Prompt injection is what happens when an agent treats fetched content as instructions. An attacker plants text in a web page, an issue, an email, or a tool result, and the agent, which cannot cleanly separate data from commands, obeys it. Underneath the new name it is the oldest bug in computing: mixing data and control.
There is no general fix. For an agent that takes real actions, the practical defense is posture, not cleverness: keep privileges low enough that obeying a malicious instruction does limited harm, gate the actions that spend money or move data, and treat every fetched input as untrusted. It is the third of the three trust boundaries (alongside skills and credentials) covered in ClawBlog’s agent-security work, and the reason ClawHavoc-style supply-chain risk is only half the threat model.