Can Rovo Be Tricked by Malicious Files? [Champions Slack Insider]

Another great question from the Champions Slack—this one is from @Ciara Twomey Nielsen  goes straight to security and trust:

“If a file contains hidden malicious instructions, could Rovo be tricked into ignoring its safety rules?”

Short answer: No—but let’s unpack why.

First, clarify the model vs. the interface

Rovo is not the LLM. It’s the interface layer.

That matters because:

• It doesn’t blindly execute file content
• It orchestrates how content is retrieved, filtered, and sent to the model
• It applies Atlassian’s security, permission, and safety controls before anything reaches generation

So the risk model is different from “raw LLM prompt injection” scenarios you might see online.

What happens when a file is uploaded?

Files are not treated as executable prompts.

Instead, they go through:

• Filtering and scanning
• Indexing as content (not instructions)
• Permission checks via the Teamwork Graph

If malicious strings exist, they’re handled as data—not commands.

What about prompt injection attacks?

Prompt injection (e.g., “ignore previous instructions…”) is a known risk in AI systems.

Here’s how Rovo handles it:

• The model operates in a controlled, sandboxed environment
• System-level instructions cannot be overridden by user content
• Suspicious content may lead to refusal or safe fallback responses

In other words: The AI may ignore the malicious instruction—or decline to act on it—but it won’t adopt it as truth.

The controls that matter most

From Atlassian’s own security and AI guidance:

• “AI features cannot bypass product-level permissions.”
• “Generative AI actions are executed within a controlled environment with strict access checks.”

That means:

• If a user shouldn’t see it → Rovo won’t surface it
• If content is unsafe → Rovo may limit or refuse responses
• If instructions conflict with system rules → system rules win

Why customers ask this (and why it’s valid)

This question usually comes from exposure to general LLM risks. And they’re not wrong—prompt injection is real.

But here’s the nuance:

• Most public examples assume direct model access
• Rovo sits behind multiple layers of governance, permissions, and filtering

Different architecture → different risk profile

If you need “official documentation”

This is where things get a bit fragmented today. The answer lives across multiple areas:

• Atlassian Intelligence Trust & Safety
• Permissions & Access Controls
• Data Handling and AI Safety Controls
• Security, Privacy & Data Protection docs

For formal validation: Opening a support ticket is still the cleanest way to get a consolidated, customer-ready response.