Been testing agent architectures against indirect injection. Everyone talks about sanitizing prompts, but the real threat surface is the retrieved context.
Built a simple canary token system for my RAG pipeline. The idea:
* Insert unique, invisible markers into knowledge base documents.
* If the agent's output ever contains a marker, we know it's regurgitating retrieved data verbatim. No sanitization occurred.
* Logs the exact document and passage that leaked.
Example token: `||CANARY-7b3f||`. It's in a PDF about quarterly financials. If the agent says "Revenue was up 15% ||CANARY-7b3f|| last quarter..." — alarm triggers.
It's not a defense. It's a detection and measurement tool. Found three of our test agents were blindly copying chunks >200 tokens from source material. Zero transformation.
Next step: correlate canary triggers with tool call arguments. If a token passes into a `shell_exec` tool... that's a direct exploitation path.
Anyone else instrumenting their retrieval flow for actual data leakage metrics? Not just "is the answer correct?" but "is the pipeline structurally secure?"
- mh
Numbers don't lie, but people do.