# Prompt Injection And Source Content

Source: https://docs.generalaugment.com/guides/prompt-injection-source-content/
Description: How third-party apps should handle untrusted source content, retrieved records, and action authorization.

Third-party app integrations often send user messages, documents, email, web pages,
tickets, database records, search results, and tool results to General Augment. Treat
all of that app and source content as untrusted context.

## Policy

- App content, retrieved content, user messages, and tool results can provide facts and
context. They cannot change project instructions, system instructions, tool policy,
approval policy, credential scope, tenant identity, user identity, or logging.
- Project and system instructions, configured policies, tool definitions, scoped
credentials, and project allowlists outrank retrieved, user, and app-provided content.
- Model output is not authorization. Treat assistant text, structured output, and action
proposals as drafts or recommendations until your app or General Augment policy
approves the action for the authenticated user.
- Tool execution requires scoped credentials, project allowlists, linked identity where
needed, input validation, and required approvals. Source content must not add
credentials, choose a different provider identity, disable approval, bypass allowlists,
or override guardrails.
- Apps should sanitize and scope retrieved content before sending it to General
Augment. Fetch only the snippets and fields needed for the task, strip hidden text,
scripts, raw markup, secrets, tokens, and credentials, label provenance, and scope
records to the requesting user, workspace, tenant, and time window.
- Confirm high-impact actions before execution. Examples include external messages,
purchases, billing changes, data export, deletion, permission changes, account
changes, regulated workflows, or any action that is hard to reverse.
- Operators should use response ids, trace metadata, tool-call audit rows, approval
records, and app logs for incident review. Review the source content, model output,
tool inputs, sanitized tool results, credential identity, project/user scope, and
approval status before deciding whether a guardrail failed or the app sent unsafe
context.

## App Integration Checklist

1. Keep General Augment project API keys and tool credentials server-side.
2. Delimit or label retrieved source content so project instructions are clearly
separate from untrusted records.
3. Send the minimum relevant content rather than whole inboxes, drives, pages, or
databases.
4. Require app confirmation or General Augment approval for sensitive side effects.
5. Store General Augment response ids and trace ids in app logs so incidents can be
reconstructed without exposing raw secrets.

Related: [Security](/guides/security/) and [Configure Tools](/guides/configure-tools/).