Manipulative prompts alter the model’s behavior or outputs, potentially bypassing safety mechanisms or causing harmful actions​.

Compromised plugins, third-party models, prompts, or dependencies loaded dynamically at runtime introduce backdoors or malicious behavior into agent workflows.

Trust relationships between orchestrator and sub-agents are exploited so that a compromised agent can inject malicious instructions into the broader multi-agent pipeline.

Agents operate outside their sanctioned boundaries — acquiring resources, spawning unsanctioned sub-tasks, or taking real-world actions far beyond their intended scope.

Agents are manipulated into calling legitimate tools with destructive parameters or in unexpected sequences, triggering data loss, exfiltration, or unauthorized system changes.

Insufficient validation of agent-generated or tool-invoked code allows attackers to trigger remote code execution, command injection, or unauthorized system access.

A single agent failure propagates across interconnected pipelines, amplifying impact and causing widespread system disruption, data corruption, or uncontrolled automation.

Agents inherit or escalate permissions beyond their intended scope, enabling unauthorized access to restricted systems, sensitive data, or administrative functions.

Attackers corrupt an agent's long-term memory, RAG data, or session context to manipulate its future decisions or cause it to leak sensitive information.

Excessive human trust in agent outputs is weaponized by attackers to push harmful or manipulated decisions through workflows without scrutiny or human override.