Prompt injection in multi-agent systems

Black Hat: prompt injection on multi-agent LLM systems bounded by agent permissions Black Hat
TL;DW
  • Prompt injection power is bounded by agent permissions—control planner output controls plans; control tool-use agent controls tool execution.
  • Observability is critical: collect telemetry at LLM-to-code seams (where system prompt meets dynamic content) to detect attacks early.
  • Mirror system prompt patterns (markdown, spacing, tool argument names) when crafting prompt injections for higher success rates.
  • Data exfiltration often requires chaining LLM compromise with infrastructure hacks (CSP bypasses, expired domain purchases, credential misuse).
  • Stored prompt injections via RAG documents can persistently infect user long-term memory, enabling lateral platform attacks across multiple users.
  • Use lightweight prompt guards (Purple Llama's 300M-parameter model on CPU) for fast detection on dynamic content only, not full prompts.
  • Enforce tool-call policies: orchestrators must validate that agents call tools in standard ways with correct arguments and permissions.
  • LLM-as-judge with few-shot examples of platform-specific prompt injections generates medium-to-weak detection signal when deployed in parallel.
  • Scope agent capabilities per task: grant minimal permissions for each session, revoke after completion to limit blast radius.
  • Attacks are non-deterministic—prompt injections failing initially doesn't mean success is impossible; attackers retry dozens to hundreds of times.

Maps the attack surface across orchestration frameworks with five CVEs—VS Code Copilot, Outlook Copilot, Salesforce agents—showing kill chains from RAG poisoning to CSP-bypass exfiltration. Defenses focus on context firewalls, scoped per-session capabilities, and telemetry at LLM-to-code boundaries.