Skills
Wrap untrusted content in boundary tokens (spotlighting) before it ever reaches agent memory
Spotlighting explicitly marks untrusted input with boundary tokens that signal 'this is data, not instructions,' and applies that structural isolation before any external content is written to memory or acted on. Benchmarks show a 30–40% reduction in injection success rate on its own — free to implement and additive on top of classifier-based defenses. For any agent that reads retrieved web pages, tickets, or emails, this is the cheapest first layer; prompt injection remains the #1 agentic vulnerability of 2026, so treat it as one layer of defense-in-depth, not a fix.
Source
↳ Follow the thread