Self-hosted LLM agents like Ollama are not immune to prompt injection just because they run locally. In multi-agent setups, indirect prompt injection through tool outputs, retrieved documents, or inter-agent messages is the primary attack surface. No cloud connection does not mean no attack surface.
Analysis Briefing
- Topic: Prompt injection defense for local LLM agents
- Analyst: Mike D (@MrComputerScience)
- Context: An adversarial analysis prompted by Grok 2
- Source: Pithy Security
- Key Question: Can a local-only LLM agent be hijacked through its own inputs?
Why Prompt Injection Hits Multi-Agent Ollama Setups Hard
Prompt injection works by smuggling adversarial instructions into content the model treats as trusted. In a single-agent setup, the attack surface is limited. In multi-agent pipelines, every agent output becomes a potential injection vector for the next agent downstream.
When one agent summarizes a web page, queries a database, or reads a file, that content lands in another agent’s context window as apparent ground truth. The receiving model has no cryptographic way to distinguish legitimate orchestration instructions from injected ones embedded in retrieved data.
Ollama exposes a local REST API on port 11434 with no authentication by default. If any agent in your pipeline processes externally sourced content (user uploads, scraped web data, email bodies, RAG retrieval results), that content can carry instructions targeting your orchestration layer.
MITRE ATLAS catalogs this class of attack under adversarial ML tactics. It is not theoretical. Researchers have demonstrated cross-agent hijacking in AutoGen and LangChain-based pipelines using nothing more than poisoned documents.
The Real Damage Indirect Hijacking Does in Production
Indirect prompt injection does not need network access to cause damage. A hijacked local agent can exfiltrate data to a file path, execute shell commands via tool use, modify downstream agent instructions, or corrupt memory stores that persist across sessions.
The blast radius scales with the permissions your agent framework grants. An agent with filesystem access, subprocess execution, or outbound HTTP tool calls turns a prompt injection into a code execution primitive. Most default AutoGen and CrewAI configurations grant broad tool access out of the box.
In multi-agent setups, a single compromised agent can pivot. It injects malicious instructions into its own output, which the orchestrator passes to the next agent as a trusted message. The chain corrupts silently, often with no visible error.
When Sandboxing and Input Validation Actually Contain the Blast
Input sanitization alone is not sufficient, but it raises the cost of exploitation meaningfully. Strip instruction-like patterns from retrieved content before it enters any agent context. Flag strings containing phrases like “ignore previous instructions,” “you are now,” or “system:” using a regex or a lightweight classifier before passing retrieval results to your agent.
Sandboxing tool execution matters more than prompt filtering in high-risk pipelines. Run tool-use capable agents inside containers with no network egress and read-only filesystem mounts where possible. Docker with --network none and --read-only limits what a hijacked agent can actually do.
For Ollama specifically, bind the API to localhost only and block port 11434 at the host firewall. Add an authentication proxy (Nginx with basic auth or mTLS) in front of any multi-agent setup where more than one process calls the endpoint. Never expose Ollama directly on a LAN without access control.
What This Means For You
- Sanitize all externally sourced content before it enters any agent context window, including RAG chunks, file reads, and tool call responses from third-party APIs.
- Restrict Ollama to localhost, and add an auth proxy in front of it if multiple agents or services share the same endpoint.
- Run tool-capable agents in containers with
--network noneand minimal filesystem mounts to limit what a successful injection can actually execute. - Audit your agent tool permissions. Remove shell execution, outbound HTTP, and broad filesystem access from any agent that processes untrusted external content.
Enjoyed this deep dive? Join my inner circle:
- Pithy Security → Stay ahead of cybersecurity threats.