LogJack — Indirect Prompt Injection Through Cloud Logs Against LLM Debugging Agents
AI relevance: LLM-powered debugging agents that read cloud logs and auto-execute remediation commands create a new indirect prompt injection surface — where attacker-controlled log entries become the injection vector.
Researcher Harsh Shah published LogJack (arxiv:2604.15368), the first systematic study of indirect prompt injection targeting LLM debugging agents that consume cloud log data. The paper introduces a benchmark of 42 payloads across 5 cloud log categories and evaluates 8 foundation models.
Key findings
- High execution rates: Under active conditions, verbatim command execution ranges from 0% (Claude Sonnet 4.6) to 86.2% (Llama 3.3 70B) across evaluated models.
- Passive instructions help but don't solve it: Adding "do not execute fixes" reduces most models to 0% — but Llama 3.3 still executes at 30.0%.
- RCE via curl | bash succeeds: Remote code execution through shell piping works on 6 of 8 tested models.
- Cloud guardrails largely fail: Azure Prompt Shield detected only 1 of 32 payloads (the most obvious). GCP Model Armor detected zero. Both detect identical payloads when presented in isolation — meaning the log context defeats the defenses.
- "Sanitize and execute" behavior: A novel pattern where a model detects and strips an obvious malicious component but still executes the remaining injected command — partial defense that still results in compromise.
Why it matters
As organizations deploy LLM agents for automated incident response and debugging, cloud logs become an untrusted data source that agents process with high authority. Attackers who can influence log content (through any application that writes to monitored logs) gain a stealthy injection channel that bypasses both user-facing and vendor-provided guardrails. The "sanitize and execute" behavior is particularly dangerous — it creates false confidence that defenses are working.
What to do
- Treat all log content consumed by LLM agents as untrusted input, regardless of source.
- Require explicit human approval before any agent-executed remediation command.
- Test cloud vendor guardrails against log-embedded injection specifically — isolation testing is not sufficient.
- Consider the LogJack benchmark (github.com/HarshShah1997/logjack) for evaluating your own agent configurations.