Prompt Injection Examples: Webpages, Emails, PDFs

Q: Can a normal webpage or email contain prompt injection?

Yes. Ordinary pages, listings, reviews, emails, and documents can all carry instruction-like text that tries to redirect the model's behavior.

Q: Are prompt injection examples always invisible to humans?

No. Some attacks are visible but look like ordinary content, while others may sit in comments, copied text layers, metadata, or other parser-visible text that people often miss.

Short answer

A prompt injection example is any case where third-party content includes instructions that the AI was supposed to treat as data, but follows as commands instead. That content might be a webpage, an email, a PDF, a search result, or the output of another tool. The reason examples matter is that they make the risk concrete: the model was asked to read something, but the attacker turned that content into part of the model's control flow.

OpenAI's recent security writing gives the most readable beginner examples: apartment listings, review pages, documents, and email workflows. The Tensor Trust paper gives the best compact research framing: many of these failures reduce to prompt hijacking or prompt extraction. Those two buckets are useful because they explain what the attacker wants the content to do.

If you want the broader definition first, read our prompt injection explainer. If you want the direct-vs-indirect distinction first, read our indirect prompt injection guide. This page is the examples-first version.

What makes something a prompt injection example?

Most real examples share three traits. First, the content comes from a lower-trust source such as a public webpage, email, attachment, or external tool. Second, the content contains text that tries to act like instructions rather than ordinary data. Third, the model treats that text as actionable. Once those three conditions line up, the model can be pushed off task even though the user never asked for the bad behavior.

Tensor Trust is useful here because it breaks the outcome into two simple buckets. In a prompt hijacking example, the attacker changes what the model is trying to do. In a prompt extraction example, the attacker tries to get the model to reveal hidden instructions, secrets, or other protected context. In practice, many examples lean heavily toward one of those two outcomes.

Prompt injection examples at a glance

If you only need the practical picture, this table captures the most common content paths.

Content source	How hidden instructions show up	What can go wrong
Webpages, listings, reviews	Instruction-like text appears in page content, comments, reviews, or machine-readable page text	The AI recommends the wrong listing, mis-summarizes the page, or prioritizes the attacker's content
Emails and inbox workflows	An email body or attachment tells the agent to ignore the user's task and do something else	The agent leaks private data, forwards documents, or sends the wrong message
PDFs and other documents	Instructions live in document body text, copied text layers, comments, or attachment content	The model follows instructions embedded in a file it was only supposed to analyze
Tool output and retrieved text	Search snippets, inbox results, OCR, or other tool returns include attacker-controlled text	The workflow is steered, rankings change, or the model reveals hidden context
Metadata, comments, parser-visible text	Humans see one thing while the parser sees extra text in comments, fields, or extracted content	The attack stays easy to miss during review while still reaching the model

Webpage examples: listings, reviews, and ordinary pages

One of OpenAI's clearest prompt injection examples is simple: a user asks AI to research apartments or vacation options, and the attacker places instructions inside a listing or related review content. The hidden instruction tells the model to recommend that listing regardless of the user's real criteria. If the attack works, the model gives a bad recommendation even though the visible task looked harmless.

This is a good beginner example because it shows that prompt injection is not limited to obviously malicious chat prompts. A page can look normal to the user while still containing attacker-controlled language that pushes the model off task. The failure is usually prompt hijacking: the AI stops optimizing for the user's criteria and starts optimizing for the attacker's preferred answer.

Webpage examples also generalize well beyond listings. The same pattern can sit inside product pages, forum posts, support articles, comment sections, or scraped search snippets. The common mistake is not "the model read the page." The mistake is "the model obeyed text inside the page."

Email examples: inbox summaries and agent workflows

Email is one of the strongest prompt injection examples because the attack path and the bad outcome are both easy to understand. OpenAI describes a case where a user asks an AI agent to generally respond to overnight emails, and an attacker email tries to make the model locate bank statements and share them. OpenAI Atlas gives an even sharper version: the agent opens a malicious email while trying to help with inbox work and ends up sending a resignation email instead of drafting an out-of-office reply.

These examples matter because they show how prompt injection gets more serious when the model has access to inboxes, documents, or send-message actions. The result is no longer just a flawed summary. It can become a data leak or an unintended action. In other words, email often turns prompt injection from a content problem into an operational problem.

The OpenAI guidance around these examples is also practical: broad requests like "handle my emails" give hidden content more room to redirect the workflow. Narrower instructions, confirmation before sensitive actions, and reduced logged-in access all make the example harder to exploit.

PDF and document examples: files the AI was only supposed to read

OpenAI explicitly names documents and attachments as common carriers for prompt injection, and that is the right way to think about prompt injection in PDFs and DOCX files. The format does not change the core issue. A model or agent opens a document to analyze it, summarize it, or retrieve facts from it, and the document contains text that tries to become instructions.

In practice, document examples are useful because humans often review the rendered page while the model consumes extracted text. That means the risky text may live in the obvious body copy, but it can also live in copied text layers, comments, appendix material, or other parser-visible content. The AI does not care whether the instruction came from a webpage or a file if both arrive as text in context.

This is where beginner articles should avoid a common mistake: hidden does not always mean invisible. Some document attacks are simply buried, low-salience, or out of place. Others really are easier for the parser to see than for the user. Both still count as prompt injection examples because the content was supposed to be read as data.

Tool output and retrieval examples: the attack rides in through another system

Some of the most useful prompt injection examples do not come from a webpage or attachment directly. They come from tool output. Tensor Trust opens with a simple inbox-search scenario: an LLM is asked to list the emails that best match a user's query, and a spammer email includes instructions telling the model to rank that email first. The user asked for search help. The attacker turned one search result into a control message.

Tensor Trust also highlights the other major bucket, prompt extraction. In its introductory framing, a malicious query can try to make the model reveal its hidden prompt so the attacker can copy or exploit it. That is useful for this blog because it shows that prompt injection examples are not only about bad recommendations or wrong actions. They can also be about leaking hidden instructions or protected context.

Tool-output examples matter in real applications because agents often read search snippets, vector-store passages, OCR results, browser text, or other model-generated intermediate output. If one returned item carries instructions, the attack can enter the workflow without ever appearing as a direct user prompt.

If you want the retrieval-pipeline version of that exact failure mode, see our RAG prompt injection explainer. It covers how retrieved chunks become instructions inside retrieval-augmented generation systems.

If you want the MCP version, where the malicious instruction lives in tool metadata instead of a retrieved chunk, see our MCP security explainer. It covers tool poisoning, poisoned manifests, and why some bad tools are dangerous before execution.

Hidden metadata, comments, and parser-visible text

When people search for prompt injection examples, they often imagine neon-red attacker text that says "ignore previous instructions." Real systems are messier. Sometimes the malicious text is visible. Sometimes it sits in comments, metadata, copied text layers, or machine-readable fields. Sometimes the page a human sees is not the same content the extraction pipeline hands to the model.

That parser-visible gap is one of the most important concepts for general readers. A human reviewer may think a file or page looks benign while the model still receives extra text during HTML parsing, OCR, document extraction, or tool chaining. From the model's perspective, those extra strings are just more context. If they sound instruction-like enough, they can hijack the task or try to extract hidden context.

If you want the image-and-interface version of that same problem, read our visual prompt injection guide. It focuses on screenshots, imported images, rendered pages, and other visual inputs that models can read through OCR-like capabilities.

That is also why intake inspection matters. If you only review the human-visible surface, you may miss the text the model will actually see. The risk is not only "bad content on the web." It is any gap between the trusted workflow and the full parser-visible input reaching the model.

What the best examples have in common

The best prompt injection examples look different on the surface, but the mechanics stay consistent. Third-party content enters the workflow. The content includes instruction-like text. The model gives that text more authority than it should. The output then shifts into one of two familiar directions: prompt hijacking or prompt extraction.

Webpage and listing examples usually hijack ranking, recommendation, or summarization.
Email and browser-agent examples often escalate into data exposure or unintended actions.
Document examples exploit the fact that extracted text may differ from the rendered page a human reviewed.
Tool-output examples show that the attack can ride through retrieval systems, not just direct chat input.
Metadata and parser-visible text explain why the examples can be hard to spot during normal review.

If you keep those common traits in mind, most new examples become easier to classify. Ask two questions: where did the content come from, and what was the attacker trying to change? If the answer is "outside content changed the model's behavior" or "outside content tried to reveal hidden context," you are usually looking at prompt injection.

How to reduce risk in practice

OpenAI's recent guidance points in the same practical direction across both articles: use layered defenses, narrow the task, reduce access, and add review steps for consequential actions. The user-side version is straightforward even for non-specialists.

Treat webpages, emails, documents, and tool output as untrusted input by default.
Give agents explicit, well-scoped tasks instead of broad instructions that let hidden content steer the workflow.
Limit logged-in access and tool permissions so a bad model decision cannot do too much damage.
Require confirmation before sending messages, exposing private data, or taking other high-impact actions.
Inspect AI-bound files and URLs before they enter a model or agent workflow.

That last step is where Veridicus Scan fits. If prompt injection examples often arrive through webpages, files, redirects, extracted text, and parser-visible artifacts, a sensible control is to inspect the content before handoff. The pages on coverage, URL scanning, and report exports show how that intake layer can help surface hidden instructions, suspicious metadata, and parser-visible drift before the model sees them.

If you want the full operator checklist after reading examples, see our guide to reducing prompt injection risk. It covers approvals, narrowed tasks, least privilege, and evaluation tradeoffs in more detail.

FAQ

What is a prompt injection example?

A prompt injection example is any case where third-party content includes instructions that an AI was supposed to read as data but instead follows as commands. The content might be a webpage, email, PDF, search result, or tool response.

Can a normal webpage or email contain prompt injection?

Yes. Some of the clearest official examples involve ordinary listings, reviews, emails, and documents. The attack does not need to look exotic. It only needs a path into the model's context and wording that pushes the model off task.

Are prompt injection examples always invisible to humans?

No. Some are visible but easy to overlook or dismiss as ordinary content. Others can live in parser-visible fields such as comments, copied text layers, metadata, or extracted text that humans do not normally review.

Why do prompt injection examples matter more for agents?

Because the failure can become an action. Once an agent can browse, search inboxes, open documents, or send messages, a hidden instruction can trigger data exposure or the wrong workflow step instead of only a bad answer. If you want the terminology boundary after reading examples, see our prompt injection vs jailbreaking guide.