Very interesting research. I would be interested to know how closed source AI labs implement the role thing in their inference. Is it still only a separation token? Frontier closed source LLMs are quite good at flagging any spoofing attempt from tool call results.

However, in some prompt injection experiments [0], I found it's possible to "derail" the user intent only with tool call results, here are some tricks:

* Frame the injection as a challenge. * Always use "soft" instructions ("You may", "Try to", ...). Hard instructions are almost always flagged. * Force the model to do multiple tool calls. * Bloat the context. * In the injection payload, better use LLM output (which correlates somehow with this research). I like using LLM generated poems but that's probably irrelevant. * Use multiple encoding steps to force the model to use tools, but this may be detected by the external guardrails (Anthropic does this in my experience). * Hide malicious code payload from the model context. * Last but not least, understand the agent harness used and its weaknesses (e.g., in OpenClaw, they injected emails as user message - not tool call results [1]).

[0] https://itmeetsot.eu/posts/2026-06-14-yolo_harness/ [1] https://itmeetsot.eu/posts/2026-02-02-openclaw_mail_rce/