Slide 7 of 27 · Part 1 · What Is It?
Slide 7 · Who Attacks
Three kinds of actors exploit Excessive Agency.
They don’t need to break into the agent — they just need to steer it.
🕵️ External Attacker via Injection (MOST COMMON)
Plants instructions in data the agent will process: emails, documents, web pages, code comments, MCP tool descriptions. The agent reads the data, follows the instructions, and acts with its full authority — without the attacker ever touching the system directly.
🔧 Compromised Upstream Service (SUPPLY CHAIN)
An MCP server, plugin, or data source the agent trusts is compromised. The attacker controls the tool descriptions or API responses that the agent uses to decide what to do. CVE-2025-54136 (MCPoison): tool descriptions embedded malicious instructions the agent treated as system commands.
👤 Insider / Confused Deputy (PRIVILEGE ESCALATION)
A low-privilege user instructs the agent to take actions that the agent’s credentials allow but the user’s own account does not. The agent acts as a confused deputy — doing the user’s bidding using its own admin-scoped credentials, bypassing access controls the system was designed to enforce.
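All three actors on this slide succeed for the same reason: the agent executes whatever it is steered into with its own authority. The added example below (not part of the slide deck, and not code from any project it references) shows a minimal tool dispatcher that breaks that pattern. Every action carries the principal it is performed on behalf of; instructions that the agent extracted from processed data (emails, web pages, tool descriptions from an upstream server) are tagged as untrusted content and get no authority at all, and requests from a human user are checked against that user's permissions rather than the agent's credentials, which closes the confused-deputy path. The user names, permission table, tool names and sample requests are all constructed for illustration.

```python
"""
Added example (not from the slide deck): a tool dispatcher that refuses
to act on the agent's own authority.  Every action names the principal it
was requested for; the dispatcher checks that principal's permissions,
never the agent's service account.  Users, permissions, tool names and
sample requests are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed permission table: what each human user may do.  The agent's
# own service account is deliberately absent; it never acts for itself.
USER_PERMISSIONS = {
    "alice": {"read_doc", "send_email", "delete_repo"},   # admin-level user
    "bob":   {"read_doc", "send_email"},                  # low-privilege user
}

# Side-effecting tools that additionally need an explicit human confirmation.
REQUIRES_APPROVAL = {"delete_repo", "send_email"}


@dataclass
class Action:
    tool: str
    args: dict
    # Principal the action is performed for.  "untrusted_content" marks an
    # instruction the agent found inside data it processed (an email, a web
    # page, an upstream tool description), as opposed to a user request.
    on_behalf_of: str
    approved: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(action: Action) -> Decision:
    """Decide whether the dispatcher may execute `action`."""
    # Instructions that came out of processed data carry no authority.
    if action.on_behalf_of == "untrusted_content":
        return Decision(False, "instruction originated in untrusted data")
    perms = USER_PERMISSIONS.get(action.on_behalf_of)
    if perms is None:
        return Decision(False, f"unknown principal {action.on_behalf_of!r}")
    # Confused-deputy check: the requesting user's rights, not the agent's.
    if action.tool not in perms:
        return Decision(False, f"{action.on_behalf_of} lacks {action.tool}")
    if action.tool in REQUIRES_APPROVAL and not action.approved:
        return Decision(False, f"{action.tool} needs human approval")
    return Decision(True, "ok")


def dispatch(action: Action, audit: list) -> bool:
    """Execute (simulated) or refuse the action, always writing an audit record."""
    decision = authorize(action)
    audit.append({"tool": action.tool, "principal": action.on_behalf_of,
                  "allowed": decision.allowed, "reason": decision.reason})
    if decision.allowed:
        pass  # the real tool call would go here; simulated as a no-op
    return decision.allowed


def demo() -> list:
    """Run one scenario per actor on the slide and return the audit trail."""
    audit = []
    # 1. External attacker: an instruction planted in an email the agent read.
    dispatch(Action("send_email", {"to": "outside@example.invalid"},
                    on_behalf_of="untrusted_content"), audit)
    # 2. Confused deputy: low-privilege bob asks for an admin-only action.
    dispatch(Action("delete_repo", {"repo": "prod"}, on_behalf_of="bob"), audit)
    # 3. Legitimate: alice holds the right and has given explicit approval.
    dispatch(Action("delete_repo", {"repo": "prod"}, on_behalf_of="alice",
                    approved=True), audit)
    return audit


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The design choice worth noting is that the agent's own credentials never appear in the authorization decision at all: a denied request is denied because the originating principal lacks the right, so steering the agent (by injection, by a poisoned upstream response, or by a low-privilege user) buys nothing beyond what the steering party could already do. The audit list also gives detection a foothold, since a burst of `untrusted_content` denials is itself a signal that something in the agent's input stream is carrying instructions.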