Definition
Plain language
Any way an attacker can get their content saved into a place an AI agent will later read from.
As stated in the literature
In stored-injection threat models, a channel that lets untrusted content persist into an agent's reloaded state (memory, profile, files, auto-loaded instruction files); the minimal capability needed to stage a cross-session attack.
Also called: write primitives
Why it matters: It is the minimal foothold an attacker needs to plant a lasting trap in an agent's memory, so identifying these channels is key to closing them off.
For example, the ability to add a comment to a shared document that an agent later auto-loads is a write primitive an attacker could abuse.
Heard on the show
“All they need is what the authors call a write primitive — some way to get content from the untrusted side into a channel that persists.”Episode 113 — What If a Prompt Injection Never Left? Attacks That Wait in Agent Memory