indirect-prompt-injection_skill

This skill detects and rejects indirect prompt injection in external content before processing, safeguarding goals and data.
  • Python

2.6k

GitHub Stars

2

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill openclaw/skills --skill indirect-prompt-injection

  • _meta.json312 B
  • SKILL.md3.6 KB

Overview

This skill detects and rejects indirect prompt injection attacks embedded in external content. It scans social posts, documents, emails, web pages, and uploads for manipulation, data-exfiltration attempts, obfuscation tricks, and social-engineering cues. The skill includes 20+ detection patterns, homoglyph detection, and sanitization scripts to prevent untrusted inputs from changing agent behavior.

How this skill works

Before any untrusted content is processed, the skill isolates and scans it using a library of pattern checks and heuristics. It detects direct-instruction phrases, goal-manipulation attempts, exfiltration requests, encoding/obfuscation techniques (base64, zero-width, homoglyphs), and social-engineering triggers. When suspicious content is found, it flags and quotes the offending segments instead of executing them, and returns a clear rejection or verification prompt.

When to use it

  • When ingesting social media posts, comments, or replies
  • When opening shared documents, attachments, or user-uploaded files
  • When scraping or reading web pages and external articles
  • When handling emails, chat logs, or third-party content streams
  • Before running any untrusted content through downstream processing or code execution

Best practices

  • Treat all external content as untrusted input and run automatic scans before processing
  • Preserve the original task intent; never let external content override system instructions
  • Quote suspicious content back to the human operator instead of executing it
  • Use sanitized, plain-text versions for downstream parsing and keep originals immutable for auditing
  • Integrate exit codes (0 clean, 1 suspicious) into CI and automation for gating

Example use cases

  • A chat agent receives a pasted forum thread with embedded directives that try to alter its goals—scan and flag before responding
  • An email attachment contains hidden base64 instructions—detect homoglyphs and zero-width characters and quarantine the attachment
  • A web scraper pulls user comments that include webhook URLs to exfiltrate data—identify and remove links before analysis
  • A document shared with a team contains 'override' lines meant to hijack the assistant—report the suspicious lines and ask for confirmation
  • Pre-process user-uploaded files in a web app to prevent downstream tools from executing embedded instructions

FAQ

It marks the content as suspicious, quotes the relevant text, ignores embedded instructions, and prompts the operator for confirmation before proceeding.

Can the scanner produce machine-readable results for automation?

Yes. The scripts support JSON output and exit codes for CI integration so automated systems can gate processing on clean results.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational