Stage 3: Instruction/Input Weaponization

Attacker embeds explicit instructions directly in the user input (prompt).

Why It Works

• LLMs are instruction followers by design. They are trained to obey imperative text, so commands inside normal content can still be executed.

• Instruction hierarchy is often simulated, not enforced. The model guesses which text has authority, so attacker wording can appear higher priority.

• “User intent” is treated as authoritative. The model tries to satisfy the goal it perceives, so reframing can make unsafe actions seem intended.

Conceptual attacker patterns

• Attackers insert commands that redirect the model’s focus. The model often privileges recent or explicit instructions, which lets these overrides take effect.

• Attackers label their injected text as the “top priority.” The model may elevate that text above earlier guidance because it tries to follow stated importance.

• Attackers tell the model to disregard existing constraints. The model still tries to reconcile the contradiction, which can weaken guardrail enforcement.

• Attackers hide commands inside quotes, code, or structured text. The model may still treat these embedded blocks as actionable instructions.

Defender blind spots

• Defenders often rely on keyword matching or known jailbreak patterns. This misses alternate phrasing and structural tricks that achieve the same effect.

• A refusal message does not mean the model ignored the malicious input. The model still processed it, which can leak reasoning or behavior.

• Developers often expect system instructions to override everything else. The model still considers all visible text, so attacker inputs can influence its reasoning.

Attacker places instructions inside data the model later consumes.

Examples of data channels with instructions

• RAG documents

• PDFs

• Emails

• Tickets

• Logs

• Wiki pages

• CSV fields

Why is this a highly dangerous technique

• No confrontation with safety logic. The model sees the content as reference material, not a request to evaluate.

• No “ignore rules” language. The text avoids typical jailbreak triggers and blends into normal data.

• Appears as trusted enterprise data. The model assumes retrieved context is safe and authoritative.

• Often persists across users. Injected content can influence many sessions long after the initial attack.

The core failure

The model treats retrieved text as context and instructions, not untrusted input.

Key insight

RAG turns stored data into a delayed execution channel that persists across sessions.

This is the AI equivalent of

• Stored XSS. Malicious content sits in storage until a system executes it.

• SQL injection via trusted table. Poisoned data inside a safe source influences downstream logic.

• Supply‑chain compromise. A trusted component carries attacker-controlled modifications that spread impact.

Instructions are hidden inside

• JSON

• YAML

• Markdown

• Tables

• Comments

• Metadata

• Natural-language explanations

Why it works

• Large language models interpret meaning rather than strictly following syntax. They do not treat format boundaries as security barriers.

• Even when content appears to be just data, the model still tries to extract intent. This makes these structures unreliable as protective layers.

Typical smuggling actors

• Description fields. These often hold free-form text that the model trusts as context.

• Comments. These are assumed to be harmless, but the model reads them as part of the input.

• Footnotes. Supplemental notes can embed instructions that appear secondary but still influence output.

• Column headers. Labels can include wording that reframes how the model interprets the data.

• Error messages. Diagnostic text can carry commands that the model treats as guidance.

Structured formats shouldn’t be assumed to be safer.

Tool argument poisoning is when valid tool inputs smuggle instructions that later get executed because they are mistaken for trusted internal data.

Examples (high‑level)

• Instructions in text fields such as descriptions, notes, and comments. These free‑form fields can hide imperatives that later look like legitimate task parameters.

• Ambiguous filters. Vague or flexible filter values can contain phrasing the model interprets as instructions instead of constraints.

• Natural language passed to powerful APIs. Human‑readable text can accidentally act as commands when forwarded into systems expecting strict parameters.

• Free‑text parameters interpreted as commands. Any field that accepts open text can carry instructions the system treats as actionable input.

Why it works

• Tools are often over‑privileged. They can execute actions far beyond what the model should be allowed to trigger.

• Validation is weak or absent. Inputs are rarely checked for intent, formatting safety, or hidden directives.

• No provenance tagging as user‑generated text. The system cannot distinguish trusted internal data from attacker-supplied instructions.

• The agent trusts the tool output. It assumes the result is safe and authoritative, even if it contains injected instructions.

• The model is trusted to “do the right thing.” This assumption lets malicious arguments pass through without scrutiny.

The model is now a command generator for real systems. This turns poisoned arguments into real operational actions.

Attacker plants instructions intended to be remembered, reused, or reinforced later. This is weaponization aimed at persistence, even before execution.

Why it works

• Memory systems rarely filter instructional content. They store attacker text as helpful information rather than potential manipulation.

• Memory feels helpful, not dangerous. Systems treat stored content as personalization, which lowers scrutiny.

• Memory often bypasses future safety checks. Retrieved memories are treated as trusted context instead of fresh user input.

• Memory is delayed execution plus persistence. Saved instructions can influence future sessions long after the attacker is gone.