While businesses dream of an army of autonomous employees, researchers from the University of Pennsylvania—Lei Zhao, Abhay Bhaskar, and Edgar Dobriban—have discovered that these "assistants" are more than happy to open the door to anyone who knows how to hide instructions in plain text. Modern agents like OpenClaw are no longer just chatting in a sandbox; they have access to your email, browser, and file system. This transforms indirect prompt injection (IPI) from a theoretical boogeyman into a practical hacking tool. Simply reading an infected email or visiting a compromised repository is enough for an agent to start executing malicious code or leaking data to third parties.
Reality Check vs. Synthetic Tests
Moving away from standard synthetic benchmarks, the team introduced LivePI. This rigorous simulation runs in a virtual machine environment to mimic real-world operational chaos. The results are sobering: even top-tier models like GPT-4o or Claude 3.5 Sonnet (the study covers current versions of the GPT, Claude, Gemini, Kimi, and GLM families) show attack success rates ranging from 10.7% to 29.6%. The situation is worst in group chats and repository links, where defensive barriers almost invariably fail. An agent trained to be "helpful" perceives external data as a direct command, obediently transferring cryptocurrency or altering security settings upon an external prompt.
The problem lies in the very architecture of trust. By definition, agents must process heterogeneous content and independently select tools to solve tasks. This turns every entry point—be it a local file or an incoming message—into an attack vector.
Bridging the Security Gap
Researchers proposed a two-layer defense: prompt-level filtering and mandatory authorization for tool calls. In tests with OpenAI models, this approach successfully blocked malicious objectives before execution. However, in the real world, a gaping hole remains between agent autonomy and perimeter security. Companies are deploying AI agents to accelerate workflows, but in practice, they are installing systems that bypass corporate firewalls at the first request from an anonymous email.
The "trust but don't verify" architecture is no longer viable in the world of autonomous systems. Integrating agents into unverified external data streams without strict tool-call controls is a deliberate dismantling of your security posture. If your AI assistant has the authority to transfer funds or delete files, it must be governed by strict authorization rules rather than blindly trusting every PDF it reads.