TL;DR: I discovered that standard LLM email agents with tool access are highly vulnerable to indirect prompt injection. I built AgentBreak, an open-source workflow security scanner, to map out these attack paths and test them before they hit production. Here is how the exploit works and how to catch it.
The setup
Imagine a realistic email assistant agent built to help manage your inbox. It has six tools: fetch_emails (an EXTERNAL source that pulls unread emails via IMAP), web_search (an EXTERNAL source that scrapes the web for context), summarise_and_plan (an LLM node that decides what to do), draft_reply (an LLM node that writes the response), send_email (an EMAIL_SEND sink that dispatches the message via SMTP), and save_to_notes (a FILE_WRITE sink).
This architecture is incredibly common, but it's also a textbook example of the "Lethal Trifecta" in agentic systems: it ingests external data from the internet, an LLM processes that data without strict sanitisation, and it has access to tools that take irreversible outbound actions.
The attack







