LUDA HEX

Type to search the docs and blog.

// blog

Prompt injection in agentic AI tooling

The moment you let a language model call tools — read files, hit APIs, run code — every piece of text it reads becomes a potential instruction. Prompt injection stops being a curiosity and becomes a genuine application security problem.

The confused deputy, again

An agent acts with your privileges but takes direction from content it doesn’t control. A malicious web page, document, or email can quietly redirect it. It’s the confused deputy problem wearing a new hat.

Defences that actually help

  • Treat model output as untrusted input to every tool it drives
  • Constrain tool scope with real authorisation, not prompt instructions
  • Keep a human in the loop for anything irreversible

This is just the overview — I’ll be adding more about this in future.

← All posts