Indirect Prompt Injection: Payloads From Documents, URLs and Tool Output
The variant that travels inside content the LLM reads rather than what the user types. Documented as a serious risk class since the Greshake et al. 2023 paper.
“LLM-integrated applications blur the line between data and instructions, allowing adversaries to remotely affect other users' systems.”
Where the payload lives
RAG corpus
Any source the retriever can index: PDFs, public webpages, ticketing-system attachments, wiki pages. Hidden text and zero-width characters travel through cleanly.
Tool output
Anything an agent reads: search results, email bodies, code-search returns, CRM record notes. Attackers control these surfaces when the agent reaches outside the firewall.
Vendor coverage on indirect
| Vendor | LLM01 | LLM02 | LLM03 | LLM04 | LLM05 | LLM06 | LLM07 | LLM08 | LLM09 | LLM10 |
|---|---|---|---|---|---|---|---|---|---|---|
| Bedrock Guardrails | ✓ | ✓ | ✗ | ✗ | ✓ | ✗ | ✗ | ✗ | ✓ | ✗ |
| Model Armor | ✓ | ✓ | ✗ | ✗ | ✓ | ✗ | ✗ | ✗ | ✓ | ✗ |
| Azure Prompt Shields | ✓ | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ | ✓ | ✗ |
| Lakera | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗ | ✗ | ✗ |
| Prisma AIRS | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| CalypsoAI | ✓ | ✓ | ✗ | ✗ | ✓ | ✗ | ✓ | ✗ | ✗ | ✗ |
| Pillar | ✓ | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ | ✗ | ✗ |
Coverage shown is for LLM01 prompt injection (which subsumes indirect) and adjacent vectors. Indirect-specific filters are an emerging category, not all vendors break it out.
Defensive controls
- Sanitise content before it enters the model context (strip zero-width chars, normalise unicode).
- Run a runtime guardrail on retrieved content, not just user input.
- Limit tool authority: read-only by default, write actions behind a human-in-the-loop.
- Add provenance metadata to every retrieved chunk for downstream attribution.
See /agentic-ai-security for the agent / tool-call variant in depth, and /prompt-injection-examples for concrete indirect payloads.