Jump to pattern

Context Carries Injections Across Boundaries

Why clean transfer of context between agents spreads rather than contains compromise

The Conventional Framing

Agent Handoff patterns transfer context from one specialized agent to another. When Agent A completes its portion of a task, it hands off to Agent B with relevant context. This enables specialization—each agent focuses on what it does best.

The pattern is seen as organized and efficient—clean handoffs between specialists rather than one generalist trying to do everything.

Why This Spreads Compromise

The context being handed off may contain injections. If Agent A was compromised or processed compromised input, the handoff context carries that compromise to Agent B. Handoff is lateral movement for injections.

Agent B receives context and trusts it because "Agent A prepared it." But Agent A didn't sanitize for injections—it just did its job and passed along the results.

Why handoffs propagate attacks:

Context accumulates. Each handoff adds context. Injections in early stages persist through all subsequent handoffs.
Specialization creates blind spots. Agent B only knows its domain. It can't detect that handoff context contains out-of-scope injections.
Trust by association. "Agent A is trusted, so its output is trusted." This is exactly the chain injections exploit.

Architecture

Components:

Source agent— completes work, prepares handoff
Handoff payload— context and results transferred
Target agent— receives handoff, continues work
Handoff protocol— structure of transferred information

Trust Boundaries

Agent A (Research) ──handoff──► Agent B (Analysis) ──handoff──► Agent C (Action) │ │ │ ▼ ▼ ▼ [User query + [A's context + [B's context + injection] injection] injection] The injection travels through the entire pipeline. Each agent adds it to context for the next. Agent C acts on accumulated poisoned context.

User → Agent A — injection enters the chain
Handoff A → B — injection propagates
Handoff B → C — injection reaches action agent

Threat Surface

Threat	Vector	Impact
Context poisoning	Injection in handoff context affects downstream agents	Compromise propagates through agent chain
Handoff manipulation	Attacker modifies context during transfer	Different context received than sent
Authority accumulation	Each agent adds capabilities, injection gains all	Injection can leverage all agents' authorities
Provenance loss	Can't trace which agent added which content	Difficult to identify compromise source

The ZIVIS Position

•
Handoff is not sanitization.Moving context from Agent A to Agent B doesn't clean it. If A's context was poisoned, B's context is poisoned.
•
Validate at handoff boundaries.Each handoff should include validation. Agent B shouldn't blindly trust what Agent A sends—it should verify.
•
Minimize context transfer.Only pass what's necessary. Large context transfers include more potential injection surface. Prefer structured data over free-form text.
•
Track context provenance.Every piece of context should be tagged with its source. Agents can weight trust based on where content came from originally, not just which agent passed it.

What We Tell Clients

Agent handoffs are convenient for workflow organization but dangerous for security. Every handoff is an opportunity for injections to spread.

Treat handoff boundaries as trust boundaries. Validate incoming context, minimize what's transferred, and track where content originally came from—not just which agent last touched it.

Related Patterns

Multi-Agent Orchestration— handoffs are how multi-agent systems move work
Blackboard Architecture— shared state alternative to explicit handoffs
Input Sanitization— should happen at each handoff boundary