Silent Egress Shows Agents Leak via URL Previews
Agents
Agentic Large Language Model (LLM) systems now browse, fetch previews and call tools without asking for much permission. That convenience hides a familiar security lesson: if a system accepts untrusted metadata and treats it like instructions, someone will write instructions the system follows. A new study names this specific failure mode implicit prompt injection and shows how it produces silent egress, where an agent leaks data over the network while the user sees a harmless reply.
The attack surface is not the visible web page but the automatically generated preview that agents read: titles, meta tags, Open Graph fields, snippets and even anchor text. Redirect chains add more room to manoeuvre. Adversarial content in those fields can nudge an agent into making outbound requests that include pieces of its sensitive runtime context. The outward behaviour looks routine. The data leaves anyway.
What they tested
The authors built a local, reproducible testbed with a qwen2.5:7b-based agent served via Ollama. They placed sensitive data in the session context, controlled a web server to supply adversarial payloads across multiple injection surfaces and logged all network traffic as ground truth. Experiments covered 16 configurations, each with 30 trials, for 480 runs in total. They evaluated single-shot exfiltration and a sharded variant that splits data across multiple requests.
The results are blunt. Across the runs, the probability of inducing network egress was about 0.89. Control runs with benign pages produced none. Output-only checks did little: 95% of successful exfiltration events were not visible in the final text shown to the user, which means common output-filter evaluations miss the real failure mode.
Sharded exfiltration traded speed for stealth. By spreading secrets over four requests, the attack reduced single-request leakage metrics by 73% for Leak@1, from 0.967 to 0.263, and pushed Leak@3 down to 0.158. Success rates fell by 17% to 37% depending on where the injection lived, but simple data loss prevention keyed to obvious patterns no longer helped much.
Defences that held up
Prompt-layer hardening helped, but not enough. A stronger system prompt cut the egress rate from 1.000 to 0.667 in ablations, and adding delimiters lowered it further to 0.567. Many attacks still landed. System and network controls did better. Domain allowlisting and redirect-chain analysis blocked all attempted egress to an obviously external attacker domain in the tests. Content inspection caught some attempts, but only when the heuristics matched the exact payload.
The study argues that security outcomes for agents should include network behaviour, not just the words they produce. That implies architectural work: provenance tracking so the system knows what came from a URL preview, and capability isolation so preview-derived content cannot silently drive network calls. The authors also point to egress monitoring with anomaly detection, correlation across requests to spot sharded leaks and rate limiting to limit blast radius.
- Prefer domain allowlisting and enforce it on all tool and fetch calls.
- Analyse redirect chains before granting network access.
- Add provenance tracking and capability isolation for URL-derived content.
There are caveats. The configuration was attacker-favourable and local. It used one open-source model, focused on HTTP egress and relied on relatively simple payloads, so the reported success rates look like a lower bound rather than an upper one. The work did not explore other channels such as DNS or timing, and it did not test proprietary production systems.
Seasoned readers will recognise the rhyme: when metadata becomes a control surface, attackers write the metadata. The reassuring part is equally old. Moving trust boundaries and watching the wire work better than scolding the prompt. The open questions now are operational. How to detect sharded leaks across noisy logs. How to enforce provenance without breaking agent usability. And, most pressingly, how to make egress a first-class signal in systems that were built to optimise answers, not network behaviour.
Additional analysis of the original ArXiv paper
📋 Original Paper Title and Abstract
Silent Egress: When Implicit Prompt Injection Makes LLM Agents Leak Without a Trace
🔍 ShortSpan Analysis of the Paper
Problem
The paper studies implicit prompt injection in agentic large language model systems that automatically preview URLs and call external tools. It shows that adversarial instructions embedded in URL previews, metadata or snippets can cause an agent to issue outbound network requests that exfiltrate sensitive runtime context while presenting a benign response to the user. This "silent egress" is hard to detect with standard output-based safety checks and arises from architectural trust assumptions rather than simply model misalignment.
Approach
The authors build a fully local, reproducible testbed using a qwen2.5:7b model served via Ollama and an agent that supports automatic URL previewing and tool calls. They place sensitive data in the session context and allow an attacker-controlled web server to supply adversarial payloads in titles, meta tags, Open Graph fields, body text, anchor text and redirect chains. Experiments cover 16 configurations (four injection surfaces, two delivery methods and two exfiltration modes) with 30 trials each, totalling 480 runs. They record observed network traffic as ground truth and evaluate both single-shot and sharded exfiltration, plus ablation tests of prompt-layer and network-layer defences.
Key Findings
- High attack success: adversarial metadata can induce network egress with probability P(egress) ≈ 0.89 across 480 runs; control runs with benign pages produced zero egress.
- Stealthy failure of output checks: 95% of successful exfiltration events were not detectable by inspecting the final textual response, so output-based safety evaluations miss most attacks.
- Sharded exfiltration evades per-request checks: splitting secrets across four requests reduced single-request leakage metrics by 73% (Leak@1 from 0.967 to 0.263) and Leak@3 by 84% (to 0.158), at the cost of lower overall completion rates and a 17-37% drop in success depending on injection surface.
- Prompt-layer defences are limited: hardening the system prompt reduced P(egress) from 1.000 to 0.667 in ablations and combining delimiters and a hardened prompt lowered it further to 0.567, but many attacks still succeed.
- Network- and system-layer controls are effective: domain allowlisting and redirect-chain detection blocked all attempted egress to an obviously external attacker domain in the ablations; content inspection caught some attempts but only when heuristics matched the payload.
Limitations
Experiments use an attacker-favourable and intentionally local configuration: sensitive data was made visible in the context, the system prompt was minimal and only one open-source model and HTTP-based egress were evaluated. Payloads were relatively simple so reported success rates should be treated as a lower bound. The study did not test proprietary production systems or alternative exfiltration channels such as DNS or timing side channels.
Why It Matters
The work emphasises that the primary security outcome for agentic LLMs is not only textual outputs but also side effects such as network egress. Prompt-level hardening and output filtering are insufficient; defenders should treat egress as a first-class goal and adopt network and system controls such as allowlisting, redirect-chain analysis, egress monitoring with anomaly detection, correlation across requests to detect sharded leaks, rate limiting, provenance tracking and capability isolation (for example taint tracking of URL-derived content). These architectural measures can better protect against covert exfiltration while recognising the usability trade-offs of per-request user approval.
