Why is my CrewAI crew leaking the system prompt to all agents?

(@compliance_mary)
Topic starter
  [#1320]

I was reviewing the audit logs for my CrewAI crew this morning and noticed something concerning: every agent in the crew had access to the full, global system prompt in their message history. This seems like a significant information leak, especially when dealing with sensitive instructions or segmented knowledge.

Looking at my crew definition, I used the standard pattern from the tutorials:

```python
from crewai import Agent, Task, Crew, Process

manager = Agent(
    role="Project Manager",
    goal="Oversee the project",
    backstory="Experienced manager.",
    verbose=True,
)

researcher = Agent(
    role="Researcher",
    goal="Find relevant information",
    backstory="Detail-oriented analyst.",
    verbose=True,
)
```

The issue appears to be that when you don't explicitly provide a `system_prompt` to each individual agent, they default to using the crew's overarching prompt. This means the Researcher agent can potentially see instructions meant only for the Manager, like "you have final approval on budgets" or "do not share X with the other team members."

This is problematic for a few reasons:
* It violates the principle of least privilege.
* It breaks the intended role separation in a crew.
* It creates a risk of prompt leakage or manipulation in the agent's context window.

Has anyone else run into this? What's the recommended practice for scoping system prompts to individual agents in CrewAI to maintain proper isolation? I'm currently working around it by manually setting a unique `system_prompt` for each agent, but that feels like something that should be the default, secure behavior.

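An added, stand-alone example (not code from the post author and not CrewAI's own API) of the kind of audit the post's log review amounts to: assemble each agent's message history, then check whether any role-scoped instruction turns up in a different role's context. `AgentSpec`, `build_history`, `find_cross_role_leaks`, the sample instructions and the two crews are all constructed here; `build_history` models the fallback the post describes (no per-agent `system_prompt` means the crew-wide prompt is used) and is a simplification, not CrewAI's real prompt assembly. The same check run against the "one `system_prompt` per agent" workaround comes back clean, which is what you would want a CI or pre-deployment check to assert.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AgentSpec:
    """Hypothetical stand-in for a CrewAI Agent; only the fields the audit needs."""
    role: str
    goal: str
    system_prompt: Optional[str] = None  # None: falls back to the crew-wide prompt


def build_history(agent: AgentSpec, crew_prompt: str) -> List[Dict[str, str]]:
    """Model the behaviour described in the post: an agent without its own
    system_prompt gets the crew-wide prompt as its system message.
    Simplified model for the audit, not CrewAI's actual prompt assembly."""
    prompt = agent.system_prompt if agent.system_prompt is not None else crew_prompt
    return [
        {"role": "system", "content": prompt},
        {"role": "user", "content": f"Your goal: {agent.goal}"},
    ]


def find_cross_role_leaks(
    agents: List[AgentSpec],
    crew_prompt: str,
    role_scoped: Dict[str, List[str]],
) -> List[Tuple[str, str, str]]:
    """Scan each agent's assembled history for instructions that belong to a
    different role. Returns (agent_role, owner_role, instruction) triples."""
    leaks: List[Tuple[str, str, str]] = []
    for agent in agents:
        text = "\n".join(m["content"] for m in build_history(agent, crew_prompt)).lower()
        for owner, instructions in role_scoped.items():
            if owner == agent.role:
                continue  # the owning role is allowed to see its own instructions
            for instruction in instructions:
                if instruction.lower() in text:
                    leaks.append((agent.role, owner, instruction))
    return leaks


# --- constructed sample data (not from the post) ---------------------------
MANAGER_ONLY = [
    "you have final approval on budgets",
    "do not share the vendor shortlist with the other team members",
]
CREW_PROMPT = "You are part of a project crew. " + " ".join(MANAGER_ONLY)
ROLE_SCOPED = {"Project Manager": MANAGER_ONLY}


def leaky_crew() -> List[AgentSpec]:
    """The tutorial pattern from the post: no per-agent system_prompt."""
    return [
        AgentSpec("Project Manager", "Oversee the project"),
        AgentSpec("Researcher", "Find relevant information"),
    ]


def scoped_crew() -> List[AgentSpec]:
    """The workaround from the post: each agent gets its own system_prompt,
    and role-scoped instructions live only in that role's prompt."""
    return [
        AgentSpec("Project Manager", "Oversee the project",
                  system_prompt="You manage the project. " + " ".join(MANAGER_ONLY)),
        AgentSpec("Researcher", "Find relevant information",
                  system_prompt="You research and summarise sources for the manager."),
    ]


def audit(agents: List[AgentSpec]) -> List[Tuple[str, str, str]]:
    """Run the cross-role leak check against the sample crew prompt."""
    return find_cross_role_leaks(agents, CREW_PROMPT, ROLE_SCOPED)


if __name__ == "__main__":
    for name, crew in (("leaky", leaky_crew()), ("scoped", scoped_crew())):
        print(f"{name}: {audit(crew)}")
```

The check is deliberately framework-agnostic: feed it whatever message histories your orchestrator actually sends to the model (from the same audit logs the post mentions) rather than a reconstruction, and keep the list of role-scoped instructions next to the crew definition so the test fails the moment someone moves a manager-only instruction back into the shared prompt.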