detecting-indirect-prompt-injection

Installation
SKILL.md

Detecting Indirect Prompt Injection

Authorized-use-only notice: Scripts in this skill scan untrusted content for injection payloads and run detector models. Run scanning only on data you are authorized to process, and treat any extracted payloads as live untrusted input — never paste them back into a privileged LLM context.

Overview

Indirect prompt injection (MITRE ATLAS AML.T0051.001, OWASP LLM01:2025) occurs when an LLM-powered agent ingests external content — a web page it browses, a PDF or email it summarizes, an image it OCRs, a tool result it reads — and that content contains hidden instructions the model then follows as if they came from the developer or user. Because the agent treats all tokens in its context window as equally authoritative, an attacker who controls any consumed artifact can hijack the agent's behavior: exfiltrate conversation history, redirect tool calls, leak secrets, or pivot through connected systems.

Unlike direct injection (the user types the attack), indirect injection arrives through a trusted-looking data channel, which is why naive input filtering misses it. Payloads hide in many forms: HTML comments and display:none/zero-width text on web pages, white-on-white or tiny-font text in PDFs, alt-text and EXIF metadata in images, text rendered into pixels (invisible to OCR-light filters but read by multimodal models), Unicode tag/zero-width characters, and Base64/ROT13 obfuscation. This skill builds a detection pipeline that normalizes and scans every artifact before it reaches the model, combining heuristic/regex detection, dedicated detector models (Meta Prompt Guard 2, ProtectAI's deberta-v3 prompt-injection classifier via LLM Guard), and multimodal extraction for images, and then defines response actions and detection telemetry.

When to Use

  • When building or hardening an agent that browses the web, reads email, summarizes documents, or processes user-uploaded files/images.
  • When you need a content-sanitization gate in front of an LLM that ingests third-party data.
  • During AI red-team / blue-team exercises validating that injected instructions in retrieved artifacts are caught.
  • When investigating an incident where an agent behaved as if it received instructions you did not author.
  • As a CI/CD pre-ingestion scan for documents added to a knowledge base.

Prerequisites

Installs
16
GitHub Stars
24.8K
First Seen
12 days ago
detecting-indirect-prompt-injection — mukul975/anthropic-cybersecurity-skills