Bypassing LLM Supervisor Agents Through Indirect Prompt Injection
Praetorian describes an indirect prompt injection technique against a multi-agent customer service system where a supervisor model screened only the user’s chat message, while the primary chat agent also consumed profile data injected later into the final prompt. By placing adversarial text in a user-controlled field such as the account name, the researchers caused the downstream model to interpret profile metadata as instructions, enabling behaviors like system-prompt disclosure or false privilege assertions without tripping the supervisor. The root cause is architectural rather than model-specific: supervision happened before prompt enrichment, and the assembled context had no hard boundary separating untrusted data from executable instructions. The write-up is useful for teams deploying LLM guardrail patterns because it recommends concrete mitigations such as inspecting the fully assembled prompt, treating all user-editable fields and retrieved content as untrusted, adding structural delimiters/sanitization, and validating outputs for policy-breaking responses.