Agent successfully identifies a honeypot and prompt injection but still falls for it

[jorgeraad]

Description

A user called out that apex successfully identified a user-created honeypot and prompt injection but still proceeded to follow the given instructions.

It's worth taking a look and hardening against prompt injection attacks.

[vgudur-dev]

The "identifies but still follows" failure mode is a well-documented LLM behavior: the model's reasoning trace correctly labels the content as a honeypot or injection attempt, but the instruction-following pathway executes anyway because the model treats its own analysis as advisory rather than as a hard gate.

This is distinct from a detection failure — the classifier is working. The gap is enforcement: there's no mechanism that converts a positive detection into a blocked action.

Two approaches for hardening:

1. Pre-execution gate (recommended): Before any tool call or action, run a lightweight check on the assembled context. If the injection detector fired during the current turn, require explicit user confirmation before proceeding. This is the pattern used in OWASP Agent Memory Guard's PolicyAction.REQUIRE_CONFIRMATION mode — the agent pauses and surfaces the detection to the user rather than proceeding autonomously.

2. Reasoning-to-action consistency check: After the model produces a reasoning trace that identifies an injection, verify that the subsequent action is consistent with that identification (i.e., the action should be "refuse" or "flag", not "execute"). If the action contradicts the reasoning, block and log.

The ATB-E03 fixture ("detection-bypass via compliant framing") covers the specific case where the model identifies the injection but proceeds because the payload is framed as a user request rather than an override.