Can prompt injection happen through any website the agent visits?

Yes. Any content the agent fetches and reads can contain hidden instructions. This includes documentation pages, Stack Overflow answers, package READMEs, GitHub issues, and any other web content the agent retrieves.

How does Guard scan web content without blocking legitimate documentation?

Guard scans for instruction-like patterns — shell commands, system-prompt prefixes, file path references — while leaving technical documentation intact. Guard flags suspicious patterns for your review rather than blocking all fetched content.

high severityCurated advisory

Indirect prompt injection via web content

When AI agents fetch web pages — documentation, Stack Overflow answers, package READMEs — the fetched content can contain hidden instructions that the agent follows, potentially exfiltrating data or executing unintended actions.

Protect my harness Protect a team

Affected surfacesweb fetch toolsfetched HTML contentdocumentation pagesagent context window

The attack

What happens

An agent fetches a web page to help with a task. The page contains hidden instructions in HTML comments, invisible text, or structured data. The agent reads the page content as context and follows the hidden instructions — which may include reading secrets or calling external endpoints.

Step by step

How the attack unfolds

1Agent uses a web-fetch tool to retrieve a documentation page or Stack Overflow answer.

2The fetched HTML contains a hidden instruction in an HTML comment or invisible text.

3Agent reads the fetched content into its context window.

4Agent follows the hidden instruction — reading a file, calling an API, or sending data externally.

Example

What it looks like in practice

Scenario

A developer asks Claude Code to find documentation for an npm package. Claude fetches the package's README from npmjs.com. The README contains an HTML comment: . Claude reads the comment and runs the command.

Detection

How Guard catches this

Guard scans all fetched web content for instruction-like patterns before the agent processes it.

Guard strips HTML comments, invisible text, and zero-width characters from fetched content.

Guard flags fetched content that contains shell commands, file paths, or URLs.

Mitigation

How to stop it

Recommended action

Treat all fetched web content as untrusted input. Use Guard to scan fetched HTML for instruction-like patterns before passing it to the agent. Never let agents act on instructions found in web content without human review.

Guard configuration

Enable "Web content scanning" to scan fetched HTML for instruction-like patterns.

Enable "HTML sanitization" to strip comments, invisible text, and zero-width characters from fetched content.

Enable "Fetched URL cross-referencing" to check fetched URLs against known-bad endpoints.

FAQ

Common questions

Related advisories

More threats to know about

high

Prompt injection via issue comments and pull requests

Attackers embed hidden instructions in GitHub issues, PR comments, and commit messages. When an AI agent reads these to help triage or review, it follows the embedded instructions — potentially approving malicious code or leaking repository secrets.

Read advisory

medium

Clipboard and terminal buffer injection

Attackers can plant hostile instructions in clipboard contents or terminal scrollback buffers. When an AI agent reads terminal output or the user pastes clipboard content, the hidden instructions execute as if they came from the user.

Read advisory

Stop this threat before it reaches your agent

Install HOL Guard to get real-time protection against this attack and others like it.

Install HOL Guard See team plans