📄 中文摘要
提示注入是一种针对 AI 代理系统的供应链攻击,大多数代理对此并没有防御机制。当代理调用工具(例如读取文件、获取网页或查询 API)时,它会将响应放入上下文中并进行推理。如果响应中包含恶意字符串,例如指示代理泄露用户的 API 密钥,且代理未对外部输入进行验证,它可能会遵循这些指令。这种情况并不是因为代理存在缺陷,而是因为它被告知遵循指令,而这些内容看起来确实像是指令。提示注入的风险在于,攻击者可以利用这一点来操控 AI 代理执行不当的操作。
提示注入:你的 AI 代理可能当前面临的攻击
📄 English Summary
Prompt Injection: The Attack Your AI Agent Is Probably Vulnerable To Right Now
Prompt injection is a supply chain attack targeting AI agent systems, and most agents lack defenses against it. When an agent calls a tool—such as reading a file, fetching a webpage, or querying an API—it takes the response and incorporates it into context for reasoning. If that response contains a crafted string instructing the agent to exfiltrate user API keys, and the agent does not validate external input, it may comply. This compliance is not due to a flaw in the agent but rather because it was instructed to follow commands, which appear legitimate. The risk of prompt injection lies in the ability of attackers to manipulate AI agents into executing inappropriate actions.