
Key facts.
- Indirect prompt injection was demonstrated against real apps (Bing Chat, GPT-4 code completion) by planting instructions in retrievable content (Greshake et al., 2023).
- The attack surface is retrieval itself: the malicious instruction sits in content the agent fetches, not in what the user typed.
- PoisonedRAG reached a 90% attack success rate with just five injected documents in a knowledge base of millions (PoisonedRAG, USENIX Security 2025).
Why can't the model just ignore instructions in documents?
Because to the model, a retrieved document and your prompt are the same thing: tokens in a context window. There's no native boundary that says "treat this part as data and that part as a command." Attackers exploit exactly this. They write a paragraph that looks like ordinary content to a human and reads as an instruction to the model, then place it where your agent retrieves it. The agent isn't malfunctioning. It's doing what the text said.

Trusting retrieval vs. tainting it
| Trusting retrieval | Tainting retrieval |
|---|---|
| Retrieved text treated as safe context | Retrieved text treated as untrusted |
| Hidden instructions executed | Instruction-like content flagged |
| Actions ungated after retrieval | Sensitive actions gated after ingestion |
VibeModel's Pattern Intelligence Layer recognizes retrieved content that behaves like an instruction and the agent behavior that follows it, the hidden command gets caught before it drives an action. You retrieve what you need; we make sure a document can't quietly become your agent's new orders.
Frequently asked questions
Does this only affect RAG?
No. Any retrieved content qualifies: search results, emails, tickets, scraped pages. RAG is just the most common channel.
Can I sanitize the documents?
Partly, and it helps, but determined attackers hide instructions in ways filters miss. Treat retrieval as tainted and gate the dangerous actions downstream.

