Problem

Problem statement

Most agents rely on a single prompt-level filter, which misses output-side leaks and tool-argument attacks entirely.

Stakes

Why it matters

Prompt injection against a tool-calling agent is consequential because the agent has privileges. Defense in depth — separate detection per boundary — is the only approach that holds up under red-team testing.

Threat Model

Threat model

  • Instruction override embedded in untrusted content.
  • Exfiltration encoded into tool arguments.
  • Secret echo in agent output.
  • Unauthorized tool calls triggered by injected instructions.
Architecture

Architecture

Three independent detection layers; any one can block or escalate. No single filter is load-bearing.

Features

Key features

  • Rule + classifier hybrid per boundary.
  • Category-level efficacy metrics.
  • Re-runnable eval suite for CI.
  • Configurable block-or-review thresholds.
  • Reproductions for every detected attack.
Controls

Guardrails & controls

Input-boundary detectionTool-argument validationOutput-boundary filtersBlock-or-review escalationCI eval pipeline
Testing

Test scenarios

  • Direct and indirect instruction override.
  • Exfil via URL, query string, and webhook arguments.
  • Secret echo and PII leak in outputs.
  • Multi-turn injection that builds across messages.
Workflow

Example workflow

01

Classify input

Untrusted content is scored before it reaches the agent.

02

Validate arguments

Tool calls are checked against schemas and exfil heuristics.

03

Scan output

Agent output is screened for secret echo and leakage.

04

Escalate

Above threshold, the call is blocked or routed to review and logged.

Stack

Tech stack

Language
Python 3.12
Models
OpenAI · local classifiers
Eval
Pytest-style suite
CI
GitHub Actions
Output
Category metrics + reproductions
Visuals

Screenshots

Visual placeholders. Replace with real screenshots and a demo video.

UI · DETECTION CONSOLE
DEMO · EVAL RESULTS
Lessons

Lessons learned

  • Tool-argument detection catches attacks the prompt filter never sees.
  • Efficacy must be measured per category, not as a single number.
  • An eval suite that the team owns matters more than a one-time test.
Roadmap

Future roadmap

  • Pluggable classifier backends.
  • Cross-tenant isolation checks.
  • Benchmark pack against published injection corpora.
Put this to work

Want this pattern in your stack?

This kit is a re-runnable eval suite for agent prompt-injection defense and is open work — get in touch if you're building something similar or want to compare notes.