A web page told your agentto do it. Did it obey?
Indirect prompt injection — a hidden instruction buried in a page, email, ticket, or document the agent reads — is the top agentic-AI risk. It becomes a breach only when the kill-chain is open end to end. Grade an agent on the six design controls that close it, before an attacker walks it.
Not a scanner or security audit. This grades an agent's design from your own marks — it runs no attacks, detects nothing at runtime, scores no people, and guarantees no outcome. It is distinct from the Prompt Injection Red Team Kit. Validate high-stakes agents with your security team.
The attacker doesn't prompt your agent. The content does.
Indirect prompt injection / goal hijacking is the top-ranked risk in the OWASP agentic-AI top ten.
the three-link chain an injection has to complete. Break one link and the whole attack fails.
the fix isn't a smarter filter — it's a design that treats everything the agent reads as untrusted data, not commands.
An agent that reads a support ticket, a web page, or a PDF can be carrying someone else's instructions without knowing it. You can't filter your way to safety — but you can design so the injection has nowhere to go. This Gate measures whether your agent's design closes the chain, agent by agent.
Mark six controls. Watch the kill-chain gate override a 72.
Mark each control. Three of them (★) form the injection kill-chain — leave all three below Controlled and the gate overrides the score.
Gate tripped: the kill-chain is open end to end — untrusted output can enter, an unscoped high-impact tool can act, and no human is in the loop to catch it. HIGH EXPOSURE regardless of score — close any one ★ control and it releases.
Fix first: Treat output as untrusted.
Grades the agent's design, never people. Not a scanner or red-team. Runs offline in the workbook and engine.
A runnable engine, a workbook that reproduces it, and two playbooks.
The verdict comes three ways — Python engine, Excel workbook, and on-page demo, byte-for-byte identical. Here is the engine's real output on the five-agent sample:
==================================================================
INDIRECT PROMPT-INJECTION EXPOSURE GATE
Grades the agent's design, not people. Not a scanner or red-team.
==================================================================
AGENT: Customer-support copilot (reads tickets)
Verdict: HIGH EXPOSURE (exposure score 72/100)
>> GATE: the injection kill-chain is open end to end —
untrusted output can ENTER, an unscoped high-impact tool
can ACT, and no human is in the loop to CATCH it. HIGH
EXPOSURE regardless of score. Close any one link to release.
Fix first: Tool & retrieved output treated as untrusted
Controls:
[2] CONTROLLED Input / instruction separation
[1] PARTIAL Tool & retrieved output treated as untrusted <-- kill-chain
[1] PARTIAL Least-privilege tool scope (blast radius) <-- kill-chain
[2] CONTROLLED Output validation before downstream use
[1] PARTIAL Human-in-the-loop on high-impact actions <-- kill-chain
[2] CONTROLLED Egress / exfiltration controls
AGENT: Email triage & auto-reply agent
Verdict: HIGH EXPOSURE (exposure score 40/100)
>> GATE: the injection kill-chain is open end to end —
untrusted output can ENTER, an unscoped high-impact tool
can ACT, and no human is in the loop to CATCH it. HIGH
EXPOSURE regardless of score. Close any one link to release.
Fix first: Tool & retrieved output treated as untrusted
Controls:
[1] PARTIAL Input / instruction separation
[0] OPEN Tool & retrieved output treated as untrusted <-- kill-chain
[1] PARTIAL Least-privilege tool scope (blast radius) <-- kill-chain
[1] PARTIAL Output validation before downstream use
[1] PARTIAL Human-in-the-loop on high-impact actions <-- kill-chain
[1] PARTIAL Egress / exfiltration controls
AGENT: Internal RAG research assistant
Verdict: CONTAINED (exposure score 90/100)
Fix first: Tool & retrieved output treated as untrusted
Controls:
[2] CONTROLLED Input / instruction separation
[1] PARTIAL Tool & retrieved output treated as untrusted <-- kill-chain
[2] CONTROLLED Least-privilege tool scope (blast radius) <-- kill-chain
[2] CONTROLLED Output validation before downstream use
[2] CONTROLLED Human-in-the-loop on high-impact actions <-- kill-chain
[2] CONTROLLED Egress / exfiltration controls
AGENT: Code-review bot (reads PRs)
Verdict: CONTAINED (exposure score 77/100)
Fix first: Least-privilege tool scope (blast radius)
Controls:
[2] CONTROLLED Input / instruction separation
[2] CONTROLLED Tool & retrieved output treated as untrusted <-- kill-chain
[1] PARTIAL Least-privilege tool scope (blast radius) <-- kill-chain
[1] PARTIAL Output validation before downstream use
[2] CONTROLLED Human-in-the-loop on high-impact actions <-- kill-chain
[1] PARTIAL Egress / exfiltration controls
AGENT: Read-only analytics summarizer
Verdict: CONTAINED (exposure score 100/100)
Controls:
[2] CONTROLLED Input / instruction separation
[2] CONTROLLED Tool & retrieved output treated as untrusted <-- kill-chain
[2] CONTROLLED Least-privilege tool scope (blast radius) <-- kill-chain
[2] CONTROLLED Output validation before downstream use
[2] CONTROLLED Human-in-the-loop on high-impact actions <-- kill-chain
[2] CONTROLLED Egress / exfiltration controls
------------------------------------------------------------------
FLEET: EXPOSED (2 of 5 high exposure, exposure rate 40%)
Worst agent to fix first: Email triage & auto-reply agent
------------------------------------------------------------------The agent's own instructions stay structurally apart from the content it reads — so a document can't pose as a system command.
Tool results, retrieved pages, and emails are data to analyze — never instructions to obey. The chain's entry point.
High-impact tools are scoped down or absent, so even a fired injection can't do much. The chain's blast radius.
The agent's output is checked against expected shape and policy before anything downstream acts on it.
Money, messages, data changes, and sharing require explicit human approval. The chain's last catch.
Outbound destinations are constrained, so a hijacked agent can't quietly send data to an attacker's URL.
The score measures hardening. The gate models the actual attack.
Six controls weighted to 100 give an exposure score — CONTAINED at 75+, HARDEN at 50–74, HIGH EXPOSURE below 50. Higher is safer. It tells you how hardened the agent is overall.
An injection only breaches when it can enter, act, and go uncaught. If all three of those controls are below full at once, the agent is HIGH EXPOSURE even at 72 — distinct work the average can't do. Close any one link and it releases.
Every verdict points to a control to harden, never a judgment of whoever built the agent. The honest outcome is sometimes 'give this agent a narrower job' — and that's the Gate working.
A design-exposure gate, not an attack tool.
- A deterministic, offline gate that grades an agent's injection exposure from your own marks.
- A way to find the one control to harden first, agent by agent, before a breach.
- A design-review aid for anyone shipping agents that read untrusted content.
- Not a scanner, a red-team probe runner, a penetration test, or a runtime detector.
- Not the Prompt Injection Red Team Kit (that runs probes against a live app) — this grades the design.
- Not a clearance or a guarantee no injection can succeed, and not legal advice.
Not a scanner or security audit. This grades an agent's design from your own marks — it runs no attacks, detects nothing at runtime, scores no people, and guarantees no outcome. It is distinct from the Prompt Injection Red Team Kit. Validate high-stakes agents with your security team.
Anyone shipping an agent that reads what it didn't write.
- Builders & founders wiring agents that read tickets, emails, web pages, or documents.
- IT & security leads who need a repeatable exposure baseline for every agent in the org.
- Platform teams setting a hardening bar agents must clear before launch.
- Agencies & MSPs reviewing the agents they deploy into client stacks.
- Product teams deciding whether an agent's job is too broad for its hardening.
- Anyone who has read about an agent leaking data to a poisoned page and wants a gate, not a hunch.
Harden the input surface, then the access and the output.
Grade an agent against the operational controls it needs before it touches real users or live systems.
ViewAudit what each connected agent, MCP server, and OAuth connector can actually read, write, and reach.
ViewTriage every customer-facing AI surface on liability exposure before the next answer goes out.
ViewThe honest answers.
Close the chain before
the content opens it.
Grade every agent, harden the named control first, and make sure an injected instruction has nowhere to enter, act, or escape. One purchase, lifetime access, 12 months of updates. $79, once.
Not a scanner or security audit. This grades an agent's design from your own marks — it runs no attacks, detects nothing at runtime, scores no people, and guarantees no outcome. It is distinct from the Prompt Injection Red Team Kit. Validate high-stakes agents with your security team.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai