Learning to Inject: Automated Prompt Injection via Reinforcement Learning

TL;DR

This paper introduces AutoInject, a reinforcement learning framework that automates prompt injection attacks on large language models, improving scalability and transferability compared to manual methods.

Contribution

AutoInject is the first reinforcement learning-based approach for automated prompt injection, capable of generating transferable adversarial prompts without human intervention.

Findings

Successfully attacked GPT 5 Nano, Claude Sonnet 3.5, and Gemini 2.5 Flash.

Outperformed existing manual prompt injection methods.

Established a new baseline for automated prompt injection research.

Abstract

Prompt injection is one of the most critical vulnerabilities in LLM agents; yet, effective automated attacks remain largely unexplored from an optimization perspective. Existing methods heavily depend on human red-teamers and hand-crafted prompts, limiting their scalability and adaptability. We propose AutoInject, a reinforcement learning framework that generates universal, transferable adversarial suffixes while jointly optimizing for attack success and utility preservation on benign tasks. Our black-box method supports both query-based optimization and transfer attacks to unseen models and tasks. Using only a 1.5B parameter adversarial suffix generator, we successfully compromise frontier systems including GPT 5 Nano, Claude Sonnet 3.5, and Gemini 2.5 Flash on the AgentDojo benchmark, establishing a stronger baseline for automated prompt injection research.