Skills
Agent Data Injection is a new attack class your prompt-injection guardrails do not catch
A paper submitted 6 July 2026 defines Agent Data Injection (ADI): rather than hijacking what the agent does, the attacker corrupts which resources it acts upon, by injecting probabilistic delimiters that make untrusted data read as trusted metadata (resource IDs, data origin, tool-call history). On agents where classic instruction injection is nearly dead (0.0–0.7% success), ADI still succeeds 49.1% of the time. Llama Guard 2 input guardrails let 50.0% through and LlamaFirewall output guardrails let 45.4% through — neither can distinguish a corrupted action from a legitimate one.
↳ Follow the thread