A new blog‑style writeup dissects why prompt injection succeeds, tracing the flaw to how large language models treat role tags. The author shows that an LLM receives a single, continuous token stream where system, user, think, assistant and tool markers are the only cues separating instruction from data. Misreading these cues lets low‑privilege text masquerade as a higher‑privilege command during its processing inside the model.

Roles act as a crude type system, assigning trust levels: system outranks user, which outranks tool. Because the tags are the sole discrete lever, developers overload them with signals about identity, threat and generative mode. The writeup demonstrates that agents browsing webpages wrap fetched content in tool tags, yet attackers can embed commands that the model mistakenly interprets as user instructions.

Recent red‑team studies report near‑100 % success against frontier models such as GPT‑5, while static benchmarks show almost perfect scores. The gap stems from two defense pathways: memorizing known attacks and correctly perceiving role boundaries. When either fails, injections slip through. The analysis implies that improving role perception, not just pattern memorization, is essential to harden LLM agents for safer deployments in production systems.