Local LLM agents are being given web-fetching tools. Untrusted text is the inevitable result. Whether these agents handle it safely is something most developers haven’t measured.
I tested Qwen 2.5 at two different sizes (1.5B and 3B) against identical indirect prompt injection payloads. Both models willingly complied with the injection in the majority of cases.
Code: github.com/leoelsolh/indirect-prompt-injection
What is indirect prompt injection?
First of all, direct prompt injection is when an attacker controls the user input to an LLM. Indirect prompt injection (IPI) is when an attacker controls something the LLM reads on the user’s behalf, say a web page, a PDF, an email, or even a document you asked the agent to summarise. The LLM is asked to act on content, and the content itself contains instructions trying to control or manipulate the model’s behavior.
...