Securing Agent Systems: Injection, Poisoning, and the Skill Supply Chain

updated 2026-07-07 · reviewed by the Agentiquette editorial desk

Agent systems have three attack surfaces prompts never had: injection (content the agent reads carries hostile instructions), memory poisoning (bad writes recalled as trusted facts), and the skill supply chain (installed skills and MCP servers execute code). Defense is layered: input scanning, scoped permissions, human gates on consequential actions, provenance on memory writes, and dependency-grade review of anything installed.

Key takeaways

  • Any text an agent reads is a potential instruction channel: web pages, READMEs, emails, tool outputs.
  • Memory poisoning converts a one-shot attack into a persistent one; write provenance and consolidation passes are the antidote.
  • Skills and MCP servers are code execution: review scripts before team-wide adoption, every time.
  • Permission profiles beat vigilance: an agent that cannot exfiltrate does not need to be trusted not to.
  • Human gates on consequential actions are the defense that survives novel attacks.

The new attack surfaces

Classic application security assumed instructions and data traveled separately. Agents collapsed that: an agent reads text, and text can carry instructions. Three surfaces follow.

1. Prompt injection

Any content the agent processes is a potential instruction channel: web pages it browses, READMEs it ingests, emails it summarizes, even tool outputs. Injection is not exotic; it is the default state of reading the open internet with something that follows instructions.

Defenses are layered because no single one suffices:

  • Treat retrieved content as data. Skills and pipelines should quote and analyze external text, never obey it.
  • Scan inputs where volume allows (guardrails tooling automates the known patterns).
  • Scope permissions so a hijacked agent has nothing worth hijacking: an agent that cannot read secrets cannot leak them.
  • Gate consequential actions behind human approval; gates survive novel attacks that scanners miss.

2. Memory poisoning

A hostile or simply wrong write to memory recalls later as trusted fact. Poisoning upgrades a one-shot injection into a persistent compromise: the attack survives the session that carried it.

Defenses live at the write path: provenance on every fact (who wrote it, from what source), write rules that exclude instructions-shaped content, editable stores where corrections are cheap, and consolidation passes with delete authority. Recall-side, the standing rule from the Memory Safety Model applies doubly: recalled facts are claims to re-verify.

3. The skill supply chain

Skills can bundle executable scripts. MCP servers are code by definition. Installing either is dependency adoption with an agent attached, and the marketplaces distributing them scale faster than anyone reviews them.

The discipline is the one you already know from packages, applied without exception: read bundled scripts before team-wide adoption, check boundaries and permission expectations, re-review on updates. The skill evaluation checklist makes the security section explicit.

The order of operations

If you harden one thing at a time, harden in this order:

  1. Permission profile (cheapest, broadest): scope file, network, and shell access to the task.
  2. Human gates on the enumerated consequential actions.
  3. Hook-written audit log: you cannot investigate what you didn't record.
  4. Memory write rules with provenance.
  5. Input scanning for high-volume ingestion surfaces.

Items 1 through 3 are governance you can ship this week; the checklist covers them. Red-team the result annually or after major changes, and assume any channel the agent reads will eventually be hostile, because on a long enough timeline it will.

Frequently asked questions

What is prompt injection?

An attack where content an agent processes carries instructions that hijack its behavior against operator intent. Any input channel qualifies, including tool results and files.

How do I defend against prompt injection?

Layered: scan inputs, treat retrieved content as data, scope permissions to the task, gate consequential actions behind human approval, and log everything by hook. No single layer suffices.

Are third-party skills safe to install?

They are dependencies that can execute code. Review bundled scripts, check boundaries, run the evaluation checklist, and re-review on updates, exactly as you would any package.

Summary

Topic
Agent system security
Definition
Defending the three agent attack surfaces: injection, memory poisoning, skill supply chain
Best used for
Hardening production agent deployments
Related concepts
prompt injection, memory poisoning, governance, permission profile
Common mistakes
Trusting retrieved content, unscoped permissions, installing skills without script review
Recommendation
Permissions and gates first; scanning second; assume any read channel can be hostile

Go deeper