What is OWASP ASI01 Agent Goal Hijack?
Agent goal hijack is when untrusted content changes an agent's objective, task plan, or decision path. Unlike a single bad reply, the whole workflow chases the wrong goal with full privileges.
What this looks like in production
EchoLeak-style cases showed Copilot-style agents exfiltrating data from hidden email content the user never opened. You asked it to read mail; the attacker redefined success.
What teams usually do about it
- Sanitize external content before it influences planning.
- Make goals explicit and auditable across multi-step runs.
- Test indirect injection across tools and memory, not one chat turn.