Your agent's output is an input to something else, so validate it

Whatever your agent produces gets rendered, executed, or stored downstream. Unchecked output is just injection pointed the other way.

B

Balagei G Nagarajan

3 MIN READ


Agent output flowing into a browser, a database, and a shell, each a place it could execute
Trusting output because it came from your own agent is the same mistake as trusting any unvalidated string.
— from “Your agent's output is an input to something else, so validate it”

Key facts.

  • Model output hitting a browser, database, or shell can execute as XSS, SSRF, or a command. Validate before it reaches any downstream system.
  • A markdown image URL in output is a real exfiltration channel when the client auto-fetches it, EchoLeak showed this in production.
  • Output validation has to match the destination: escape for HTML, parameterize for SQL, allow-list for shell, before the output is used.
  • Concede a frontier model its excellence and its output still runs as XSS or a command: EchoLeak's image leaked Copilot data, the incident in the output you skipped.

Why isn't input validation enough?

The agent is now a source of untrusted content. Even with clean inputs, the model can produce something malicious, from an injection that slipped through, a hallucination, or a deliberate adversarial prompt. Trusting output because it came from your own agent is the same mistake as trusting any unvalidated string. The browser doesn't know it came from an LLM. It runs it.

Funnel diagram showing agent output passing through destination-specific validation before reaching each downstream system

Trusted output vs. validated output

Trusted outputValidated output
Output rendered or run as-isOutput escaped for its destination
Markdown exfiltration possibleAuto-fetch links stripped or gated
Injection expresses in outputMalicious output neutralized

VibeModel's Pattern Intelligence Layer flags output that matches a dangerous pattern for its destination, an exfiltration link, a script payload, a destructive command, before it leaves the agent. You validate per destination; we catch the malicious output the validator wasn't expecting. Both directions of the boundary deserve the same suspicion.

Frequently asked questions

What's the most overlooked output risk?
Auto-rendered markdown and HTML. An image or link in the output can pull data the instant a client renders it. EchoLeak is the production example.

Do I validate even agent-to-agent output?
Yes. The receiving agent is a downstream system. Unvalidated output is how one compromised agent infects the next.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.