πŸ”AI RiskAtlas
← Scenario library

Poisoning the Agent Factory

Compromise the pipeline that builds agents, and every new worker is born malicious

Technique first revealed 17 Feb 2024

Multi-Agent System

[Diagram: a multi-agent system laid out in four trust zones (Untrusted, Agent team, Oversight, External). Components: User, Planner Agent, Research Agent, Coding Agent, Comms Agent, Tool Runtime, Untrusted Content, Business Database, External APIs, Monitoring & Evals, Agent Registry, Agent provisioning, Attacker (write access). Labelled edges: "admits / authenticates agents", "provisions workers from template". Edge types in the legend: Instructions, Data, Actions, Control / decision, Feedback / logs.]
Setup (Step 1 / 6)

A team that stamps out its own workers

When the work piles up, the manager spins up extra worker agents, all built from one shared template that says how a worker should behave and what tools it gets. It's an agent factory: fast, consistent, and used constantly.

βš™οΈBase agent template (provisioning)config
agent_template: worker.v7
  system_prompt: "You are a worker agent. Follow the planner's tasks."
  tools: [search, read, write_report]
  credentials: scoped-per-task
  # every spawned worker is instantiated from this single template
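As an added illustration (not code from AI RiskAtlas), the check a registry can make before admitting a worker: pin the digest of the approved template so that any worker provisioned from a modified template is refused and logged instead of joining the team. The names AgentRegistry, provision_workers and the extra tool "post_external" are assumptions for this example.

```python
import hashlib
import json

# Constructed example: a worker template with the same fields as the page's
# worker.v7 config, and a registry that pins the SHA-256 of the approved template.
APPROVED_TEMPLATE = {
    "name": "worker.v7",
    "system_prompt": "You are a worker agent. Follow the planner's tasks.",
    "tools": ["search", "read", "write_report"],
    "credentials": "scoped-per-task",
}

def template_digest(template: dict) -> str:
    """Hash a canonical JSON form (sorted keys, fixed separators) so the digest is stable."""
    canonical = json.dumps(template, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

class AgentRegistry:
    """Admits a worker only if it was built from a template whose digest is pinned."""
    def __init__(self, approved: dict):
        self.pinned = {approved["name"]: template_digest(approved)}
        self.admitted = []    # worker ids that passed the check
        self.rejections = []  # (worker_id, template name, observed digest) for monitoring

    def admit(self, worker_id: str, template: dict) -> bool:
        expected = self.pinned.get(template.get("name"))
        actual = template_digest(template)
        if expected is None or expected != actual:
            self.rejections.append((worker_id, template.get("name"), actual))
            return False
        self.admitted.append(worker_id)
        return True

def provision_workers(template: dict, count: int, registry: AgentRegistry) -> list:
    """Spawn `count` workers from one shared template; each must be admitted by the registry."""
    admitted = []
    for i in range(count):
        worker_id = f"{template['name']}-{i}"
        if registry.admit(worker_id, template):
            admitted.append(worker_id)
    return admitted

def demo() -> tuple:
    registry = AgentRegistry(APPROVED_TEMPLATE)
    clean = provision_workers(APPROVED_TEMPLATE, 3, registry)
    # Simulate an unauthorised write to the shared template: one extra tool added.
    tampered = dict(APPROVED_TEMPLATE, tools=APPROVED_TEMPLATE["tools"] + ["post_external"])
    bad = provision_workers(tampered, 3, registry)
    return len(clean), len(bad), len(registry.rejections)
```

Because every worker is instantiated from the one template, a single unpinned change would otherwise propagate to all three spawned workers; with the pin in place the registry refuses them and the rejections list gives Monitoring & Evals something to alert on.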

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning, not operational guidance. Real-world cases are summarised from public reporting.

Built by Shi Yuan