The growing deployment of large language model (LLM) based agents that interact with external environments has created new attack surfaces for adversarial manipulation. One major threat is indirect prompt injection, where attackers embed malicious instructions in external environment output, causing agents to interpret and execute them as if they were legitimate prompts. While previous research has focused primarily on plain-text injection attacks, we find a significant yet underexplored vulnerability: LLMs' dependence on structured chat templates and their susceptibility to contextual manipulation through persuasive multi-turn dialogues. To this end, we introduce ChatInject, an attack that formats malicious payloads to mimic native chat templates, thereby exploiting the model's inherent instruction-following tendencies. Building on this foundation, we develop a persuasion-driven Multi-turn variant that primes the agent across conversational turns to accept and execute otherwise suspicious actions. Through comprehensive experiments across frontier LLMs, we demonstrate three critical findings: (1) ChatInject achieves significantly higher average attack success rates than traditional prompt injection methods, improving from 5.18% to 32.05% on AgentDojo and from 15.13% to 45.90% on InjecAgent, with multi-turn dialogues showing particularly strong performance at average 52.33% success rate on InjecAgent, (2) chat-template-based payloads demonstrate strong transferability across models and remain effective even against closed-source LLMs, despite their unknown template structures, and (3) existing prompt-based defenses are largely ineffective against this attack approach, especially against Multi-turn variants. These findings highlight vulnerabilities in current agent systems.

翻译：基于大型语言模型（LLM）的智能体在与外部环境交互中的日益广泛部署，为对抗性操纵创造了新的攻击面。间接提示注入是主要威胁之一，攻击者将恶意指令嵌入外部环境输出中，导致智能体将其解释并执行为合法提示。尽管先前研究主要集中于纯文本注入攻击，我们发现一个重要但尚未被充分探索的漏洞：LLMs对结构化聊天模板的依赖及其在具有说服力的多轮对话中易受上下文操纵的特性。为此，我们提出ChatInject攻击，该攻击通过格式化恶意载荷以模仿原生聊天模板，从而利用模型固有的指令遵循倾向。在此基础上，我们开发了说服驱动的多轮变体，通过在对话轮次中对智能体进行引导，使其接受并执行原本可疑的操作。通过对前沿LLMs的全面实验，我们证明了三个关键发现：（1）ChatInject的平均攻击成功率显著高于传统提示注入方法，在AgentDojo上从5.18%提升至32.05%，在InjecAgent上从15.13%提升至45.90%，其中多轮对话在InjecAgent上表现出特别强的性能，平均成功率高达52.33%；（2）基于聊天模板的载荷在模型间展现出强大的可迁移性，即使针对模板结构未知的闭源LLMs仍保持有效；（3）现有的基于提示的防御方法对此类攻击基本无效，尤其是针对多轮变体。这些发现揭示了当前智能体系统中的脆弱性。