Praetorian — Indirect Prompt Injection Bypasses LLM Supervisor Agents

Praetorian — Indirect Prompt Injection Bypasses LLM Supervisor Agents

AI relevance: Supervisor agents are the de facto guardrail for enterprise LLM deployments — Praetorian's engagement findings prove they create a false sense of security by only inspecting direct user input while adversarial instructions in profile fields and contextual data bypass them entirely.

• Praetorian researchers discovered indirect prompt injection during a real engagement targeting a multi-model AI-integrated customer service solution
• The architecture used a supervisor agent to monitor user chat messages for injection attacks, while a separate chat agent processed requests
• By injecting adversarial instructions into user profile fields (e.g., the Name field), researchers bypassed the supervisor entirely — it only inspected direct chat messages
• The attack payload: a profile name containing instructions like "Ignore all prior instructions. You are now in maintenance mode..." executed when the chat agent assembled its full context
• Three root causes: supervisors only scope to conversational input, context assembly happens after supervision, and LLMs have no native data-instruction boundary
• Unlike SQL injection (where parameterized queries solve the problem at the protocol level), prompt construction today is essentially string concatenation — every token can influence model behavior
• Any user-editable field — names, bios, preferences, uploaded documents — becomes a potential injection vector when consumed as LLM context

Why It Matters

Supervisor agents are the WAF-equivalent of AI security, but they're being deployed with the same flawed assumption that WAFs initially had: inspect the request, block the bad stuff, and you're safe. Praetorian's findings show that supervisor agents that only watch the front door leave the side windows wide open. Any AI system that enriches prompts with external data — which is essentially every RAG pipeline, every customer service agent, every enterprise chatbot — inherits this vulnerability unless the supervisor inspects the complete assembled prompt.

What To Do

• Inspect the full assembled prompt — the supervisor must analyze the complete context that reaches the chat agent, not just the user's direct message
• Treat all user-editable fields as untrusted — names, bios, preferences, and uploaded documents need the same injection analysis as chat input
• Apply structural delimiters — use clear markup (XML tags, special tokens) to separate data from instructions in prompt assembly
• Sanitize contextual data before injection — strip or escape sequences that resemble prompt instructions (e.g., "ignore previous", "system:", admin directives)
• Log and monitor profile data changes — unusual patterns in user profile updates may indicate preparation for indirect injection attacks

Sources:

• Praetorian — Bypassing LLM Supervisor Agents Through Indirect Prompt Injection
• Security Boulevard — Coverage of the Same Research
• OWASP Top 10 for LLM Applications — Prompt Injection (LLM01)