Threats · Deep dive

The Lethal Trifecta: Injection + Sensitive Data + Tool Access

Three capabilities that are each fine alone become a data-exfiltration engine when combined. The frame every agent design should pass through.

Read time
8 min
Threat coverage
LLM01 · Excessive agency
Frameworks
OWASP LLM · NIST AI RMF
Audience
Security architects · Builders

Three capabilities, each reasonable on its own, combine into something that isn't: an automatic data-exfiltration engine. Security researchers call the combination the "lethal trifecta," and it's the single most useful test to run any agent design through.

The three legs

An agent becomes dangerous when it holds all three of these at once:

  • Access to untrusted content (the injection vector) — it reads web pages, emails, documents, or tickets an attacker can influence.
  • Access to sensitive data (the prize) — private records, secrets, internal systems.
  • Ability to communicate externally (the exfiltration path) — send email, call an API, make a request off your network.

Why it compounds

Any one leg alone is broadly safe. An agent that reads untrusted content but holds no secrets has nothing to leak. One with secrets but no untrusted input has no attacker in the loop. One that can send data externally but sees nothing sensitive carries nothing worth stealing. Put all three in the same trust context and the attack writes itself: inject via the untrusted content, instruct the agent to read the sensitive data, and tell it to send the data out — all using the agent's own legitimate capabilities.

Worked scenario

Inbox assistant → silent data leak

Setup: An assistant reads incoming email (untrusted), can search the mailbox (sensitive), and can send mail (external).
Attack: A crafted email instructs the assistant to find recent security codes and forward them to an outside address.
Fix: Break a leg. No send-to-external after reading untrusted mail, or no mailbox search in the same context, or human approval on outbound.

Breaking the trifecta

You don't need to eliminate all three capabilities — you need to ensure they never co-exist in one unsupervised trust context. Practically: separate the contexts that touch untrusted input from those that hold secrets; remove the external-egress leg from any flow that just ingested untrusted content; or put a human gate on the exfiltration path. Removing any one leg collapses the attack.

Checklist

  • Every agent is evaluated against the three legs before deployment.
  • No single context combines untrusted input, sensitive data, and external egress unsupervised.
  • External-communication tools are gated or removed after untrusted ingestion.
  • Sensitive data access is scoped away from untrusted-content handlers.
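To make the three legs, the inbox-assistant scenario and the checklist concrete, here is an added example (not SecuraAI's tooling, and not code from the original article). It models an agent's tool set as a set of trifecta legs, runs the pre-deployment check the checklist asks for, and enforces the runtime rule "no external send after untrusted ingestion" by tainting the context once an untrusted-input tool has been used. The tool names (read_inbox, search_mailbox, send_mail), the capability tags and the agent definitions are constructed to mirror the worked scenario; the split-context variant only shows the tool partition, not how a sanitised summary would cross between the two contexts.

```python
"""Trifecta check for an agent's tool set: a static pre-deployment evaluation
plus a runtime egress gate. Added example, not SecuraAI tooling; tool names
and sample agent definitions are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Set


class Leg(Enum):
    UNTRUSTED_INPUT = "untrusted_input"   # reads content an attacker can influence
    SENSITIVE_DATA = "sensitive_data"     # reaches private records or secrets
    EXTERNAL_EGRESS = "external_egress"   # can move data off the network


@dataclass(frozen=True)
class Tool:
    name: str
    legs: FrozenSet[Leg]
    human_gated: bool = False  # a human approves each call before it executes


@dataclass
class TrustContext:
    """One unsupervised context: all tools share the same prompt, memory and model output."""
    name: str
    tools: List[Tool]
    tainted: bool = False     # flips once untrusted content has been ingested
    egress_gate: bool = True  # refuse ungated egress tools in a tainted context


class EgressBlocked(Exception):
    pass


def unsupervised_legs(ctx: TrustContext) -> Set[Leg]:
    """Legs the agent can exercise with no human in the loop.
    A human-gated tool still exists, but it does not count as an unsupervised leg."""
    legs: Set[Leg] = set()
    for tool in ctx.tools:
        if not tool.human_gated:
            legs |= tool.legs
    return legs


def has_lethal_trifecta(ctx: TrustContext) -> bool:
    """Static check to run on every agent design before deployment."""
    return unsupervised_legs(ctx) == set(Leg)


def invoke(ctx: TrustContext, tool_name: str) -> str:
    """Runtime gate: once the context has ingested untrusted content, an
    ungated external-egress tool is refused for the rest of the context's life."""
    tool = {t.name: t for t in ctx.tools}.get(tool_name)
    if tool is None:
        raise KeyError(f"{ctx.name} has no tool named {tool_name}")
    if (Leg.EXTERNAL_EGRESS in tool.legs and ctx.tainted
            and ctx.egress_gate and not tool.human_gated):
        raise EgressBlocked(
            f"{tool.name} refused in {ctx.name}: untrusted content already ingested")
    if Leg.UNTRUSTED_INPUT in tool.legs:
        ctx.tainted = True  # model output may now carry injected instructions
    if tool.human_gated:
        return f"{tool.name} queued for human approval"
    return f"{tool.name} ran"


# --- constructed sample: the inbox assistant from the worked scenario ---
READ_INBOX = Tool("read_inbox", frozenset({Leg.UNTRUSTED_INPUT}))
SEARCH_MAILBOX = Tool("search_mailbox", frozenset({Leg.SENSITIVE_DATA}))
SEND_MAIL = Tool("send_mail", frozenset({Leg.EXTERNAL_EGRESS}))
SEND_MAIL_GATED = Tool("send_mail", frozenset({Leg.EXTERNAL_EGRESS}), human_gated=True)


def inbox_assistant(gated_send: bool = False, egress_gate: bool = True) -> TrustContext:
    """All three legs in one context; gated_send and egress_gate are the two
    single-context fixes from the article (human gate, or no send after untrusted read)."""
    send = SEND_MAIL_GATED if gated_send else SEND_MAIL
    return TrustContext("inbox-assistant", [READ_INBOX, SEARCH_MAILBOX, send], egress_gate=egress_gate)


def split_inbox_assistant() -> List[TrustContext]:
    """Third fix: the untrusted-input handler holds no secrets and no egress, and the
    mailbox context never reads raw mail, so neither context has all three legs."""
    return [
        TrustContext("mail-reader", [READ_INBOX]),
        TrustContext("mailbox-actions", [SEARCH_MAILBOX, SEND_MAIL]),
    ]


def run_scenario(ctx: TrustContext) -> List[str]:
    """Replays the scenario's tool order (read untrusted mail, search, send) and
    returns one outcome per step so callers can see where the gate fires."""
    outcomes = []
    for name in ("read_inbox", "search_mailbox", "send_mail"):
        try:
            outcomes.append(invoke(ctx, name))
        except EgressBlocked as exc:
            outcomes.append(f"BLOCKED: {exc}")
    return outcomes


if __name__ == "__main__":
    for ctx in (inbox_assistant(egress_gate=False), inbox_assistant(), inbox_assistant(gated_send=True)):
        print(ctx.name, "| trifecta:", has_lethal_trifecta(ctx), "| egress gate:", ctx.egress_gate)
        for step in run_scenario(ctx):
            print("   ", step)
```

Run with the gate disabled and all three steps succeed, which is the leak in the scenario. With the gate on, the static check still flags the design (all three legs are held unsupervised), but the send is refused because read_inbox tainted the context first. With the human-gated send_mail, the static check passes and the send is queued for approval rather than executed, which is the "human approval on outbound" fix. The taint is per context and one-way on purpose: once untrusted content has been read, nothing later in that context can prove the model's output is free of injected instructions.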

Put the research to work.

See how SecuraAI discovers, scores, and governs every AI asset in your environment.