Skill Being Reviewed
Skill name: prompt-injection
Skill path: skills/ai-security/prompt-injection/
False Positive Analysis
Benign-looking external content pipeline that can be over-credited:
rag:
loaders:
- html
- pdf
- markdown
sanitize: true
provenance: true
prompt:
delimiter: "<retrieved_content>"Why this is a false positive:
The pipeline says it sanitizes and labels retrieved content, but the review does not prove hidden instructions are removed from HTML comments, CSS-hidden text, markdown image/link targets, PDF annotations, document metadata, OCR layers, email quoted text, or tool/API response fields. A delimiter does not prevent hidden external instructions from entering the model context.
Coverage Gaps
Missed variant 1: hidden HTML text reaches the prompt
Text extraction includes display:none, zero-size text, comments, alt text, or metadata without flagging it as untrusted.
Missed variant 2: markdown links become exfiltration or instruction channels
Retrieved markdown includes image URLs, link targets, or reference definitions with encoded instructions or data exfiltration endpoints.
Missed variant 3: PDF/email metadata bypasses visible-content review
PDF annotations, OCR layers, email quoted replies, headers, or attachment metadata are extracted into context even though they were not visible to the reviewer.
Edge Cases
- Alt text can be legitimate accessibility content, but it should be labeled as metadata and not elevated to instruction-equivalent content.
- Code blocks may contain examples with prompt-injection strings; review should preserve them as quoted data with provenance.
- Sanitization should be deterministic and evidence-backed, not only a prompt instruction telling the model to ignore hidden instructions.
Remediation Quality
Comparison to Other Tools
| Tool |
Catches this? |
Notes |
| HTML sanitizers |
Partial |
Remove dangerous tags, but may preserve hidden text or metadata depending on configuration. |
| Document loaders |
Partial |
Extract text but rarely distinguish visible body text from metadata, comments, OCR, or annotations. |
| Prompt delimiters |
No |
Delimiters label data but do not remove adversarial hidden instructions. |
Overall Assessment
Strengths: Strong coverage of direct/indirect injection sources, privilege escalation, data exfiltration, output filtering, and common pitfalls.
Needs improvement: Add concrete review evidence for external-content extraction pipelines so reviewers can verify which hidden, metadata, and non-visible fields enter the model context.
Priority recommendations:
- Add a hidden content sanitization checklist under indirect injection vectors.
- Require extraction provenance by field type: visible body, metadata, comments, hidden CSS, link target, OCR, annotation, quoted reply, and attachment metadata.
- Add output fields for loader behavior, sanitization proof, retained metadata, and residual prompt-injection risk.
Sources Checked
Bounty Info
Skill Being Reviewed
Skill name:
prompt-injectionSkill path:
skills/ai-security/prompt-injection/False Positive Analysis
Benign-looking external content pipeline that can be over-credited:
Why this is a false positive:
The pipeline says it sanitizes and labels retrieved content, but the review does not prove hidden instructions are removed from HTML comments, CSS-hidden text, markdown image/link targets, PDF annotations, document metadata, OCR layers, email quoted text, or tool/API response fields. A delimiter does not prevent hidden external instructions from entering the model context.
Coverage Gaps
Missed variant 1: hidden HTML text reaches the prompt
Text extraction includes
display:none, zero-size text, comments, alt text, or metadata without flagging it as untrusted.Missed variant 2: markdown links become exfiltration or instruction channels
Retrieved markdown includes image URLs, link targets, or reference definitions with encoded instructions or data exfiltration endpoints.
Missed variant 3: PDF/email metadata bypasses visible-content review
PDF annotations, OCR layers, email quoted replies, headers, or attachment metadata are extracted into context even though they were not visible to the reviewer.
Edge Cases
Remediation Quality
Comparison to Other Tools
Overall Assessment
Strengths: Strong coverage of direct/indirect injection sources, privilege escalation, data exfiltration, output filtering, and common pitfalls.
Needs improvement: Add concrete review evidence for external-content extraction pipelines so reviewers can verify which hidden, metadata, and non-visible fields enter the model context.
Priority recommendations:
Sources Checked
Bounty Info