Google ADK Security Defends Agents From Prompt Injection
- Indirect prompt injection ranks as the top risk for LLM applications per the OWASP Top 10.
- Google ADK employs five security layers to protect AI agents from external, malicious instructions.
- ADK plugins allow developers to screen tool responses globally across multiple agents before model execution.
Indirect prompt injection represents the number one security risk for LLM-based systems, categorized as LLM01:2025 in the OWASP Top 10 for LLM Applications. Unlike direct injection through the user's own prompt, this attack places malicious instructions in content an agent retrieves from external sources such as documents or tool outputs. Because agents act on what they retrieve, they can inadvertently execute unauthorized actions, such as processing fraudulent financial transactions, without any direct user input. Traditional content filters often fail against these threats because the injected text appears benign in isolation; whether it is an attack depends on the context in which the agent reads it.
Google's Agent Development Kit (ADK) addresses these vulnerabilities by integrating security directly into the framework architecture rather than relying on bolt-on filters. The security framework utilizes five layers: identity and authorization management; guardrails for screening model and tool inputs; sandboxed code execution; comprehensive evaluation and tracing of tool calls; and network controls like VPC Service Controls to prevent data exfiltration. The ADK architecture emphasizes consistency, ensuring security policies are enforced across all agents managed by a runner.
Plugins in the ADK provide a mechanism to enforce security globally across multiple agents. By registering a plugin on an agent runner, developers can intercept interactions, such as using the after_tool_callback hook to inspect and validate tool responses before the agent processes them. This approach overcomes scaling challenges, as one registration protects all agents managed by that runner. Additionally, the framework supports tool context policies that function independently of the model, allowing developers to set hard constraints, such as refund caps, that the AI cannot override even if manipulated by an external prompt.
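The two mechanisms described above, a tool-response screen in the shape of an after-tool hook and a refund cap enforced in code rather than in the prompt, as an added example. This is not code from the ADK project: the hook signature, the regex heuristics and the cap value are assumptions made for illustration.

```python
import re
from typing import Optional

# Heuristics for text that addresses the model instead of the user
# (constructed for this example; production filters would add a
# classifier or the framework's built-in content filters).
_INSTRUCTION_PATTERNS = [
    re.compile(r"ignore (all |any )?(previous|prior|above) instructions", re.I),
    re.compile(r"\b(system prompt|you are now|new instructions?)\b", re.I),
    re.compile(r"\bdo not (tell|inform) the user\b", re.I),
]

REFUND_CAP = 100.00  # hard limit that lives in code, not in the prompt (assumed value)


def find_instruction(text: str) -> Optional[str]:
    """Return the first instruction-like phrase found in text, or None."""
    for pattern in _INSTRUCTION_PATTERNS:
        match = pattern.search(text)
        if match:
            return match.group(0)
    return None


def after_tool_callback(tool_name: str, result: dict) -> Optional[dict]:
    """Screen a tool response before the model sees it (assumed hook shape:
    return None to pass the original through, or a replacement dict)."""
    for field, value in result.items():
        if isinstance(value, str):
            hit = find_instruction(value)
            if hit is not None:
                # Quarantine the whole response so the model never reads it.
                return {
                    "status": "quarantined",
                    "tool": tool_name,
                    "field": field,
                    "reason": f"instruction-like content: {hit!r}",
                }
    return None


def process_refund(order_id: str, amount: float) -> dict:
    """Refund tool whose cap is a code-level policy; a manipulated model
    cannot raise it no matter what the retrieved content asks for."""
    if amount <= 0 or amount > REFUND_CAP:
        return {"status": "denied", "order_id": order_id,
                "reason": f"amount {amount:.2f} outside 0..{REFUND_CAP:.2f}"}
    return {"status": "ok", "order_id": order_id, "refunded": round(amount, 2)}
```

Registering the screen once on the runner, rather than on each agent, is what gives the global coverage the text describes.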
Production-ready agent deployment requires adhering to a structured security implementation strategy. Essential practices include enabling content filters explicitly, managing credentials through secure vaults rather than session state, and sanitizing model-generated HTML or JavaScript before rendering. The ADK, available in languages including Python, TypeScript, Go, Java, and Kotlin, provides unified safety guidance and documentation for developers looking to audit their production systems. Engineers are advised to utilize the provided 10-item security checklist to evaluate their specific agent implementations for vulnerabilities across the five defined layers.