What it is: These attacks abuse the machine-to-machine plumbing of an AI agent: the tools it calls, the data those tools return, and the messages agents pass to each other. The attacker never talks to the model directly. They poison the pipes. How the attacks work: The attacker hides instructions inside content the agent fetches or processes on its own, like an email, a web page, a tool result, or a message from another agent. When the agent reads that content as part of doing its job, it follows the hidden instructions as if they came from the user. Real examples from the framework:
  • zero-click-injection a crafted email or document is auto-processed and the agent obeys a hidden payload with no user click.
  • tool-result-poisoning a tool returns text that secretly tells the agent to leak data or take a bad action.
  • self-propagating-worm a payload tries to copy itself into the next agent or message, spreading on its own.
  • a2a-protocol-exploit one agent sends a poisoned message to another agent in an agent-to-agent setup.
  • function-schema-injection malicious instructions are hidden inside a tool’s name or description.
Why an AI might fall for it: The model trusts tool output and other agents the same way it trusts the user. It cannot easily tell real data from injected commands. How to defend: Treat all fetched content and tool results as untrusted data, never as instructions. Require human approval for risky actions. Validate tool schemas and isolate agents.