arXiv — SoK: prompt injection attacks on agentic coding assistants

• Category: Research

  • What it is: a Systematization of Knowledge (SoK) on prompt injection against agentic coding assistants (tools + filesystem + shell + web + skill ecosystems).
  • Key framing: as assistants become agents, indirect prompt injection becomes “text → actions” (tool calls), not just “text → outputs”.
  • Taxonomy contribution: proposes a three-dimensional classification (delivery vectors, modalities, propagation behaviors) to unify scattered prior taxonomies.
  • Attack surface map: catalogs techniques spanning tool poisoning, protocol exploitation, multimodal injection, and cross-origin context poisoning.
  • Evidence synthesis: the paper’s meta-analysis argues many defenses degrade sharply under adaptive attackers (i.e., attacks that iteratively probe and bypass guardrails).
  • Practical takeaway: it pushes “defense-in-depth” and architectural separation (policy gates / least privilege / auditing) over brittle prompt filtering.

Why it matters

  • Security teams need a shared vocabulary: without a consistent taxonomy, it’s hard to prioritize controls, write tests, or even agree on what “prompt injection” means for agents.
  • Tool ecosystems behave like extension ecosystems: marketplace dynamics (copy/paste skills, forks, unofficial servers) can turn one bad integration into a repeatable exploit pattern.
  • Evaluation beats vibes: the paper’s framing is a reminder that “blocked in one demo” ≠ “mitigated”; you need adversarial tests and regressions.

What to do

  1. Build an agent threat model: enumerate tools, secrets reachable by tools, and which inputs are attacker-controlled (issues/PRs/docs/web/email).
  2. Introduce a policy enforcement point: require explicit allowlists / user confirmation for high-risk tool actions (write/delete, network egress, credential access).
  3. Constrain tool blast radius: run tools with least privilege (sandboxed working dir, minimal tokens, separate identities per tool) and log everything.
  4. Add “agentic prompt injection” tests: treat prompt injection like SQLi/XSS, keep a small adversarial suite, and run it in CI for every agent/prompt/tool change.
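
Steps 2 to 4 above fit together as one piece of code: a policy enforcement point that sits between the agent and its tools, applies allowlists and confirmation to high-risk actions, logs every decision, and is exercised by a small regression suite. The block below is an added illustration, not code from the paper or any shipping assistant. Tool names (`read_file`, `write_file`, `delete_file`, `shell`, `http_request`), the `origin` tag on a tool call, the sandbox path `/work/repo`, the host and command allowlists and the credential-path globs are all constructed for the example.

```python
"""Policy gate for agent tool calls (illustrative; all names and values constructed)."""
import fnmatch
import os
import time
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlparse


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    CONFIRM = "needs_user_confirmation"


# Tools whose side effects leave the sandbox: mutation, shell, egress.
HIGH_RISK_TOOLS = {"write_file", "delete_file", "shell", "http_request"}
# Credential locations that are never readable by a tool (constructed globs).
SECRET_GLOBS = ("*/.env", "*/.ssh/*", "*/.aws/*", "*credentials*", "*.pem")


@dataclass
class ToolCall:
    tool: str
    args: dict
    # "user": requested by the operator; "untrusted": proposed while the agent
    # was reading content it did not author (issues, PRs, docs, web, email).
    origin: str


@dataclass
class Policy:
    workdir: str                    # sandboxed working directory
    allowed_hosts: frozenset        # network egress allowlist
    allowed_commands: frozenset     # binaries a user-originated shell call may run unconfirmed
    audit_log: list = field(default_factory=list)


def _resolve(policy, path):
    # Anchor relative paths in the sandbox and collapse "..", so escapes are visible.
    return os.path.normpath(os.path.join(policy.workdir, os.path.expanduser(path)))


def _inside_workdir(policy, path):
    root = os.path.normpath(policy.workdir)
    return path == root or path.startswith(root + os.sep)


def _auto_allowed(policy, call):
    """Allowlist rules under which a user-originated high-risk call runs unconfirmed."""
    if call.tool == "shell":
        argv = call.args["command"].split()
        return bool(argv) and argv[0] in policy.allowed_commands
    return call.tool in ("write_file", "http_request")   # sandbox/host already checked


def decide(policy, call, confirmed=False):
    """Return (Decision, reason). Hard denies first, then allowlist/confirmation gating."""
    if call.tool in ("read_file", "write_file", "delete_file"):
        path = _resolve(policy, call.args["path"])
        if any(fnmatch.fnmatch(path, g) for g in SECRET_GLOBS):
            return Decision.DENY, f"credential path {path}"
        if not _inside_workdir(policy, path):
            return Decision.DENY, f"path outside sandbox: {path}"
    elif call.tool == "http_request":
        host = urlparse(call.args["url"]).hostname or ""
        if host not in policy.allowed_hosts:
            return Decision.DENY, f"egress to non-allowlisted host {host!r}"
    elif call.tool != "shell":
        return Decision.DENY, f"unknown tool {call.tool!r}"
    if call.tool not in HIGH_RISK_TOOLS:
        return Decision.ALLOW, "low-risk read inside sandbox"
    if confirmed:
        return Decision.ALLOW, f"{call.tool} explicitly confirmed by user"
    if call.origin == "untrusted":
        # Anything proposed while reading attacker-controllable text is never auto-run.
        return Decision.CONFIRM, f"{call.tool} proposed while processing untrusted content"
    if _auto_allowed(policy, call):
        return Decision.ALLOW, f"{call.tool} permitted by allowlist"
    return Decision.CONFIRM, f"high-risk tool {call.tool}"


def enforce(policy, call, confirmed=False):
    """Decide and append an audit record; the caller only executes on ALLOW."""
    decision, reason = decide(policy, call, confirmed)
    policy.audit_log.append({"ts": time.time(), "tool": call.tool, "args": call.args,
                             "origin": call.origin, "decision": decision.value, "reason": reason})
    return decision


def demo_policy():
    return Policy("/work/repo", frozenset({"api.github.com"}), frozenset({"pytest", "git"}))


def regression_cases():
    """Constructed CI cases: (name, call, expected decision)."""
    return [
        ("read in sandbox", ToolCall("read_file", {"path": "README.md"}, "user"), Decision.ALLOW),
        ("user write in sandbox", ToolCall("write_file", {"path": "src/app.py", "content": "x"}, "user"), Decision.ALLOW),
        ("write proposed from a doc", ToolCall("write_file", {"path": "src/app.py", "content": "x"}, "untrusted"), Decision.CONFIRM),
        ("user delete", ToolCall("delete_file", {"path": "src/app.py"}, "user"), Decision.CONFIRM),
        ("credential read", ToolCall("read_file", {"path": "/home/dev/.aws/credentials"}, "untrusted"), Decision.DENY),
        ("traversal out of sandbox", ToolCall("read_file", {"path": "../../etc/hostname"}, "untrusted"), Decision.DENY),
        ("allowlisted shell by user", ToolCall("shell", {"command": "pytest -q"}, "user"), Decision.ALLOW),
        ("non-allowlisted shell", ToolCall("shell", {"command": "make deploy"}, "user"), Decision.CONFIRM),
        ("egress to unknown host", ToolCall("http_request", {"url": "https://collector.example.net/x"}, "untrusted"), Decision.DENY),
        ("unknown tool", ToolCall("mystery", {}, "user"), Decision.DENY),
    ]


def run_regression(policy):
    """Names of cases whose decision differs from the expectation; empty list means pass."""
    return [name for name, call, want in regression_cases() if enforce(policy, call) != want]


if __name__ == "__main__":
    p = demo_policy()
    print("failures:", run_regression(p))
    for rec in p.audit_log:
        print(rec["decision"], "-", rec["tool"], "-", rec["reason"])
```

The `origin` tag is the piece most teams miss: a `write_file` the operator asked for and an identical `write_file` the model proposed after reading a pull request description get different treatment, and the gate, not the prompt, is what makes that distinction hold under an adaptive attacker. The regression list is what you would grow in CI as new delivery vectors are found; a change to a prompt or tool that flips any expected decision fails the build.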

Sources