prompt-injection-defense
Prompt Injection Defense
Defend the agent's instruction and context surface against adversarial content:
text engineered so a human reviewer sees one thing while the model reads another.
The vector is Unicode that is invisible, direction-altering, or visually misleading
in normal Latin script - hidden in the files an agent treats as authority (CLAUDE.md,
AGENTS.md, SKILL.md, .cursorrules), in MCP tool descriptions, and in any content
pulled into context at runtime (web fetches, issue bodies, dependency READMEs).
Helps with
Auditing an instruction file you didn't write - a CLAUDE.md, AGENTS.md,
.cursorrules, or SKILL.md arriving via a PR, a template, or a dependency - for
hidden instructions the diff review didn't show. scripts/scan-hidden-unicode.py.
Answering "is this file safe to read?" when something feels off but looks clean.
The danger is bytes the renderer hides: U+E0000-block tag characters (ASCII
smuggling) that encode a whole instruction yet display as nothing, or zero-width
spaces splitting a keyword.