Tool output is untrusted input: prompt injection is a data-flow bug

Prompt injection isn’t a prompting problem, so you can’t prompt your way out of it. It’s the same class as SQL injection: data from an untrusted source crosses into a control channel and gets executed as instructions. The web page your agent just fetched, the ticket it just read, the email in its inbox — all of it is attacker-controllable input flowing straight into the one component that can’t tell data from commands. Here’s the data-flow framing, why ‘ignore injected instructions’ can’t work, and the boundary that actually helps.

July 13, 2026 · 8 min · 1517 words · Loop & Retry