---
name: prompt-injection-defense
description: "Red-team an Agentforce agent against prompt-injection and jailbreak attacks; codify test cases and guardrails. NOT for general application-security reviews outside the agent boundary."
category: agentforce
salesforce-version: "Spring '25+"
well-architected-pillars:
  - Security
  - Reliability
triggers:
  - "red-team my Agentforce agent"
  - "can my agent be jailbroken"
  - "how do I prevent prompt injection"
  - "agent revealed data from another case"
tags:
  - agentforce
  - security
  - prompt-injection
  - red-team
inputs:
  - "Agent topic + actions list"
  - "threat model (who, what data)"
outputs:
  - "Adversarial test set"
  - "Trust Layer policy updates"
  - "topic instruction hardening"
dependencies: []
version: 1.0.0
author: Pranav Nagrecha
updated: 2026-04-28
---

# Prompt Injection Defense

Agentforce uses the Einstein Trust Layer for dynamic grounding, masking, and toxicity filtering — but topic instructions and Invocable action scopes still need explicit hardening. Injection attempts include: instruction override, role-reversal, system-prompt leaks, tool-use coercion, and data exfiltration via crafted record content. This skill builds a reusable adversarial test suite and maps findings to concrete guardrails.

## Adoption Signals

Pre-production review for any Agentforce agent that (a) ingests user-controlled text, (b) has write access via Invocables, or (c) is exposed to external/Experience Cloud users. Required for Service agents, Sales agents with Data Cloud grounding, and any custom channel.

- Required when stakeholders ask whether the agent can be jailbroken — produce a documented adversarial-test pass before exposure.
- Required for any agent that exposes Invocable actions with side effects (DML, callouts, record sharing).

## Recommended Workflow

1. Enumerate the attack surface: every Invocable action, every grounded DMO/sObject, and every conversational input channel.
2. Build the adversarial test set covering the five OWASP LLM-01 families: instruction override, context leakage, tool-use coercion, exfil via output, and role impersonation.
3. Run each test through Agentforce Testing Center; capture verbatim responses and tool invocations into a results matrix.
4. For each failed test, apply one of four mitigations: (a) narrow the action scope via `with sharing` + field-level checks, (b) add an explicit topic instruction, (c) raise Trust Layer toxicity/PII thresholds, (d) remove the dangerous capability.
5. Re-run the suite until all tests pass; commit the suite to `tests/agentforce/<agent>_adversarial.md` so regressions are caught on every agent change.

## Key Considerations

- Topic instructions are concatenated into the system prompt — a long instruction list dilutes priority. Keep hard constraints in the first 200 tokens.
- Trust Layer masking happens pre-LLM; it doesn't prevent tool-use coercion if the action runs as a privileged user.
- Always test with the least-privileged channel user, not an admin clone.
- Data Cloud grounding returns raw DMO content; a malicious record can contain injection payloads. Sanitize DMO text fields at ingestion when feasible.

## Worked Examples (see `references/examples.md`)

- *Instruction-override test case* — A Service agent has an Invocable `RefundOrder` with guardrail 'only refund orders where Status=Delivered'.
- *Data exfiltration via crafted Case.Description* — Agent reads Case.Description via Data Cloud grounding to answer customer questions.

## Common Gotchas (see `references/gotchas.md`)

- **Testing only with English** — Injection passes the English suite but succeeds in Spanish/French.
- **Trust Layer toxicity threshold too low** — Jailbreaks phrased politely pass filters; toxic but benign content is blocked.
- **Over-indexing on topic instructions** — 100-line topic instructions dilute priority and slow every turn.

## Top LLM Anti-Patterns (full list in `references/llm-anti-patterns.md`)

- Relying on Trust Layer alone — it handles toxicity/PII, not business-policy bypass via tool coercion.
- Adding ad-hoc instructions after incidents instead of maintaining a test suite.
- Using a privileged user for agent execution — scope creep becomes a data-exposure vector.

## Official Sources Used

- Agentforce Developer Guide — https://developer.salesforce.com/docs/einstein/genai/guide/agentforce.html
- Einstein Trust Layer — https://help.salesforce.com/s/articleView?id=sf.generative_ai_trust_layer.htm
- Invocable Actions (Apex) — https://developer.salesforce.com/docs/atlas.en-us.apexref.meta/apexref/apex_classes_invocable_action.htm
- Agentforce Testing Center — https://help.salesforce.com/s/articleView?id=sf.agentforce_testing_center.htm