The instruction your agent obeyed was hidden in a document it retrieved

You never typed it. Your user never typed it. It was sitting in a web page, a PDF, or a support ticket, waiting for your agent to read it as a command.

B

Balagei G Nagarajan

3 MIN READ


An innocent-looking document with a hidden instruction glowing inside it as an agent reads

Key facts.

  • Indirect prompt injection was demonstrated against real apps (Bing Chat, GPT-4 code completion) by planting instructions in retrievable content (Greshake et al., 2023).
  • The attack surface is retrieval itself: the malicious instruction sits in content the agent fetches, not in what the user typed.
  • PoisonedRAG reached a 90% attack success rate with just five injected documents in a knowledge base of millions (PoisonedRAG, USENIX Security 2025).
Any retrieved content qualifies: search results, emails, tickets, scraped pages.
— from "The instruction your agent obeyed was hidden in a document it retrieved"

Why can't the model just ignore instructions in documents?

Because to the model, a retrieved document and your prompt are the same thing: tokens in a context window. There's no native boundary that says "treat this part as data and that part as a command." Attackers exploit exactly this. They write a paragraph that looks like ordinary content to a human and reads as an instruction to the model, then place it where your agent retrieves it. The agent isn't malfunctioning. It's doing what the text said.

Flow diagram showing untrusted content entering retrieval, becoming part of the prompt, and driving an action

Trusting retrieval vs. tainting it

Trusting retrievalTainting retrieval
Retrieved text treated as safe contextRetrieved text treated as untrusted
Hidden instructions executedInstruction-like content flagged
Actions ungated after retrievalSensitive actions gated after ingestion

VibeModel's Pattern Intelligence Layer recognizes retrieved content that behaves like an instruction and the agent behavior that follows it, the hidden command gets caught before it drives an action. You retrieve what you need; we make sure a document can't quietly become your agent's new orders.

Frequently asked questions

Does this only affect RAG?
No. Any retrieved content qualifies: search results, emails, tickets, scraped pages. RAG is just the most common channel.

Can I sanitize the documents?
Partly, and it helps, but determined attackers hide instructions in ways filters miss. Treat retrieval as tainted and gate the dangerous actions downstream.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.