Skip to content

Prompt Injection Is a Credential-Exfiltration Attack

TL;DR

  • Prompt injection is a repeatable 3-stage credential-exfiltration kill chain: an injection lands, the agent reads a secret it can reach, and the secret leaves through a channel the agent is allowed to use.
  • Two structural defenses you can ship today carry the most weight: starve the read (keep the secret out of the agent's reach) and constrain the egress (allowlist output channels). A third — separating control from data (CaMeL, dual-LLM) — attacks the one leg you can't drop, but isn't general yet. None is complete.
  • Input classifiers help in depth but can't be the load-bearing control — EchoLeak bypassed Microsoft's XPIA classifier in a zero-click chain. The strongest current research, including CaMeL and the Anthropic Files-API attack, confirms that no reliable general solution exists with today's LLMs.

OWASP describes prompt injection as an attack that makes an LLM "behave in unintended ways." For an agent with tools and secrets, that framing is too mild. Prompt injection changes an AI agent's behavior by inserting instructions into the data the agent processes; indirect prompt injection plants those instructions inside content the agent ingests as part of its job — an email, a pull request, a web page — rather than through the direct prompt. Through the credential lens it becomes a credential-exfiltration kill chain: the attacker never touches the console, yet the agent's own permitted channels carry API keys, tokens, or environment secrets out of the building. The broader class is data exfiltration; credentials are simply its highest-value payload, and that is the payload this piece follows.

How do AI agents leak API keys via prompt injection?

The kill chain has three stages, and real-world exploits have demonstrated all three in a single zero-click sequence.

Stage 1 — Injection lands. The attacker delivers a payload inside content the agent is designed to process. EchoLeak (CVE-2025-32711) used a malicious email read by Microsoft 365 Copilot. The email contained a markdown image link with a crafted query string — no user interaction required. The payload entered the agent's context purely through retrieval-augmented generation (RAG) [^1].

Stage 2 — The agent reads reachable data. Copilot's RAG retrieved private mailbox data and embedded it into the prompt context — EchoLeak exfiltrated data, the general form of this stage. Credentials are the highest-value instance of the same reachable target: an API key in an environment variable, a token in a tool description, or a credential inside an ingested document. Claude Code CVE-2025-55284 is the credential instance of the pattern — a malicious instruction in a repository file caused the agent to read a .env file and extract API keys [^2].

Stage 3 — The secret leaves through an allowed channel. The EchoLeak payload instructed Copilot to auto-fetch a markdown image whose URL contained the exfiltrated data; Microsoft's own Content Security Policy was bypassed because the fetch resolved through a trusted domain. Claude Code CVE-2025-55284 used DNS exfiltration: the agent ran a ping or nslookup with the secret encoded in the subdomain, and the DNS query — an allowed network call — carried the data out. In both cases the egress channel was permitted by design.

MITRE ATLAS technique AML.T0086, "Exfiltration via AI Agent Tool Invocation," published in October 2025 by Zenity Labs with MITRE, formalizes this third stage as a distinct technique under the Exfiltration tactic [^3]. OWASP LLM01:2025 Prompt Injection documents the same pattern: its example shows an injected markdown-image link carrying private data out through an auto-fetched URL [^4]. The same class of agent-controlled channels generalizes it — DNS lookups, URL-preview unfurling, allowlisted API calls — each an egress the agent is permitted to use.

The chain is repeatable because each stage exploits a capability the agent legitimately possesses. The attacker does not break cryptography, escalate privileges, or find a model zero-day. The agent is simply doing what it was asked to do, with instructions it cannot distinguish from its task.

What is indirect prompt injection?

Direct prompt injection — a user typing a malicious instruction into a chat interface — can jailbreak a model or change its single-session behavior, but it rarely yields a third-party credential. Indirect prompt injection is the credential-theft vector because the payload rides in on content the agent processes automatically: an email, an issue comment, a web page fetched by a tool, or a result returned by an MCP server.

The mechanism was first described by Greshake et al. in "Not what you've signed up for" (2023) [^5], which named indirect injection and identified data theft as a first-class consequence. Simon Willison later explained the root cause: LLMs cannot reliably distinguish the provenance of instructions. Everything — the system prompt, the user message, the retrieved document, the tool output — is glued into one token sequence, so an instruction hidden inside a fetched web page carries the same syntactic authority as the developer's system prompt [^6].

This is why indirect injection scales. An attacker leaves a payload in a public issue; a coding agent that reads the issue to triage it may execute the instruction, read a secret from the CI environment, and exfiltrate it. "Comment and Control," personal research by Aonan Guan (2026), demonstrated a multi-stage credential-theft chain across Claude Code, Gemini CLI, and GitHub Copilot in CI — all initiated by a comment in a repository [^7]. For an agent whose job is to read untrusted content, you cannot simply drop the middle leg of Willison's lethal trifecta — but you can neutralize its authority (Defense C, below).

How do you stop an AI agent from exfiltrating secrets?

Willison's lethal trifecta says an agent is at risk whenever three conditions coexist: private data, untrusted content, and external communication [^6]. Neutralize any one leg and the attack collapses. No defense truly removes a leg — it neutralizes it: starving the read takes the secret out of context (leg 1), constraining the egress narrows the channels (leg 3), and separating control from data blunts the untrusted content itself (leg 2). The first two you can ship today; the third — Defense C — is where the frontier lives.

Defense A — Starve the read

If the agent never sees a secret, injection has nothing to steal. This is least privilege applied to context: strip credentials from environment variables, tool descriptions, and retrieved documents before they enter the prompt. OWASP LLM01 explicitly recommends context segregation and least-privilege access to data [^4]. The strongest form is the never-in-context pattern — keep the secret in a resolver outside the model and inject it only at the point of an authorized tool call, so it never enters the LLM's context at all [see a credential the LLM never sees].

Limit. Starving the read removes the key from the model's reach, not the authority the key grants. A resolver that injects the credential below the model can still be driven, by a poisoned instruction, to make an authorized, damaging call — burn the paid quota, act with the credential's power. And the confused-deputy problem remains: the agent can be told to use an authorized channel to fetch data it is allowed to reach and exfiltrate that. The secret's absence from the prompt does not remove the agent's power to act.

Defense B — Constrain the egress

Once an agent has ingested untrusted input, the output channels must be restricted so no consequential action can be triggered by that input. The rule, from the "Design Patterns for Securing LLM Agents" survey and relayed by Willison, is blunt: "once an LLM agent has ingested untrusted input, it must be constrained so that it is impossible for that input to trigger any consequential actions" [^11][^6]. In practice that means an egress allowlist: block DNS exfiltration, disable markdown-image auto-fetch, prevent URL-preview unfurling, and restrict tool calls to a narrow set of pre-approved endpoints.

Limit. An allowlist is a capability grant. Anthropic's engineering team put it bluntly: "Every function reachable through any domain on an allowlist is now an attack surface" [^8]. The Files API attack proved it — a smuggled key caused Claude to read other files in the mounted workspace and upload them through the allowlisted api.anthropic.com endpoint. The authorized channel became the exfiltration path. An egress allowlist shrinks the attack surface; it does not eliminate it, because any channel the agent can use for legitimate work can be turned against it.

Why input classifiers are not the answer

Input-filtering asks a model or a separate classifier to detect malicious intent. Classifiers are useful in depth — Anthropic ships them as one layer — but they cannot be the load-bearing control: EchoLeak bypassed Microsoft's XPIA classifier entirely, the payload being a markdown image link rather than an obvious instruction [^1]. This is the structural point: a structural control removes the capability to exfiltrate; a classifier only infers whether a capability will be misused. Inference is bypassable; capability removal is not.

Defense C — separate control from data (the frontier)

The third leg — untrusted content — is attacked by separating control flow from data, so injected instructions can never steer the program. This is the most credible current direction, and it is not yet free or general. CaMeL (Google DeepMind / ETH Zürich, 2025) does exactly this: it separates control flow from untrusted data and enforces capabilities at tool-call time. On the AgentDojo benchmark, CaMeL solved 77% of tasks while preserving security, against 84% for an undefended agent — a meaningful mitigation, not a solution [^9]. Willison's read: it is a real step forward, and 77% is not 100% [^10].

The design-patterns survey by Beurer-Kellner et al. (2025) is equally direct: "As long as both agents and their defenses rely on the current class of language models… it is unlikely that general-purpose agents can provide meaningful and reliable safety guarantees" [^11]. Each structural pattern trades generality for safety; none closes the gap.

The confused-deputy ceiling is the hard bound. Anthropic's containment uses an egress allowlist as a core defense, yet the Files API attack showed an allowlisted, authenticated channel can still be exploited when the agent is tricked into using it [^8]. The agent holds legitimate authority; the attacker's instructions redirect it. As long as the agent can act on behalf of its principal, the ceiling holds.

Where Mnemoverse fits

Starving the read — never-in-context — is the category Mnemoverse builds toward: keep credentials out of the model's context and resolve them only at the authorized point of use. That is the modest claim; it is one move among three, and none of them makes every tool invocation safe.

Common questions

What is the 3-stage credential-exfiltration kill chain for prompt injection?

Stage 1: an injection lands inside the agent's context. Stage 2: the agent reads a reachable secret (API key, token, credential). Stage 3: the secret leaves through an allowed channel — DNS, image fetch, URL preview, or an authorized tool call. OWASP LLM01 and MITRE ATLAS AML.T0086 both describe this pattern.

How do AI agents leak API keys via prompt injection?

Indirect injection plants a payload in content the agent processes (email, issue, web page). The payload instructs the agent to retrieve a secret from its environment and exfiltrate it through a channel the agent is permitted to use — an auto-fetched image URL, a DNS lookup, or an allowlisted API call. Real-world examples include EchoLeak (CVE-2025-32711) and Claude Code CVE-2025-55284.

What is indirect prompt injection?

Indirect prompt injection, first named by Greshake et al. (2023), occurs when an attacker embeds instructions in data an agent ingests — an email, a pull request, a web page — rather than typing into a prompt. The agent cannot distinguish the provenance of that content, so the injected instructions alter its behavior. This is the primary vector for credential theft at scale against third-party agents.

How do you stop an AI agent from exfiltrating secrets?

Two structural defenses you can ship today carry weight — starve the read (keep secrets out of the agent's reach) and constrain the egress (allowlist the output channels) — plus a third, separating control from data (CaMeL, dual-LLM), that attacks the leg you can't drop but isn't general yet. None is complete. Input classifiers help in depth but can't be the load-bearing control — EchoLeak bypassed Microsoft's XPIA classifier. Today, no reliable general solution exists with current LLMs.

What is MITRE ATLAS AML.T0086?

AML.T0086, "Exfiltration via AI Agent Tool Invocation," is a MITRE ATLAS technique published in October 2025 in collaboration with Zenity Labs. It describes the tactic where an attacker uses an agent's own tools to move secrets out of the environment — exactly the egress stage of the credential-exfiltration kill chain.

Can you fully prevent prompt injection?

No. The strongest published defense, CaMeL, achieves 77% task success with provable security on the AgentDojo benchmark, not 100%. The design-patterns survey by Beurer-Kellner et al. concludes that as long as agents and defenses rely on the current class of language models, meaningful and reliable safety guarantees are unlikely. Even an allowlisted egress channel can become the exfiltration path, as shown by Anthropic's Files API attack.


Mnemoverse Library — persistent memory for AI agents, written for engineers who need memory to be useful, bounded, and verifiable.

[^1]: EchoLeak — discovered and disclosed by Aim Labs (Aim Security), June 2025; CVE-2025-32711 (NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32711). Technical analysis: Reddy & Gujral, "EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System," arXiv:2509.10540 (Sep 2025). [^2]: Johann Rehberger, "Claude Code Exfiltration via DNS Requests," Embrace The Red, 2025. CVE-2025-55284, CVSS 7.1. https://embracethered.com/blog/posts/2025/claude-code-exfiltration-via-dns-requests/ [^3]: Zenity Labs, "Zenity Labs and MITRE ATLAS Collaborate to Advance AI Agent Security," October 21, 2025. https://zenity.io/blog/current-events/zenity-labs-and-mitre-atlas-collaborate-to-advances-ai-agent-security-with-the-first-release-of [^4]: OWASP, "LLM01:2025 Prompt Injection." https://genai.owasp.org/llmrisk/llm01-prompt-injection/ [^5]: Greshake et al., "Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection," AISec '23. arXiv:2302.12173. [^6]: Simon Willison, "The lethal trifecta: private data, untrusted content, and external comms," June 16, 2025. https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/ [^7]: Aonan Guan, "Comment and Control: Prompt Injection Credential Theft in Claude Code, Gemini CLI, and GitHub Copilot," personal research, April 2026. https://oddguan.com/blog/comment-and-control-prompt-injection-credential-theft-claude-code-gemini-cli-github-copilot/ [^8]: Anthropic, "How we contain Claude." https://www.anthropic.com/engineering/how-we-contain-claude — see also "Prompt injection defenses," https://www.anthropic.com/research/prompt-injection-defenses [^9]: "Defeating Prompt Injections by Design" (CaMeL), Google DeepMind / ETH Zürich. arXiv:2503.18813. [^10]: Simon Willison, "CaMeL offers a promising new direction for mitigating prompt injection attacks," April 11, 2025. https://simonwillison.net/2025/Apr/11/camel/ [^11]: Beurer-Kellner et al., "Design Patterns for Securing LLM Agents against Prompt Injections," 2025. arXiv:2506.08837.