Live: https://agent-probe.vercel.app
Scans AI-powered chatbots embedded on websites for prompt injection vulnerabilities β the way a real attacker would, through the browser.
Enter a URL, and a browser agent navigates to the site, detects the chat widget, and runs 20 priority-sampled attacks from a pool of 45 research-backed payloads across 6 categories. Claude judges each response and produces an AβF vulnerability report.
User β Vercel (Next.js frontend) β Railway (FastAPI backend) β Browserbase/Stagehand (browser) β Target website
β Anthropic Claude (LLM judge)
β Google Gemini (browser automation)
- FastAPI β WebSocket scan orchestration, report generation
- Stagehand SDK + Gemini 2.5 Flash β browser automation via Browserbase (find widgets, type messages, read responses)
- Claude Sonnet 4.6 β judges each chatbot response as VULNERABLE / PARTIAL / RESISTANT
- 45 research-backed attacks across 6 categories with priority rankings (20 sampled per scan)
- Next.js + Tailwind β scan input, real-time progress feed, vulnerability report
- WebSocket β streams scan events live (attack details, verdicts, timing)
- Rich report β expandable findings with payload, response, verdict, and reference links
6 categories derived from the OWASP Top 10 for LLM Applications, focused on vulnerabilities testable through black-box prompt injection:
| Category | OWASP Mapping | What it tests |
|---|---|---|
| System Prompt Extraction | LLM01: Prompt Injection | Can the chatbot be tricked into revealing its hidden instructions or system prompt? |
| Goal Hijacking | LLM01: Prompt Injection | Can the chatbot be redirected to perform unintended tasks or ignore its original purpose? |
| Data Leakage | LLM06: Sensitive Information Disclosure | Does the chatbot expose internal data, credentials, RAG sources, or architecture details? |
| Guardrail Bypass | LLM01 + LLM07: Insecure Plugin Design | Can safety filters and topic restrictions be circumvented via encoding, roleplay, or emotional manipulation? |
| Insecure Output Handling | LLM02: Insecure Output Handling | Could the chatbot's output be exploited for XSS, markdown injection, or phishing? |
| Indirect Prompt Injection | LLM01: Prompt Injection | Is the chatbot susceptible to hidden instructions embedded in content it retrieves or processes? |
Each category is weighted by real-world threat severity:
| Category | Weight |
|---|---|
| System Prompt Extraction | 0.25 |
| Data Leakage | 0.20 |
| Indirect Prompt Injection | 0.20 |
| Goal Hijacking | 0.15 |
| Insecure Output Handling | 0.10 |
| Guardrail Bypass | 0.10 |
Grades: A (0β0.1), B (0.1β0.3), C (0.3β0.5), D (0.5β0.7), F (0.7β1.0)
- Python 3.11+
- Node.js 18+
- Anthropic API key
- Google API key (for Gemini / Stagehand)
- Browserbase API key + project ID
cd backend
python -m venv .venv
source .venv/bin/activate
pip install fastapi "uvicorn[standard]" playwright anthropic websockets python-dotenv httpx stagehand
# Create .env with your keys
cp .env.example .env
# Edit .env with your API keys
uvicorn main:app --port 8000 --reloadcd frontend
npm install
npm run devVisit http://localhost:3000
Both services auto-deploy from main branch on push to GitHub.
- URL: https://cornell-ai-hack-production.up.railway.app
- Auto-deploys from
mainon push - Dockerfile:
backend/Dockerfile - Environment variables:
ANTHROPIC_API_KEYβ Claude judgeGOOGLE_API_KEYβ Stagehand (Gemini 2.5 Flash)BROWSERBASE_API_KEYBROWSERBASE_PROJECT_IDALLOWED_ORIGINS=https://agent-probe.vercel.app
- URL: https://agent-probe.vercel.app
- Auto-deploys from
mainon push - Root directory:
frontend - Environment variables:
NEXT_PUBLIC_WS_URL=wss://cornell-ai-hack-production.up.railway.app/ws/scan
# Make changes, commit, push β both services auto-deploy
git add -A && git commit -m "your changes" && git push origin mainAttack payloads sourced from:
Academic Research
- SPE-LLM β System Prompt Extraction (Zhang et al. 2025)
- Greshake et al. 2023 β "Not What You've Signed Up For" (Indirect Prompt Injection)
- HackAPrompt (Schulhoff et al. 2023)
- Many-Shot Jailbreaking (Anthropic, NeurIPS 2024)
- Persuasive Adversarial Prompts (ICLR 2025)
- Cognitive Overload (NAACL Findings 2024)
- Wei et al. 2023 β "Jailbroken: How Does LLM Safety Training Fail?"
- DSN β "Don't Say No" (2024)
- Effective Prompt Extraction (Zhang et al. 2023)
- Virtual Context / Special Token Injection (2024)
Industry & Standards
