchases or form submissions.
- The OWASP LLM Top-10 lists prompt injection as LLM01 and prescribes privilege separation, input handling, and human oversight rather than a single fix.
- Microsoft 365 Copilot enforces tenant permission boundaries so a poisoned document cannot make the agent read data the user could not already access.
What an interviewer would ask next. Try answering before peeking at the approach.
QHow would you architect a coding agent that can run shell commands but cannot exfiltrate source code?
QWhy does treating retrieved content as untrusted data not fully solve indirect injection on its own?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Claiming a single input filter or a strong system prompt solves prompt injection. There is no model layer fix today, so the only real defence is layered controls around the agent.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.