How Vulnerable Are AI Agents to Indirect Prompt Injections? Insights from a Large-Scale Public Competition

Abstract

LLM based agents are increasingly deployed in high stakes settings where they process external data sources such as emails, documents, and code repositories. This creates exposure to indirect prompt injection attacks, where adversarial instructions embedded in external content manipulate agent behavior without user awareness. A critical but underexplored dimension of this threat is concealment: since users tend to observe only an agent's final response, an attack can conceal its existence by presenting no clue of compromise in the final user facing response while successfully executing harmful actions. This leaves users unaware of the manipulation and likely to accept harmful outcomes as legitimate. We present findings from a large scale public red teaming competition evaluating this dual objective across three agent settings: tool calling, coding, and computer use. The competition attracted 464 participants who submitted 272000 attack attempts against 13 frontier models, yielding 8648 successful attacks across 41 scenarios. All models proved vulnerable, with attack success rates ranging from 0.5% (Claude Opus 4.5) to 8.5% (Gemini 2.5 Pro). We identify universal attack strategies that transfer across 21 of 41 behaviors and multiple model families, suggesting fundamental weaknesses in instruction following architectures. Capability and robustness showed weak correlation, with Gemini 2.5 Pro exhibiting both high capability and high vulnerability. To address benchmark saturation and obsoleteness, we will endeavor to deliver quarterly updates through continued red teaming competitions. We open source the competition environment for use in evaluations, along with 95 successful attacks against Qwen that did not transfer to any closed source model. We share model-specific attack data with respective frontier labs and the full dataset with the UK AISI and US CAISI to support robustness research.

Figures (16)

• Figure 1: ASR by model across the competition (wave 1 and wave 2) in decreasing order. ASR is computed by successful attacks / total attempts.
• Figure 2: Overview of Indirect Prompt Injection Arena. An attacker embeds malicious instructions in external data sources (emails, code files, webpages) that the agent processes during task execution. Successful attacks must satisfy a dual objective: execute the harmful action and conceal the fact of being compromised in the final agent response. We evaluate this threat across three agent settings: tool use, coding, and computer use.
• Figure 3: Example scenario. A user asks their assistant to check for urgent emails. The injection point is indicated by {fill} in the spoofed marketing email's content within the tool output. The injection instructs the agent to mark a critical deadline email as read and exclude it from the summary. The right side shows a successful attack: the agent executes the harmful action while presenting a benign email summary to the user.
• Figure 4: Cumulative successful attacks per model as a function of attempts. Break counts increase approximately linearly for all models, indicating that the ratio of successful breaks to total attempts remains roughly constant throughout the competition rather than diminishing or increasing over time. Total breaks per model shown in parentheses.
• Figure 5: ASR by agentic setting for each model. Three bars per model represent tool use (solid), coding (hatched), and computer use (dotted). Models without image support (SecAlign 70B, DeepSeek V3.1, Kimi K2 Thinking) lack computer use bars. Models are ordered by decreasing overall ASR.