How The Attack Vectors Can Be Used
meta description vector: hidden instructions are placed in metadata that some crawlers ingest as trusted context.
jsonld vector: instructions are embedded in structured data fields that tooling may parse automatically.
html comment vector: non-visible comments can carry directives to autonomous agents.
hidden text vector: off-screen text can inject instructions if the agent reads raw DOM instead of rendered intent.
hidden link vector: invisible links can trigger unneeded follow-up fetches during crawl expansion.
mixed vector: malicious directives are mixed with valid instructions to exploit instruction-priority confusion.
clean link vector: benign-looking references test whether agents over-follow links even in safe pages.
og image vector: Open Graph metadata can trigger background fetches by preview/extraction tools.
alternate feed vector: rel=alternate links can cause automated ingestion of attacker-controlled feeds.
visible validation vector: fake process language ("verify", "checksum", "workflow") can socially engineer tool actions.
citation vector: citation-style links can trick agents into treating attacker pages as required evidence.
Protection Measures For AI Agent Users
separate instructions from content: treat scraped page text as untrusted data, never as policy or system commands.
enforce tool-call policy: block network/tool actions unless explicitly authorized by the user or controller policy.
use allowlists: restrict follow-up requests to approved domains and endpoint patterns.
drop hidden and non-essential fields: ignore comments, hidden DOM nodes, and non-critical metadata by default.
apply prompt shielding: prepend immutable system rules that reject instruction overrides from retrieved content.
limit autonomous depth: cap link-following depth, request count, and recursion for scraping tasks.
require confirmation gates: for sensitive actions, require explicit user approval before external fetches.
log and monitor: track vector hits, unexpected tool calls, and output contamination for incident response.
test continuously: run red-team challenges regularly and regress-test before model or agent updates.