🔍AI RiskAtlas

The Worker Who Spoke for the Boss

A poisoned web page hijacks a research agent — and the planner acts on its behalf

Technique first revealed 23 Feb 2023

Multi-Agent System
[Diagram: Multi-Agent System. Groups: Untrusted, Agent team, Oversight, External. Components: User, Planner Agent, Research Agent, Coding Agent, Comms Agent, Tool Runtime, Untrusted Content, Business Database, External APIs, Monitoring & Evals, Agent Registry, Attacker page (hidden text). The User's goal goes to the Planner Agent, which delegates to the worker agents. Edge legend: Instructions, Data, Actions, Control / decision, Feedback / logs.]
Setup (Step 1 / 6)

A normal delegated task

A salesperson asks the AI team to research three competitors and draft outreach emails. The manager AI splits the work and gives the research worker the job of reading competitor websites.

💬 User goal to the planner (prompt):
Goal: Research competitors Acme, Bolt, and Cirro. Summarise their pricing pages, then draft three short outreach emails to our prospects.

(No mention of our customer list, and no instruction to email anyone outside our prospect set.)
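As an added illustration, not part of the AI RiskAtlas page, here is how the Tool Runtime in the diagram could pin the task's authority to the user's goal at delegation time: the prospect addresses, the competitor sites and the database tables the goal needs are fixed up front, so a worker's later request to email someone else or read the customer list is refused and logged to Monitoring & Evals regardless of what that worker read on the web. All hostnames, addresses and table names are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TaskScope:
    """Authorisation fixed from the user's goal when the planner delegates.
    Nothing an agent reads later (e.g. a competitor web page) can widen it."""
    competitors: frozenset[str]   # sites the goal asked us to read
    prospects: frozenset[str]     # only addresses the goal asked us to contact
    tables: frozenset[str]        # only database tables the goal actually needs


@dataclass
class ToolRuntime:
    """Mediates every tool call; each verdict goes to the oversight log."""
    scope: TaskScope
    audit_log: list[str] = field(default_factory=list)

    def _decide(self, allowed: bool, agent: str, action: str, target: str) -> bool:
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(f"{verdict} {action} agent={agent} target={target}")
        return allowed

    def send_email(self, agent: str, to: str, body: str) -> bool:
        # Recipient is checked against scope, never against who asks or what the body says.
        return self._decide(to.lower() in self.scope.prospects, agent, "send_email", to)

    def query_database(self, agent: str, table: str) -> bool:
        # The goal never mentioned the customer list, so that table stays closed.
        return self._decide(table in self.scope.tables, agent, "query_database", table)

    def fetch_page(self, agent: str, url: str) -> bool:
        # Reading competitor sites is in scope; the fetched text is data, not instructions.
        host = url.split("/")[2] if "//" in url else url
        return self._decide(host in self.scope.competitors, agent, "fetch_page", url)


def build_runtime() -> ToolRuntime:
    """Constructed (hypothetical) scope for the goal quoted on this page."""
    scope = TaskScope(
        competitors=frozenset({"acme.example", "bolt.example", "cirro.example"}),
        prospects=frozenset({"dana@prospect-one.example", "lee@prospect-two.example"}),
        tables=frozenset({"prospects"}),
    )
    return ToolRuntime(scope)


if __name__ == "__main__":
    rt = build_runtime()
    rt.fetch_page("research-agent", "https://acme.example/pricing")
    rt.send_email("comms-agent", "dana@prospect-one.example", "Quick intro...")
    rt.send_email("comms-agent", "someone@outside.example", "customer list attached")
    rt.query_database("research-agent", "customers")
    print("\n".join(rt.audit_log))
```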

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning — not operational guidance. Real-world cases are summarised from public reporting.

Built by Shi Yuan