zero-click-injectiona crafted email or document is auto-processed and the agent obeys a hidden payload with no user click.tool-result-poisoninga tool returns text that secretly tells the agent to leak data or take a bad action.self-propagating-worma payload tries to copy itself into the next agent or message, spreading on its own.a2a-protocol-exploitone agent sends a poisoned message to another agent in an agent-to-agent setup.function-schema-injectionmalicious instructions are hidden inside a tool’s name or description.
Attack Strategies
Protocol Exploitation: Attack Strategy
These attacks abuse the machine-to-machine plumbing of an AI agent: the tools it calls, the data those tools return, and the messages agents pass to each o
What it is: These attacks abuse the machine-to-machine plumbing of an AI agent: the tools it calls, the data those tools return, and the messages agents pass to each other. The attacker never talks to the model directly. They poison the pipes.
How the attacks work: The attacker hides instructions inside content the agent fetches or processes on its own, like an email, a web page, a tool result, or a message from another agent. When the agent reads that content as part of doing its job, it follows the hidden instructions as if they came from the user.
Real examples from the framework: