New to ShortSpan? We distil the AI-security research that matters into practitioner takeaways — edited by Ben Williams (NCC Group). Get the weekly email
// Analysis

Agent data injection exploits break LLM agents

Agents
Agent data injection exploits break LLM agents

New research shows agent data injection (ADI) lets attackers disguise malicious content as trusted metadata or tool context, pushing Large Language Model (LLM) agents into unintended actions. It bypasses many prompt-injection defences, lands real clicks and code execution, and exploits how agents mix trusted and untrusted data without isolation.

The conversation on agent security has fixated on instruction injection. Useful, but incomplete. This paper puts a name to what many of us have seen in the wild: agent data injection (ADI). Instead of shouting new instructions at a Large Language Model (LLM), the attacker poisons the data the agent treats as trusted metadata or context and lets the plumbing do the rest.

How the attack works

Agents blend system prompts, tool results and external inputs into one big context window. ADI abuses that lack of isolation. The technique the authors highlight, probabilistic delimiter injection, sprinkles delimiter-like tokens into untrusted fields so the model mis-parses them as structural elements: resource identifiers, origins, or even tool-call blocks. The payload does not have to be a perfect delimiter; visually similar or inexact variants still land often enough to matter.

This is not a lab toy. Off-the-shelf models showed attack success rates on JSON between 31.3% and 43.3% and on web DOM between 33.3% and 100.0%, while keeping high benign utility. In other words, the model remains useful, just pliable where it counts.

What gets popped

Web agents first. The team shows arbitrary click attacks against real agents, including Claude in Chrome, Antigravity and Nanobrowser. An attacker-controlled page can embed DOM that the agent interprets as trusted context, nudging it to click attacker-chosen elements. Think unintended purchases or navigation, triggered by content the agent believes it owns.

Coding agents are worse. By spoofing origins or fabricating tool-call blocks inside comments or task text, they coax assistants like Claude Code, Codex and Gemini CLI into executing commands or into unsafe merges. That is remote code execution and supply-chain compromise delivered through what looks like harmless metadata. If your agent assumes a string saying “this came from the linter” actually came from the linter, you are already in trouble.

Most current defences aim at instruction-style strings and largely miss ADI. In the authors’ agent evaluations, instruction injection was basically null under defences, yet ADI still reached up to 50.0% success. Randomising identifiers can cripple JSON attacks if the attacker does not know the nonce. Sanitisation helps but trashes legitimate structure. Strict data flow tracking with hard policies blocked ADI, at the cost of utility. Sandboxes and guardrails reduce blast radius but do not fix the parsing mistake at the heart of this.

The blunt takeaway: agents today do not separate trusted from untrusted data. If an adversary can post or tweak content in your workflows — reviews, pull requests, emails, chat — they can smuggle structure that your agent treats as authority. This one maps cleanly from paper to production; the open question is how to enforce provenance across tools without turning your agent into a very expensive regex.

Additional analysis of the original ArXiv paper

📋 Original Paper Title and Abstract

Agent Data Injection Attacks are Realistic Threats to AI Agents

Authors: Woohyuk Choi, Juhee Kim, Taehyun Kang, Jihyeon Jeong, Luyi Xing, and Byoungyoung Lee
AI agents act on behalf of user prompts, consuming external data and taking actions based on the agent context. Prior research on AI agent security has primarily focused on indirect prompt injection (IPI). Its most well-studied category is instruction injection, where attacker-controlled untrusted data is interpreted as an instruction. In response, many mitigations have been proposed to prevent instruction injection attacks. In this paper, we introduce a new category of IPI, agent data injection attacks (ADI). ADI injects malicious data disguised as trusted data, such as security-critical metadata (e.g., resource identifiers or data origins) or agent context data (e.g., tool call and response formats). As a result, agents unknowingly execute unintended actions based on attacker-controlled data. ADI has similar attack impacts as instruction injection attacks, because it causes agents to misbehave and execute unintended actions. Despite the similar impact, ADI remains underexplored and easily bypasses existing IPI defenses. We found several critical vulnerabilities in real-world agents that allow an attacker to launch various attacks: arbitrary click attacks on web agents (Claude in Chrome, Antigravity, and Nanobrowser), and remote code execution and supply-chain attacks on coding agents (Claude Code, Codex, and Gemini CLI). We evaluate ADI vulnerabilities across off-the-shelf models and AI agents, and find that ADI is effective in both standalone LLMs and AI agent settings. ADI exposes a critical gap in agent security, signifying that current AI agents do not employ a fundamental security principle: current agents do not isolate trusted data from untrusted data.

🔍 ShortSpan Analysis of the Paper

Problem

This paper studies a new class of indirect prompt injection called agent data injection (ADI). ADI occurs when attacker-controlled untrusted content is crafted to be misinterpreted as trusted metadata or structured agent context, causing AI agents to take unintended actions. This matters because AI agents routinely mix system instructions, tool outputs and external data in a single context; unlike prior work that targeted instruction injection, ADI exploits lack of isolation within agent data itself and can bypass many existing defences.

Approach

The authors define ADI formally and introduce probabilistic delimiter injection, a technique that inserts delimiter-like sequences into untrusted fields so that an LLM probabilistically treats injected text as structural trusted data. They implemented proof of concept attacks against real web and coding agents and evaluated ADI in two ways: (1) LLM-only benchmarks over seven data categories and two formats (JSON and web DOM) across six model APIs, measuring benign utility and attack success rate; (2) agent-level evaluation built on an extended AgentDojo suite with 108 ADI attacks, testing multiple defence mechanisms including randomisation, sanitisation, dual-LLM, data flow tracking (CaMeL variants), plan-then-execute, agent sandboxing and input/output guardrails.

Key Findings

  • Off-the-shelf LLMs are broadly vulnerable: baseline attack success rates (ASR) on JSON were 31.3%–43.3% and on web DOM 33.3%–100.0% across models while retaining high benign utility.
  • Probabilistic delimiter injection works even with inexact delimiters; attacks using visually similar or unrelated characters still achieved substantial ASR, though structurally consistent payloads were more effective than inconsistent ones.
  • Real-world agents are exploitable: demonstrated arbitrary click attacks on web agents (Claude in Chrome, Antigravity, Nanobrowser), remote code execution via origin spoofing and command execution on coding agents (Claude Code, Codex, Gemini CLI), and supply-chain attacks by fabricating tool-call blocks to cause unsafe merges.
  • Existing defences tuned to instruction injection largely fail: instruction injection ASR was near zero (0.0%–0.7%) under defences, but ADI reached up to 50.0% ASR in agent evaluations.
  • Some mitigations show partial effectiveness: randomisation of identifiers reduced JSON ASR to near zero when nonces were unknown to attackers; sanitisation reduced ASR but at heavy benign-utility cost; precise data flow tracking with strict policies (CaMeL Strict) prevented ADI but substantially reduced utility.

Limitations

The attacker model assumes knowledge of the agent data format; recovering formats may require direct observation, code inspection, reverse engineering or jailbreak prompting. Defence evaluations expose trade-offs: strong policy enforcement can block ADI but degrades agent utility, and sanitisation harms legitimate structured content. The experiments cover a set of representative agents and tasks but do not exhaust all agent architectures.

Implications

Offensively, an attacker who can post or modify external content (web reviews, issue comments, PR descriptions, emails or chat messages) can inject payloads that the agent treats as trusted metadata. Practical impacts include coercing agents to click attacker-chosen UI elements (leading to unintended purchases), spoofing maintainers to induce execution of arbitrary commands on developer machines, fabricating tool-call histories to merge malicious pull requests, and spoofing email or chat origins to exfiltrate or misattribute content. These attacks broaden the adversary surface beyond instruction injection and show that mixing trusted and untrusted agent data without strict isolation enables high-impact exploits.

// Similar research

Related Research

Get the weekly digest

The few AI-security papers that matter, with the practitioner takeaway. No spam.