A $3,000 refund just went out. No human approved it. Your AI agent read a poisoned tool response and did exactly what the attacker wanted.
The scenario is constructed. The attack is not. Indirect prompt injection is ranked number one on the OWASP Top 10 for LLM applications, and most teams shipping agents have not patched it, because the attack never comes through the chat box (video below).
What is indirect prompt injection in AI agents?
Indirect prompt injection is an attack where malicious instructions arrive inside content an agent ingests, such as a tool response, a document, or a web page, rather than from the user typing into the chat. The OWASP Top 10 for LLM Applications lists prompt injection as LLM01:2025, the number one risk, and names the indirect form explicitly.
Tool-using agents are especially exposed because they act on what tools return. A malicious instruction embedded in a tool response can redirect your agent without the user ever knowing. The agent queried an external system, the external system fed it poison, and the agent treated the poison as truth.
