# Prompt Injection

> Prompt injection is an attack where untrusted content carries instructions an LLM then follows — overriding its task, leaking data, or triggering tool calls.

**Prompt injection is the attack of smuggling instructions into content an LLM processes, so the model follows the attacker's intent instead of its task — the LLM-era descendant of SQL injection, ranked the #1 LLM application risk by OWASP.**

The root cause is structural: a model's context mixes trusted instructions and untrusted data in the same medium (text), and the model has no hard boundary between them. **Direct** injection comes from a hostile user; the sharper threat is **indirect** injection, where instructions hide in things the system reads — a webpage, a document, an email, tool output. For [agents](/glossary/ai-agent) with tools, that escalates from wrong answers to wrong *actions*: exfiltrated secrets, malicious tool calls, poisoned memory.

Because the model layer can't fully solve it, defense is architectural: scope tools to least privilege, gate dangerous actions with [deterministic checks outside the model](/glossary/guardrails), treat every fetched byte as untrusted, and keep humans on irreversible operations. The working playbook is [Defending Against Prompt Injection](/guides/ai-safety/defending-prompt-injection); auditing an existing app for exposure is the [prompt-injection-auditor](/agents/quality-security/prompt-injection-auditor) agent's job.

---

_Source: https://agentscamp.com/glossary/prompt-injection — Term on AgentsCamp._