Robots Atlas
April 28, 2026 · 3 min read
Tags: Google, AI security, cybersecurity

Google Warns: Malicious Web Pages Are Hijacking AI Agents via Prompt Injection

Pan Robocik · April 28, 2026 · 3 min read

Google has published a report warning about a new attack vector targeting AI agents. Malicious content hidden inside web pages can seize control of an agent's actions without the user's knowledge. The phenomenon is known as indirect prompt injection.

How the attack works

AI agents increasingly browse the internet on behalf of users — booking hotels, gathering data, filling out forms. Every page visited can contain hidden text instructions, invisible to humans but parsed by the language model. If the agent cannot distinguish user commands from page content, it can be forced into actions that contradict the user's intent.

Example attack scenarios include: hidden text instructing the agent to forward login credentials to an external server, commands redirecting the target of a booking or purchase, and instructions preventing the agent from notifying the user of actions taken.

What Google's report says

The Google Threat Intelligence Group report classifies indirect prompt injection as a real operational threat, not merely a theoretical one. The authors note that the scale of the problem grows in direct proportion to the number of deployed agents. Google identifies three classes of attack: data exfiltration (theft of data processed by the agent), action hijacking (taking over agent actions), and persistence injection (commands that survive across multiple agent sessions).

Why this is hard to fix

The problem stems from the fundamental architecture of large language models. An LLM processes text as a continuous stream of tokens — it has no inherent ability to distinguish whether a fragment comes from the user, the system, or an external page. Attempts to separate context via system prompts and tools such as sandboxing improve the situation but do not eliminate the risk. Google recommends a multi-layered approach: context isolation, real-time monitoring of agent actions, and user authorization for critical operations.

Who is most at risk?

The most exposed systems are agentic deployments with broad internet access and a low threshold for autonomous action. In particular: shopping and booking assistants, agents automating office tasks, and multi-agent systems where a single compromised agent can relay malicious instructions to subsequent agents in the pipeline.

Industry response

OpenAI and Anthropic also document this attack vector in their security materials. OWASP (Open Web Application Security Project) has placed prompt injection at the top of its list of threats for LLM applications. Despite growing awareness, standardized defense mechanisms are still lacking — each model provider applies its own approach.

Why this matters for robotics and automation

Robots and automation systems increasingly rely on AI agents for task planning and environment interpretation. If an agent controlling a robotic arm or a logistics system can be hijacked by malicious web content, the consequences extend well beyond the digital world. AI agent security thus becomes an issue at the intersection of cybersecurity and physical safety.

What's next?

Google has announced an expansion of its detection tooling within Google Cloud Security. The industry is awaiting technical standards from organizations such as NIST and OWASP. In the meantime, companies deploying AI agents should audit agent permission scopes and introduce mandatory confirmations for high-risk actions.
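An added example (not code from Google's report or from the Robots Atlas article) of the permission-scope and mandatory-confirmation layer recommended above, in Python: a hypothetical gateway between a booking agent and its tools, where the user's intent is captured as a scope before any page is visited, and every tool call the agent proposes is checked and logged no matter what the page told the agent. The hosts, tool names and call sequence are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

HIGH_RISK = {"book", "pay", "send_email"}        # irreversible: always confirm with the user
SENSITIVE = {"password", "session_token"}        # may only be sent to the declared merchant

@dataclass
class Scope:
    """User intent captured before browsing; page content cannot change it."""
    allowed_hosts: set
    merchant_host: str

@dataclass
class Gateway:
    scope: Scope
    confirm: Callable[[str, dict], bool]         # asks the user out-of-band, not via the model
    audit_log: list = field(default_factory=list)

    def dispatch(self, tool: str, args: dict) -> str:
        """Return 'allowed', 'blocked' or 'denied'. Every call is logged here,
        so an agent told by a page to stay silent cannot hide what it did."""
        host = args.get("host") or args.get("merchant_host")
        if host and host not in self.scope.allowed_hosts:
            return self._log(tool, args, "blocked", "host outside declared scope")
        if SENSITIVE & set(args.get("body", {})) and host != self.scope.merchant_host:
            return self._log(tool, args, "blocked", "credential egress")
        if tool == "book" and host != self.scope.merchant_host:
            return self._log(tool, args, "blocked", "booking target differs from intent")
        if tool in HIGH_RISK and not self.confirm(tool, args):
            return self._log(tool, args, "denied", "user declined")
        return self._log(tool, args, "allowed", "")

    def _log(self, tool, args, outcome, reason) -> str:
        self.audit_log.append({"tool": tool, "args": args, "outcome": outcome, "reason": reason})
        return outcome

def run_demo() -> list:
    """Constructed sequence of tool calls a hijacked booking agent might propose."""
    scope = Scope(allowed_hosts={"hotel.example", "maps.example"}, merchant_host="hotel.example")
    gw = Gateway(scope, confirm=lambda tool, args: tool == "book")   # stand-in for a real prompt
    calls = [
        ("http_get", {"host": "hotel.example", "path": "/rooms"}),                  # legitimate
        ("http_post", {"host": "collector.invalid", "body": {"password": "x"}}),    # exfiltration
        ("http_post", {"host": "maps.example", "body": {"session_token": "y"}}),    # wrong recipient
        ("book", {"merchant_host": "other-hotel.invalid", "room": 12}),             # redirected booking
        ("book", {"merchant_host": "hotel.example", "room": 12}),                   # what the user asked
    ]
    return [gw.dispatch(tool, args) for tool, args in calls]
```

The scope check runs before any model-influenced decision, which is what makes the gateway useful against instructions the agent picked up from a page rather than from the user.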
