arXiv — Agent Data Injection (ADI): New IPI Category Bypasses All Defenses

  • Researchers from Seoul National University and UIUC introduce Agent Data Injection (ADI), a new category of indirect prompt injection (IPI) that exploits a fundamental security gap: current AI agents do not isolate trusted data from untrusted data
  • Unlike instruction injection (where untrusted data is misinterpreted as an instruction), ADI causes untrusted data to be misinterpreted as trusted data — such as security-critical metadata (resource identifiers, data origins) or agent context data (tool call and response formats)
  • The core attack technique is "probabilistic delimiter injection": by injecting delimiters of the data format (e.g., {} for JSON) into untrusted fields, attackers corrupt the LLM's interpretation of data structure, causing it to perceive attacker-controlled values as trusted metadata
  • While classic injection attacks (SQL injection, XSS) require exact delimiter syntax to succeed against deterministic parsers, LLMs interpret data probabilistically — even inexact delimiters (e.g., escaped characters) are probabilistically misinterpreted as structural delimiters
  • The paper demonstrates ADI through three attacks against real-world agents: arbitrary click attacks on web agents (Claude in Chrome, Antigravity, Nanobrowser), and remote code execution and supply-chain attacks on coding agents (Claude Code, Codex, Gemini CLI)
  • For web agents, a fake UI element causes the agent to click attacker-specified elements, effectively making any website with user-generated content vulnerable to XSS-like attacks
  • For coding agents, ADI enables remote code execution by injecting malicious tool call responses that the agent trusts and executes
  • ADI bypasses existing IPI defenses (model hardening, input guardrails, dual-LLM architectures) because these defenses focus on separating instructions from data, not on separating trusted data from untrusted data
  • The researchers evaluated ADI across off-the-shelf models and AI agents, finding it effective in both standalone LLMs and agent settings

Why it matters

This research exposes a critical blind spot in AI agent security. The industry has focused heavily on preventing instruction injection (where attacker data becomes commands), but ADI reveals that even when instructions are properly isolated, agents still fail to distinguish between trusted metadata (like "who wrote this comment" or "what tool returned this result") and attacker-controlled data. The probabilistic delimiter injection technique is particularly insidious because it exploits the fundamental way LLMs parse structured data — it's not a bug in a specific model, it's a structural vulnerability in how LLMs interpret context. The fact that ADI works against production agents (Claude Code, Codex, Gemini CLI) and bypasses all existing defenses means the entire AI agent ecosystem needs to rethink its security model.

What to do

  • Audit your AI agent deployments for trusted/untrusted data isolation — if your agent processes user-generated content or external data, assume it's vulnerable to ADI
  • Implement explicit data provenance tracking: tag all data with its source and enforce strict separation between trusted metadata and untrusted content
  • For web agents: treat all UI elements from user-generated content as untrusted, even if they appear to be legitimate metadata
  • For coding agents: validate tool call responses against expected schemas and reject responses that contain unexpected delimiters or structural elements
  • Monitor for anomalous agent behavior: arbitrary clicks on unexpected elements, tool calls with unusual parameters, or code execution from untrusted sources
  • Follow the research team's recommendations for defense-in-depth: combine input validation, output filtering, and runtime monitoring

Sources: