LLM application security testing framework — prompt injection, multimodal attacks, safety bypass, and indirect injection scanner

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for jfschoellkopf from gravatar.com jfschoellkopf

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Jake Schoellkopf
  • Tags ai-security , llm , mcp , multimodal , pentesting , prompt-injection , security , steganography
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

AICU

CI Python 3.10+ License: MIT

Black-box security scanner for LLM applications. Point it at any chat endpoint, get a report of what leaks.

AICU demo

AICU replays captured HTTP requests with adversarial payloads and evaluates whether the target discloses system prompts, internal tools, credentials, or responds to safety bypass attempts — no API keys or model access required.

Quick Start (2 minutes)

# Install
git clone https://github.com/Jake-Schoellkopf/aicu.git && cd aicu
pip install -e .

# Start the built-in vulnerable demo target
python demo_server.py &

# Run a full scan
aicu scan --request examples/demo_request.txt

What It Finds

Category Examples
Prompt Disclosure System prompt leakage via translation, repetition, reframing
Capability Leakage Tool names, API schemas, internal function exposure
Safety Bypass Roleplay, hypothetical, academic, completion tricks
Credential Exposure API keys, tokens, internal URLs leaked in responses
Multi-turn Escalation Crescendo-style attacks that build trust over turns
Indirect Injection Malicious payloads embedded in uploaded files
Harmful Content Phishing, malware generation, disinformation
Unauthorized Actions Privilege escalation, data exfiltration prompts
Multimodal Attacks Steganographic images, adversarial audio, hidden document layers

Multimodal Attack Engine

AICU generates 151 advanced adversarial payloads across vision, audio, and document modalities — no model access required.

Vision (48 payloads)

Technique Description
LSB Steganography Instructions encoded in least-significant bits of pixel data
Opacity Overlay Text composited at 2-5% alpha (invisible to humans, detected by VLMs)
EXIF/XMP Injection Payloads in image metadata fields parsed by LLM pipelines
Split Payload Instructions distributed across multiple images that reassemble in context

Audio (36 payloads)

Technique Description
Whisper Underlay Commands whispered at -30 to -40dB beneath foreground speech
Universal Mute Adversarial segments that suppress or hijack ASR transcription
Frequency Hiding FSK/spread-spectrum encoding in near-ultrasonic 15-20kHz band

Documents (67 payloads)

Technique Description
Font Remap PDF ToUnicode CMap manipulation — displays benign text, extracts as injection
White on White Invisible PDF layers: white text, 0.1pt font, off-page, zero-opacity
DOCX Hidden XML Vanish property, deleted revisions, hidden bookmarks, SDT controls, comments
Zero-Width Unicode Binary/4-bit encoding using invisible unicode characters in text 
# Generate all multimodal payloads
aicu multimodal

# Vision only
aicu multimodal --category vision

# Audio only
aicu multimodal --category audio

# Documents only
aicu multimodal --category documents

# Custom output directory
aicu multimodal --output-dir ./payloads_out

How It Works

  1. Capture a request to your LLM endpoint (Burp Suite, browser dev tools, curl)
  2. Save it as a raw HTTP file
  3. Run aicu scan --request req.txt
  4. Read the HTML/JSON/Markdown report with findings and evidence

AICU establishes a baseline response, then fires YAML-driven payloads (single-turn, multi-turn, file-based) and uses a strict multi-layer evaluator to classify results with minimal false positives.

Usage

# Full scan (recommended)
aicu scan --request req.txt

# Individual modes
aicu single-turn --request req.txt --best-of-n 10
aicu multi-turn --request req.txt
aicu safety --request req.txt --category safety_bypass
aicu indirect --request upload_req.txt
aicu multimodal --category vision

# With target profile
aicu scan --request req.txt --profile openai

Burp Suite Integration

  1. Capture a request in Burp (Proxy → HTTP history)
  2. Right-click → Copy to file → save as req.txt
  3. aicu scan --request req.txt

CI/CD

- name: LLM Security Scan
  run: aicu scan --request req.txt
  # Exit 0 = clean, 1 = confirmed findings, 2 = suspicious only

Target Profiles

Built-in: openai, anthropic, azure_openai, generic

Custom via YAML:

preset: openai
name: my_chatbot
response_path: choices[0].message.content
request_delay_ms: 200

False Positive Reduction

No external LLM needed for evaluation. AICU uses:

  • Payload echo detection
  • Baseline similarity comparison
  • Reflection/httpbin filtering
  • Entropy analysis
  • Refusal detection
  • Tiered confidence scoring

Output

Reports land in runs/run_<timestamp>/:

  • report.html — interactive HTML report
  • results.json — structured findings
  • report.md — markdown summary
  • evidence/ — raw response captures

Multimodal payloads land in runs/multimodal_<timestamp>/:

  • payloads/ — organized by category/technique/
  • manifest.json — full payload inventory with metadata
  • multimodal_summary.json — generation summary

Companion Tool

Tool Tests
AICU LLM applications (prompt injection, multimodal attacks, safety bypass)
AICU Agent MCP infrastructure (server probing, credential extraction, protocol attacks)

Install

pip install aicu-scanner    # from PyPI
# or
pip install -e .            # editable install from source
pip install -e ".[dev]"     # with test/lint tools

Run Tests

pytest -v

License

MIT

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for jfschoellkopf from gravatar.com jfschoellkopf

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Jake Schoellkopf
  • Tags ai-security , llm , mcp , multimodal , pentesting , prompt-injection , security , steganography
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

0.2.5

0.2.4

0.2.3

0.2.2

0.2.1

This version

0.2.0

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aicu_scanner-0.2.0.tar.gz (129.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

aicu_scanner-0.2.0-py3-none-any.whl (162.4 kB view details)

Uploaded Python 3

File details

Details for the file aicu_scanner-0.2.0.tar.gz.

File metadata

  • Download URL: aicu_scanner-0.2.0.tar.gz
  • Upload date:
  • Size: 129.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for aicu_scanner-0.2.0.tar.gz
Algorithm Hash digest
SHA256 251d37c36fd57c9ff5d0da46ce2405ade63b3397773d1298dc000597f2c12e74
MD5 1f71f9a77a32e3bce6cfd80af160f673
BLAKE2b-256 10fa577213cc4332b09ec4ace498ce57ba83578d49f57692185daffea689d267

See more details on using hashes here.

File details

Details for the file aicu_scanner-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: aicu_scanner-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 162.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for aicu_scanner-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 873cc7e11b6ff3702cf2eb0766a3786e7ba1e003852a84cd1e1fdff10f22923a
MD5 7fca035ecf8058fdc28fa0d943cbea02
BLAKE2b-256 96dc0f98a6c6b3df7908833010a3cc6714dca09eaefabf3bc0c83c349ada51c8

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page