
Key facts.
- Model output hitting a browser, database, or shell can execute as XSS, SSRF, or a command. Validate before it reaches any downstream system.
- A markdown image URL in output is a real exfiltration channel when the client auto-fetches it, EchoLeak showed this in production.
- Output validation has to match the destination: escape for HTML, parameterize for SQL, allow-list for shell, before the output is used.
- Concede a frontier model its excellence and its output still runs as XSS or a command: EchoLeak's image leaked Copilot data, the incident in the output you skipped.
Why isn't input validation enough?
The agent is now a source of untrusted content. Even with clean inputs, the model can produce something malicious, from an injection that slipped through, a hallucination, or a deliberate adversarial prompt. Trusting output because it came from your own agent is the same mistake as trusting any unvalidated string. The browser doesn't know it came from an LLM. It runs it.

Trusted output vs. validated output
| Trusted output | Validated output |
|---|---|
| Output rendered or run as-is | Output escaped for its destination |
| Markdown exfiltration possible | Auto-fetch links stripped or gated |
| Injection expresses in output | Malicious output neutralized |
VibeModel's Pattern Intelligence Layer flags output that matches a dangerous pattern for its destination, an exfiltration link, a script payload, a destructive command, before it leaves the agent. You validate per destination; we catch the malicious output the validator wasn't expecting. Both directions of the boundary deserve the same suspicion.
Frequently asked questions
What's the most overlooked output risk?
Auto-rendered markdown and HTML. An image or link in the output can pull data the instant a client renders it. EchoLeak is the production example.
Do I validate even agent-to-agent output?
Yes. The receiving agent is a downstream system. Unvalidated output is how one compromised agent infects the next.

