Prompt injection (direct & indirect)
Direct injection lives in the user turn. Indirect injection hides in tool output, web pages the model reads, PDF metadata, or email bodies in an inbox assistant. Assume any text the model ingests can carry instructions.
Data & context leakage
System prompts, retrieved documents, and cached embeddings can all leak. Adversaries ask the model to repeat its instructions, quote its sources, or emit tokens that reconstruct the corpus.
Agent & tool abuse
An agent with shell, browser, or database tools is a confused deputy waiting to happen. A single crafted document can turn a helpful assistant into an exfiltration pipeline.
Insecure output handling
Model output rendered as HTML enables XSS. Passed to eval, exec, or a SQL driver, it enables RCE and injection. Treat generations as untrusted the same way you treat user input.
Model DoS & cost attacks
Repeated long-context requests, recursive tool calls, and image inputs can burn credits and starve legitimate traffic. Budgets and rate limits are security controls, not billing controls.
Brand & content abuse
Lookalike apps, jailbroken clones, and phishing pages wrap your model or brand. Monitor the surface, not just the model.