Design partner: securing multi-agent routing + plugin hijack in Semantic Kernel

[aeris-systems]

Hi Semantic Kernel team,

SK’s plugin model + planners are a great abstraction for building real multi-agent apps. That power also creates a new class of security failure modes that many teams are only now discovering.

I’m Alex (aeris-systems), ex‑VP Eng at Cloudflare (18y security). I built Aeris PromptShield (OSS) — prompt injection detection focused on agentic systems (indirect injection, instruction override, obfuscation, and tool-manipulation).

Security gap I’m seeing in the wild: in multi-agent / routed setups, untrusted context can manipulate:

• routing / delegation (“send this to agent B”, “switch to planner X”),
• plugin/tool selection (coercing the model to invoke a sensitive plugin),
• plugin arguments (data exfiltration, over-broad queries, SSRF-style fetches),
• and even “prompt-level” plugin hijack where the model is tricked into treating untrusted text as higher-priority instructions.

Design-partner proposal: work with SK maintainers on a clean, idiomatic integration point (filters/middleware around function invocation and/or prompt assembly) that:

• scans retrieved context before it reaches planners/agents,
• detects instruction-override + tool-manipulation patterns before calling plugins,
• produces structured audit metadata (what was detected + confidence) for enterprise compliance.

If you think this is useful, I’d be happy to contribute an end-to-end sample (C# + Python) showing hardened multi-agent routing and plugin invocation.

— Alex
https://github.com/aeris-systems/aeris-promptshield

[aeris-systems]

@outreach/semantic-kernel/discussion-comment.md