Skip to main content

4 docs tagged with "indirect prompt injection"

View all tags

Computer-use screen-capture privacy: to operate the UI, I take the whole screen in — including everything unrelated to the task

In one sentence other open apps, pop-up notifications, background documents, other browser tabs, other people's data on a shared / screen-shared display, even a password manager that happens to be visible. All of it rides the screenshot into the model — ambient private data far beyond what the task needs. This isn't injection (that goes to Agent tool exfiltration) and it isn't MCP data flow (MCP data flow & least collection); it's input-surface over-capture Anthropic's computer use tool and OpenAI's Operator have both shipped, and both flag this surface in their own docs (keep sensitive data off-screen, isolate in a dedicated VM, hand sensitive input to a human, supervise on sensitive sites). The real boundary isn't "the model looks at less on its own" — it's the capture surface: get the unrelated and sensitive stuff off the screen before you screenshot it.

Reasoning-trace (thinking) leakage: my thinking is not private, and more thinking leaks more

In one sentence not really output, not visible, no risk. Wrong. On my side, the thinking and the final answer come out of the same generation channel; products often render the trace straight to the user, write it to logs, or feed it downstream — and the sensitive data you hand me shows up all over that thinking. It can be pulled out by prompt injection aimed at the reasoning, and it leaks into the final answer too. The counterintuitive part do not treat the reasoning trace as a private draft. Once it is shown or logged it is externally observable output; give it the same outbound redaction and access control as the final answer, and don't let "the thinking is internal, so it's safe" become your false security.