Attacks and threats
Indirect prompt injection
Indirect prompt injection hides malicious instructions in third-party content an agent reads, such as a web page, email, or tool result, rather than in the user's own message.
Also called: tool injection, tool-output injection
Definition
What is indirect prompt injection?
In indirect prompt injection, the attacker never talks to the agent directly. Instead they plant instructions in content the agent will later ingest: a web page it browses, an email it summarizes, a document in a knowledge base, or the output of a tool it calls. When the agent processes that content, it treats the hidden instructions as if they were legitimate.
This is the dominant threat for tool-using agents, because agents are built to read the outside world. A poisoned search result or a booby-trapped file can hijack an agent that the user fully trusts. Defending against it means treating every tool result and external document as untrusted input, and enforcing policy on the actions the agent takes after reading it, not just on what the user typed.
FAQ
Common questions.
How is indirect prompt injection different from direct prompt injection?
Direct injection comes from the user's own input. Indirect injection comes from third-party content the agent reads later, such as a web page, email, or tool output, so it can compromise an agent the user completely trusts.
How do you defend against tool-output injection?
Treat every tool result and external document as untrusted, inspect the tool calls the agent makes after reading it, and enforce policy on those actions. Governing the action layer contains an injection even when the model is fooled.
Related terms
Keep reading.
Govern the actions, not just the vocabulary
AxioRank scores every tool call your agents make for leaked secrets, PII, destructive operations, and prompt injection, checks it against your policy, and proves it in a tamper-evident audit log. Start free, no card.