Polymarket annotation injection

Server-rendered third-party content that LLMs ingest via web search can carry indirect prompt-injection and social-engineering payloads, expanding the attack surface for AI assistants.

The author found injected annotations on a Polymarket event page that are rendered server-side and therefore visible to LLMs via web_search even when hidden in the browser. A planted annotation (source 'grok') contained a fake emergency-rate-cut message directing users to withdraw funds at a phishing-style domain, representing an indirect prompt-injection vector through Polymarket's annotation API endpoints. Claude's web search saw the content but correctly flagged it as phishing.