Abstract

This document discloses, and thereby places into the public domain as enabling prior art, a mechanism that contains prompt-injection-to-remote-code-execution in tool-using AI agents that accept untrusted document and image attachments. The core control is turn-granular: any conversational turn that introduces a new untrusted attachment is automatically downgraded to read/vision-only for that turn alone — the mutating tools (writefile, editfile, generatefile, runcommand) are hard-denied regardless of the caller's role, and re-enabled automatically on the next attachment-free turn. Three further specifics harden the loop: (1) the untrusted-content taint envelope is re-applied on every history re-hydration, so a poisoned block can never shed its "data, not instructions" framing through compaction or replay; (2) a pre-flight token estimator rejects an over-budget turn before any provider call, so a rejection is never billed; and (3) attachmentids are persisted on both the message row and each tool-execution row, giving a forensic provenance join from any executed — or denied — side-effect back to the exact file that may have induced it. The disclosure establishes dated public prior art over the mechanism, with an enabling, runnable, dependency-free reference implementation.

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.

Share

COinS