[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-83901-en":3,"doc-seo-83901-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},83901,8796095461610,"Oliver","https://ap-avatar.wpscdn.com/davatar_276721f389ce27ea32af1340a28f341c",8,"Research & Report","Agent Data Injection Attacks Are Realistic Threats to AI Agents","AI agents act on behalf of user prompts by consuming external data and making decisions from agent context. Prior AI agent security work concentrated on indirect prompt injection, especially instruction injection, where untrusted data is treated as an instruction. This paper proposes agent data injection attacks (ADI), where malicious payloads are disguised as trusted data such as security-critical metadata or tool context, leading agents to execute unintended actions. ADI mirrors instruction injection impacts yet bypasses existing defenses and exposes a lack of trusted/untrusted data isolation.","Agent Data Injection Attacks are Realistic Threats to AI Agents  \nWoohyuk Choi∗  \nSeoul National University [00cwooh@snu.ac.kr](00cwooh@snu.ac.kr)  \nJuhee Kim∗  \nSeoul National University [kimjuhi96@snu.ac.kr](kimjuhi96@snu.ac.kr)  \nTaehyun Kang Seoul National University [gangtaeng_parangvo@snu.ac.kr](gangtaeng_parangvo@snu.ac.kr)  \nJihyeon Jeong Largosoft  \n[stellaris08@proton.me](stellaris08@proton.me)  \nLuyi Xing  \nUniversity of Illinois Urbana-Champaign [lxing2@illinois.edu](lxing2@illinois.edu)  \nByoungyoung Lee Seoul National University [byoungyoung@snu.ac.kr](byoungyoung@snu.ac.kr)  \narXiv :2607 .05 120v 1 [ cs .CR] 6 Jul 2026  \nAbstract—AI agents act on behalf of user prompts, consuming external data and taking actions based on the agent context. Prior research on AI agent security has primarily focused on indirect prompt injection (IPI). Its most well-studied category is instruction injection, where attacker-controlled untrusted data is interpreted as an instruction. In response, many mitigationshave been proposed to prevent instruction injection attacks. In this paper, we introduce a new category of IPI, agent data injection attacks (ADI). ADI injects malicious data disguised as trusted data, such as security-critical metadata (e.g., resource identifiers or data origins) or agent context data (e.g., tool call and response formats). As a result, agents unknowingly execute unintended actions based on attacker-controlled data. ADI has similar attack impacts as instruction injection attacks, because it causes agents to misbehave and execute unintended actions. Despite the similar impact, ADI remains underexplored and easily bypasses existing IPI defenses. We found several critical vulnerabilities in real-world agents that allow an attacker to launch various attacks: arbitrary click attacks on web agents (Claude in Chrome, Antigravity, and Nanobrowser), and remote code execution and supply-chain attacks on coding agents (Claude Code, Codex, and Gemini CLI). We evaluate ADI vulnerabilities across off-the-shelf models and AI agents, and find that ADI is effective in both standalone LLMs and AI agent settings. ADI exposes a critical gap in agent security, signifying that current AI agents do not employ a fundamental security principle: current agents do not isolate trusted data from untrusted data.  \n1. Introduction  \nAI agents extend large language models (LLMs) by connecting them with tools that interact with external environments. AI agents are rapidly being adopted in realworld workflows, such as reading emails, browsing the web, and executing code [1–3] . In these workflows, AI agents often process data from various external sources, which may include both trusted (e.g., the author of a comment) and  \n* . Equal contribution  \nattacker-controlled data (e.g., the content of a comment) . As mixing trusted and untrusted data has historically led to security vulnerabilities in traditional systems [4, 5], it is important to understand how AI agents handle such data.  \nPrior research on AI agent security has primarily focused on indirect prompt injection (IPI) [6–8] . Its most well-studied category is instruction injection, where attacker-controlled data is misinterpreted as an instruction. In response, defenses such as model hardening [9, 10], input guardrails [11, 12], and dual-LLM [13, 14] have been proposed. While the technical details vary, the core idea behind these defenses is to separate instructions from agent data, thereby preventing attacker-controlled data from influencing the agent’s behavior.  \nThis paper introduces ADI, a new category of IPI that exploits a different vulnerability, the lack of isolation between trusted and untrusted data. Unlike instruction injection, which causes untrusted data to be misinterpreted as an instruction, ADI causes untrusted data to be misinterpreted as trusted data. This has critical security implications because trusted data often includes security-sensitive metadata such as the ","cbCaim0O7zidlrNb","https://ap.wps.com/l/cbCaim0O7zidlrNb","pdf",3597499,1,19,"English","en",105,"# Introduction\n## Background: Indirect Prompt Injection and Instruction Injection\n## New Attack Category: Agent Data Injection (ADI)\n## Core Technique: Probabilistic Delimiter Injection\n## Real-World Demonstrations and Attack Types\n## Evaluation and Key Findings","[{\"question\":\"What are agent data injection attacks (ADI)?\",\"answer\":\"ADI is a type of indirect prompt injection where attacker-controlled data is disguised as trusted data. The agent then misinterprets it as trusted metadata or context and performs unintended actions.\"},{\"question\":\"How does ADI achieve trusted-data misinterpretation?\",\"answer\":\"ADI uses probabilistic delimiter injection: attackers inject delimiters that corrupt an LLM’s probabilistic interpretation of data structure. This causes attacker values to be treated as structural, security-relevant fields.\"},{\"question\":\"Why do existing instruction-injection defenses not adequately protect against ADI?\",\"answer\":\"Many defenses focus on separating instructions from agent data, but ADI targets isolation between trusted and untrusted data. As a result, ADI can bypass defenses designed for instruction injection patterns.\"}]",1784191323,48,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"agent-data-injection-attacks-are-realistic-threats-to-ai-agents","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/agent-data-injection-attacks-are-realistic-threats-to-ai-agents/83901/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"What are agent data injection attacks (ADI)?","Question",{"text":75,"@type":76},"ADI is a type of indirect prompt injection where attacker-controlled data is disguised as trusted data. The agent then misinterprets it as trusted metadata or context and performs unintended actions.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"How does ADI achieve trusted-data misinterpretation?",{"text":80,"@type":76},"ADI uses probabilistic delimiter injection: attackers inject delimiters that corrupt an LLM’s probabilistic interpretation of data structure. This causes attacker values to be treated as structural, security-relevant fields.",{"name":82,"@type":73,"acceptedAnswer":83},"Why do existing instruction-injection defenses not adequately protect against ADI?",{"text":84,"@type":76},"Many defenses focus on separating instructions from agent data, but ADI targets isolation between trusted and untrusted data. As a result, ADI can bypass defenses designed for instruction injection patterns.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,115,120,123,128,131,135],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":111,"doc_module":4,"doc_module_name":45,"category_name":112,"show_sort_weight":113,"slug":114},6,"Technology",50,"technology",{"id":116,"doc_module":4,"doc_module_name":45,"category_name":117,"show_sort_weight":118,"slug":119},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":121,"slug":122},30,"research-report",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":125,"show_sort_weight":126,"slug":127},9,"Religion & Spirituality",20,"religion-spirituality",{"id":126,"doc_module":4,"doc_module_name":45,"category_name":129,"show_sort_weight":126,"slug":130},"World Cup","world-cup",{"id":132,"doc_module":4,"doc_module_name":45,"category_name":133,"show_sort_weight":132,"slug":134},10,"Lifestyle","lifestyle",{"id":21,"doc_module":4,"doc_module_name":45,"category_name":136,"show_sort_weight":106,"slug":137},"General","general"]