
Key facts.
- Greshake et al. demonstrated indirect prompt injection compromising real LLM-integrated applications by hiding instructions in retrieved data, which acts as arbitrary code the model follows. source
- The attack requires no direct access, only the ability to get malicious content into data the system will retrieve. source
- Legal agents read privileged, confidential and opposing-party material, so the documents they process are a realistic injection vector. source
- A privileged document an agent reads can hide an instruction it obeys (Greshake); a bigger model only widens what a leaked-privilege incident exposes. (arXiv:2302.12173)
Why is legal confidentiality especially exposed?
Because the agent's core function is to read documents and in law those documents include the most protected material there is. Greshake's indirect prompt injection works precisely by planting instructions in content the system retrieves, so the very act of having the agent read a document is the moment a hidden instruction can take hold and no direct access to the agent is needed. A legal agent reviewing a contract, summarizing a discovery production or analyzing opposing-party materials is reading exactly the kind of untrusted external content where such an instruction could be embedded and if it lands, the agent can be steered to disclose privileged communications, confidential client data or work product. A privilege breach is among the gravest failures in legal practice: it can waive protection, expose strategy, violate ethical duties and harm the client irreparably. The agent's helpfulness, reading and acting on documents, is the same surface that makes this exposure real.
The confidentiality risk also runs internally, without any attack. An agent with broad access to a firm's privileged materials can disclose them across matters, to the wrong party or in an output that should have been restricted, simply by being asked a question whose honest answer crosses a confidentiality boundary it was not built to respect.

What protects privilege?
Isolation of access and strict output control, with the documents treated as untrusted. Scope the agent's access so it can only reach the privileged material a specific task requires, treat every document it reads as potentially carrying injected instructions and validate every output against confidentiality and privilege boundaries before it is produced. Keep matters and clients isolated so the agent cannot bridge privilege between them and gate any output that would disclose protected material. The Greshake work shows that simply reading a document can be the attack, so the protection has to assume the input is hostile and the output must be controlled, which is the only posture that keeps privileged material from leaking through the agent that was built to read it.
| Posture | Privilege exposure |
|---|---|
| Broad access, documents trusted, output unchecked | Hidden instructions or honest answers leak privilege |
| Isolated access, documents untrusted, output controlled | Privileged material stays protected |
Controlling that access and output is part of what VibeModel does as the Pattern Intelligence Layer. We model the patterns of a legal task's legitimate access and authorized disclosure, treating documents as untrusted, so a legal agent reads and analyzes privileged material without becoming the channel that leaks it.
Frequently asked questions
How can reading a document be an attack?
Indirect prompt injection hides instructions in retrieved content, which the model obeys. Greshake showed this compromises real applications without direct access.
Is the risk only external?
No. An agent with broad access can leak privileged material across matters or to the wrong party with no attack, just by answering a question.
Why is a privilege breach so serious?
It can waive protection, expose strategy, breach ethical duties and harm the client irreparably, making it among the gravest failures in legal practice.

