Prompt Injection

An attack that hides instructions in content an agent reads, hijacking its behavior against its principal's intent.

term
Prompt Injection
category
identity
short_def
An attack that hides instructions in content an agent reads, hijacking its behavior against its principal's intent.
long_def
The term was coined by Simon Willison in September 2022, framed as the LLM analogue of SQL injection. Because agents act on the text they ingest, malicious or invisible instructions on a page ('ignore previous instructions and...') can manipulate them. Hidden agent-only text is therefore an anti-pattern indistinguishable from an attack; trustworthy sites keep their machine layer transparent.
see_also
agent-experience web-bot-auth
etymology_origin
Coined and defined by Simon Willison on 12 September 2022 ('Prompt injection attacks against GPT-3'), naming it after SQL injection; the underlying GPT-3 vulnerability was demonstrated by Riley Goodside the prior day.
related_to
agent-experience web-bot-auth agent-identity
contrast_with
Unlike jailbreaking, where a user coaxes a model to break its own rules, prompt injection plants instructions in third-party content the agent later reads — the attacker is not the user.
example
Simon Willison coined 'prompt injection' on 12 September 2022, framing it as the LLM analogue of SQL injection.
source
https://simonwillison.net/2022/Sep/12/prompt-injection/
status
active
why_it_matters
Prompt injection is the reason hidden agent-only text is an anti-pattern; an agent-ready site keeps its machine layer transparent and signed, not cloaked.
sameAs
https://en.wikipedia.org/wiki/Prompt_injection
bridge_entity
protocols/identity/web-bot-auth
last_verified
2026-06-15
md_twin
/glossary/prompt-injection.md