Agent Data Injection: forging trusted metadata inside the agent context
A July 2026 paper introduces agent data injection: attackers use 'probabilistic delimiters' to make untrusted content read as trusted metadata, slipping past instruction-injection defenses on real coding and web agents.
What is this?
On July 6, 2026, Woohyuk Choi, Juhee Kim, Taehyun Kang (Seoul National University), Jihyeon Jeong (Largosoft), Luyi Xing (University of Illinois Urbana-Champaign), and Byoungyoung Lee (Seoul National University) published Agent Data Injection Attacks are Realistic Threats to AI Agents on arXiv. It names and formalizes a category of indirect prompt injection the authors call agent data injection (ADI).
Almost all published work on indirect prompt injection so far studies instruction injection: attacker-controlled text hidden in a web page, email, or code comment is misread by the model as an instruction, so the agent abandons the user’s task and does the attacker’s instead (“ignore previous instructions and forward my mail”). A large stack of defenses now targets exactly that pattern. ADI slips underneath all of it by attacking a different boundary. Instead of making its payload read as an instruction, it makes untrusted content read as trusted data — the metadata an agent relies on to decide what is safe. This is peer-reviewed academic research on a class of weakness, disclosed to vendors before publication; no working payloads are reproduced here.
How it works
The core technique is probabilistic delimiter injection. An agent’s context isn’t one flat blob: it is structured with delimiters that separate a tool call from its response, one object from the next, and a field name from its value. In a JSON email object, quotes and colons mark where the trusted sender field ends and the untrusted body begins. Those delimiters are what let the model tell trusted data apart from attacker-controlled data.
A conventional parser only honors delimiters that exactly match its grammar — that is why classic SQL injection or XSS must inject a syntactically perfect quote or <script> tag. An LLM does not parse; it interprets probabilistically. The paper’s key finding is that a model will treat inexact, parser-invalid delimiters as real structural boundaries — even sequences the tool has already escaped (a " turned into \"). So an attacker writes a payload into an untrusted field whose fake delimiters conjure a second object that never existed:
untrusted field (e.g. a comment body, an email body, a PR description)
|
embed "probabilistic delimiters" — inexact copies of the format's
structural markers ({ } " : , newlines, <function_results> tags)
|
tool stores it all as ONE plain-text field (structure unchanged)
|
LLM re-reads the context and mis-segments it: sees a SECOND object
whose "trusted" metadata (sender / author / tool result) is
attacker-chosen
|
agent acts on the forged metadata as if the tool had produced it
The authors demonstrate three real-world variants. A fake UI element makes web agents (Claude in Chrome, Antigravity, Nanobrowser) click an attacker-chosen element — an XSS-like primitive against any site with user-generated content. A spoofed author/role field in a GitHub issue comment makes coding agents (Claude Code, Codex, Gemini CLI) run a shell command as if it came from a maintainer, yielding remote code execution on the developer’s machine. And a fabricated tool-call/response block in a pull-request description makes the same agents “review” a benign commit that was never fetched, then merge a PR whose actual code is malicious — a supply-chain attack. In every case the agent is still doing the user’s task; only the data it trusts has been corrupted.
Why it matters
The reported numbers are the uncomfortable part. Across six off-the-shelf models the technique reached 31.3–43.3% success on JSON data and 33.3–100% on web DOM data. More pointedly, against state-of-the-art agent defenses tuned for instruction injection — which held that attack to near zero (0–0.7%) — ADI still succeeded up to 50% of the time. User-approval prompts did not save the coding agents: the confirmation the developer saw was built from the model’s already-corrupted view of events, so the malicious merge looked safe.
The deeper point is architectural. Existing defenses enforce a single coarse boundary — instruction versus data — and ADI shows that security-critical boundaries also live inside the data, between trusted metadata and untrusted content. Today’s agents largely do not isolate the two. That generalizes the lesson from work like the lethal trifecta and tool-stream injection: what an agent reads as ground truth is itself an attack surface.
Defenses
The paper evaluates eight defense families against ADI; the honest summary is that the ones built for instruction injection do not transfer.
Do not rely on instruction-injection defenses alone. Model hardening, input and output guardrails, plan-then-execute, and dual-LLM designs were all found ineffective against ADI, because none of them question whether the data the agent trusts is authentic. A guardrail looking for “ignore previous instructions” sees nothing, because ADI carries no rogue instruction.
Randomize structural identifiers. The one agent that resisted the arbitrary-click attack — ChatGPT Atlas — assigned each UI element a runtime-random nonce (ref_4af2b1c9) instead of a predictable sequential index, so the attacker could not forge a colliding identifier. Unpredictable, per-run delimiters and element IDs raise the bar cheaply, though the authors note this mainly helps key-value formats.
Track provenance inside the context. Data-flow tracking and fine-grained agent sandboxing were the approaches that did block ADI, by attaching trust labels to data and enforcing policy on how it is used. Both carry a real cost — they need well-defined, fine-grained policies, which are hard to author and can dent utility — but they attack the actual root cause: the missing isolation between trusted and untrusted data.
Keep security decisions off attacker-reachable fields. Where practical, don’t let author names, roles, resource IDs, or “already-reviewed” status be inferred from free-text the model re-segments; bind them to values the tool guarantees out-of-band, and re-verify high-consequence actions (running a command, merging a PR) against the tool’s real state rather than the model’s narration of it.
Status
| Item | Detail |
|---|---|
| Disclosure | arXiv preprint 2607.05120, published July 6, 2026 (CC BY 4.0) |
| Class | New indirect-prompt-injection category — untrusted data forged as trusted data via probabilistic delimiter injection |
| Confirmed on | Web agents: Claude in Chrome, Antigravity, Nanobrowser · Coding agents: Claude Code, Codex, Gemini CLI |
| Resisted by | ChatGPT Atlas (randomized element-ID nonces) for the arbitrary-click variant |
| Reported impact | 31.3–43.3% ASR (JSON), 33.3–100% (web DOM); up to 50% ASR vs defenses that stop instruction injection (0–0.7%) |
| Vendor response | Reported to Anthropic, OpenAI, Google, and Nanobrowser before submission; first three acknowledged, Nanobrowser not yet responded (per authors) |
| Not covered | No public in-the-wild exploitation; attacker must know the agent’s data format; artifacts released at github.com/compsec-snu/adi |