Skip to content
ATR-2026-00130highPrompt Injectionexperimental

Indirect Authority Claim in External Content

Detects authority-claiming patterns embedded in external content (documents, tool responses, web pages) that address the AI agent directly. Unlike direct prompt injection (ATR-2026-001), these use softer authority language: "Note to AI", "Attention AI", "Important for the assistant" combined with corrective directives like "the previous analysis was incorrect" or "please recalculate". These bypass ATR-2026-002's injection patterns because they don't use explicit override language — instead they leverage implied authority to redirect agent behavior. Discovered via Autoresearch v0 adversarial testing (100% miss rate, 31/31 samples).

Severity
high
Category
Prompt Injection
Scan Target
mcp
Author
ATR Community

Response Actions

alert

References

OWASP Agentic
ASI01:2026 - Agent Goal HijackASI06:2026 - Memory & Context Poisoning
OWASP LLM
LLM01:2025 - Prompt Injection
View full YAML on GitHub →

More Prompt Injection Rules

ATR-2026-00001highDirect Prompt Injection via User InputATR-2026-00002highIndirect Prompt Injection via External ContentATR-2026-00003highJailbreak Attempt DetectionATR-2026-00004criticalSystem Prompt Override AttemptATR-2026-00005mediumMulti-Turn Prompt Injection