What it is: Tricks that target setups where AI agents talk to or hand work to each other. The attacker abuses the trust between agents instead of attacking one alone. How the attacks work: Agents tend to trust messages from other agents. An attacker can pose as a trusted agent, pass along poisoned instructions, or push a harmful request through a chain so each step looks normal. Real examples from the framework:
  • agent-delegation-abuse misuses one agent’s power to make it hand off harmful tasks to another.
  • agent-impersonation pretends to be a trusted agent to slip in bad instructions.
  • agent-session-smuggling hides malicious content inside a shared agent session.
  • cascading-jailbreak breaks one agent and lets the bypass spread to others down the line.
  • agent-collusion gets agents to work together toward a harmful goal.
Why an AI might fall for it: Agents often treat each other as safe by default and skip the checks they apply to user input. A request that passed one agent looks pre-approved to the next. Trust chains hide the original bad intent. How to defend: Verify the identity of any agent before acting on its messages. Re-check safety on every hand-off, not just at the entry point. Limit each agent’s permissions so a single compromise cannot cascade.