Quarantine Untrusted Tokens

The principle

The Dual-LLM pattern splits the agent in two. A privileged model holds the tools and plans actions but never sees untrusted content. A quarantined model processes the tainted data but has no tools and returns only opaque variables. The privileged model directs the quarantined one without ever ingesting the bytes that could carry an injection. The separation is what makes it safe.

Why it happens

Quarantine works by topology, not by detection. A low-privilege component reads the untrusted page, email, or document and returns structured values. The privileged planner never sees the raw prose; it works with references, ids, labels, or typed fields. That means the attack text has no direct path into the context that chooses tools. CaMeL takes this further with capability tracking in a constrained interpreter. The pattern is powerful but heavier to build, so reserve it for workflows where untrusted content and privileged actions would otherwise meet.

Watch for

• The same model instance both reads scraped or user-supplied content and decides which privileged tools to call.
• Raw untrusted text flows directly into the context that holds tool access.
• There is no structured boundary forcing untrusted content to become opaque variables before the planner sees it.

Apply it

1. Separate the component that reads untrusted content from the component that can take privileged actions.
2. Have the reader return only structured, opaque results (ids, labels, typed fields), never raw text the planner ingests.
3. Let the privileged planner orchestrate by reference, so an injection in the source has no foothold in the acting context.

Sources and further reading

• Design Patterns for Securing LLM Agents against Prompt Injection · Simon Willison, 2025
• Defeating Prompt Injections by Design (CaMeL) · Debenedetti et al. (Google DeepMind), 2025
• Design Patterns for Securing LLM Agents against Prompt Injections · Beurer-Kellner et al., 2025