![[2602.22450] Silent Egress: When Implicit Prompt Injection Makes LLM Agents Leak Without a Trace](https://arxiv.org/static/browse/0.3.4/images/arxiv-logo-fb.png){kind=logo}
[2602.22450] Silent Egress: When Implicit Prompt Injection Makes LLM Agents Leak Without a Trace
Summary
The paper discusses the security risks posed by implicit prompt injection in large language model (LLM) agents, demonstrating how adversarial instructions can lead to sensitive data leaks without detection.
Why It Matters
As LLMs increasingly automate tasks, understanding their vulnerabilities is crucial for developing robust security measures. This research highlights the need for enhanced defenses against implicit prompt injection, which can compromise sensitive information, thereby informing future AI safety protocols.
Key Takeaways
- Implicit prompt injection can lead to significant data leaks in LLM agents.
- Malicious web pages can induce agents to exfiltrate sensitive information without detection.
- Defenses at the prompt level are insufficient; system and network-level controls are necessary.
- Sharded exfiltration techniques can bypass simple data loss prevention mechanisms.
- Architectural improvements like provenance tracking are essential for enhancing security.
Computer Science > Cryptography and Security arXiv:2602.22450 (cs) [Submitted on 25 Feb 2026] Title:Silent Egress: When Implicit Prompt Injection Makes LLM Agents Leak Without a Trace Authors:Qianlong Lan, Anuj Kaul, Shaun Jones, Stephanie Westrum View a PDF of the paper titled Silent Egress: When Implicit Prompt Injection Makes LLM Agents Leak Without a Trace, by Qianlong Lan and 3 other authors View PDF HTML (experimental) Abstract:Agentic large language model systems increasingly automate tasks by retrieving URLs and calling external tools. We show that this workflow gives rise to implicit prompt injection: adversarial instructions embedded in automatically generated URL previews, including titles, metadata, and snippets, can introduce a system-level risk that we refer to as silent egress. Using a fully local and reproducible testbed, we demonstrate that a malicious web page can induce an agent to issue outbound requests that exfiltrate sensitive runtime context, even when the final response shown to the user appears harmless. In 480 experimental runs with a qwen2.5:7b-based agent, the attack succeeds with high probability (P (egress) =0.89), and 95% of successful attacks are not detected by output-based safety checks. We also introduce sharded exfiltration, where sensitive information is split across multiple requests to avoid detection. This strategy reduces single-request leakage metrics by 73% (Leak@1) and bypasses simple data loss prevention mechanisms. Our ablatio...