
Key facts.
- The lethal trifecta (private data, untrusted content, external communication) describes when an agent can be tricked into exfiltration; multi-agent systems often have all three internally (Willison, 2025).
- Inter-agent messages are untrusted content to the receiver, so a compromised agent becomes an injection vector for the rest of the team; AgentDojo formalizes this by measuring attacks that hijack agents through the data their tools return (AgentDojo, 2024).
- A gradual multi-turn jailbreak can walk an agent off its task one benign turn at a time, succeeding across GPT-4 and Gemini, so the attack isn't theoretical (Crescendo, 2024).
- A poisoned message becomes a trusted instruction, and a stronger model still obeys: Crescendo lands on GPT-4 and Gemini, an incident per turn. (arXiv:2406.13352)
Why does the next agent trust the poisoned message?
Because it has no reason not to. Agents are usually built to treat peer outputs as collaborative input, not as adversarial data. there's rarely a taint boundary at the handoff that says "this came from an agent that read untrusted content, so treat its instructions with suspicion." Without that boundary, a single compromised agent launders attacker instructions into the team's shared workflow, and each downstream agent acts on them confidently.

Trusting handoffs vs. tainting them
| Trusting handoffs | Tainting untrusted input |
|---|---|
| Peer messages treated as safe | Messages from tainted agents flagged |
| One compromise spreads freely | Compromise contained at the boundary |
| No exfiltration gate | Exfiltration actions require approval after taint |
VibeModel's Pattern Intelligence Layer watches inter-agent messages for the patterns of injection, an instruction where data was expected, a sudden shift in an agent's behavior after reading external content, and contains it at the boundary. You treat peer output as data, not gospel; we flag when that data is trying to give orders.
Frequently asked questions
Isn't this just single-agent injection repeated?
it's worse, because the coordination layer spreads it. One compromise reaches every agent that reads the poisoned message.
How do I contain it?
Treat ingestion of untrusted content as a taint event and gate exfiltration-capable actions downstream of it, even between your own agents.

