LLM application security testing framework — prompt injection, multimodal attacks, safety bypass, and indirect injection scanner

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for jfschoellkopf from gravatar.com jfschoellkopf

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Jake Schoellkopf
  • Tags ai-security , llm , mcp , multimodal , pentesting , prompt-injection , security , steganography
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

AICU

CI Python 3.10+ License: MIT

Black-box security scanner for LLM applications. Point it at any chat endpoint, get a report of what leaks.

AICU demo

AICU replays captured HTTP requests with adversarial payloads and evaluates whether the target discloses system prompts, internal tools, credentials, or responds to safety bypass attempts — no API keys or model access required.

Quick Start (2 minutes)

# Install
git clone https://github.com/Jake-Schoellkopf/aicu.git && cd aicu
pip install -e .

# Start the built-in vulnerable demo target
python demo_server.py &

# Run a full scan
aicu scan --request examples/demo_request.txt

What It Finds

Category Examples
Prompt Disclosure System prompt leakage via translation, repetition, reframing
Capability Leakage Tool names, API schemas, internal function exposure
Safety Bypass Roleplay, hypothetical, academic, completion tricks
Credential Exposure API keys, tokens, internal URLs leaked in responses
Multi-turn Escalation Crescendo-style attacks that build trust over turns
Indirect Injection Malicious payloads embedded in uploaded files
Harmful Content Phishing, malware generation, disinformation
Unauthorized Actions Privilege escalation, data exfiltration prompts
Multimodal Attacks Steganographic images, adversarial audio, hidden document layers

Multimodal Attack Engine

AICU generates 151 advanced adversarial payloads across vision, audio, and document modalities — no model access required.

Vision (48 payloads)

Technique Description
LSB Steganography Instructions encoded in least-significant bits of pixel data
Opacity Overlay Text composited at 2-5% alpha (invisible to humans, detected by VLMs)
EXIF/XMP Injection Payloads in image metadata fields parsed by LLM pipelines
Split Payload Instructions distributed across multiple images that reassemble in context

Audio (36 payloads)

Technique Description
Whisper Underlay Commands whispered at -30 to -40dB beneath foreground speech
Universal Mute Adversarial segments that suppress or hijack ASR transcription
Frequency Hiding FSK/spread-spectrum encoding in near-ultrasonic 15-20kHz band

Documents (67 payloads)

Technique Description
Font Remap PDF ToUnicode CMap manipulation — displays benign text, extracts as injection
White on White Invisible PDF layers: white text, 0.1pt font, off-page, zero-opacity
DOCX Hidden XML Vanish property, deleted revisions, hidden bookmarks, SDT controls, comments
Zero-Width Unicode Binary/4-bit encoding using invisible unicode characters in text 
# Generate all multimodal payloads
aicu multimodal

# Vision only
aicu multimodal --category vision

# Audio only
aicu multimodal --category audio

# Documents only
aicu multimodal --category documents

# Custom output directory
aicu multimodal --output-dir ./payloads_out

How It Works

  1. Capture a request to your LLM endpoint (Burp Suite, browser dev tools, curl)
  2. Save it as a raw HTTP file
  3. Run aicu scan --request req.txt
  4. Read the HTML/JSON/Markdown report with findings and evidence

AICU establishes a baseline response, then fires YAML-driven payloads (single-turn, multi-turn, file-based) and uses a strict multi-layer evaluator to classify results with minimal false positives.

Usage

# Full scan (recommended)
aicu scan --request req.txt

# Individual modes
aicu single-turn --request req.txt --best-of-n 10
aicu multi-turn --request req.txt
aicu safety --request req.txt --category safety_bypass
aicu indirect --request upload_req.txt
aicu multimodal --category vision

# With target profile
aicu scan --request req.txt --profile openai

Burp Suite Integration

  1. Capture a request in Burp (Proxy → HTTP history)
  2. Right-click → Copy to file → save as req.txt
  3. aicu scan --request req.txt

CI/CD

- name: LLM Security Scan
  run: aicu scan --request req.txt
  # Exit 0 = clean, 1 = confirmed findings, 2 = suspicious only

Target Profiles

Built-in: openai, anthropic, azure_openai, generic

Custom via YAML:

preset: openai
name: my_chatbot
response_path: choices[0].message.content
request_delay_ms: 200

False Positive Reduction

No external LLM needed for evaluation. AICU uses:

  • Payload echo detection
  • Baseline similarity comparison
  • Reflection/httpbin filtering
  • Entropy analysis
  • Refusal detection
  • Tiered confidence scoring

Output

Reports land in runs/run_<timestamp>/:

  • report.html — interactive HTML report
  • results.json — structured findings
  • report.md — markdown summary
  • evidence/ — raw response captures

Multimodal payloads land in runs/multimodal_<timestamp>/:

  • payloads/ — organized by category/technique/
  • manifest.json — full payload inventory with metadata
  • multimodal_summary.json — generation summary

Companion Tool

Tool Tests
AICU LLM applications (prompt injection, multimodal attacks, safety bypass)
AICU Agent MCP infrastructure (server probing, credential extraction, protocol attacks)

Install

pip install aicu-scanner    # from PyPI
# or
pip install -e .            # editable install from source
pip install -e ".[dev]"     # with test/lint tools

Run Tests

pytest -v

License

MIT

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for jfschoellkopf from gravatar.com jfschoellkopf

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Jake Schoellkopf
  • Tags ai-security , llm , mcp , multimodal , pentesting , prompt-injection , security , steganography
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

0.2.5

This version

0.2.4

0.2.3

0.2.2

0.2.1

0.2.0

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aicu_scanner-0.2.4.tar.gz (136.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

aicu_scanner-0.2.4-py3-none-any.whl (179.7 kB view details)

Uploaded Python 3

File details

Details for the file aicu_scanner-0.2.4.tar.gz.

File metadata

  • Download URL: aicu_scanner-0.2.4.tar.gz
  • Upload date:
  • Size: 136.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for aicu_scanner-0.2.4.tar.gz
Algorithm Hash digest
SHA256 78233b31d4e01765e67c248d464aa210198af7b7ca903c60ea92a1bd9778559e
MD5 5f49be55e8e7d7e71e8eb12b764d5a98
BLAKE2b-256 7fe9ebc0a9fe0d423c3fdca7f2642908a903a2415936376cc9de5055ace087c2

See more details on using hashes here.

File details

Details for the file aicu_scanner-0.2.4-py3-none-any.whl.

File metadata

  • Download URL: aicu_scanner-0.2.4-py3-none-any.whl
  • Upload date:
  • Size: 179.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for aicu_scanner-0.2.4-py3-none-any.whl
Algorithm Hash digest
SHA256 81b6716f225773b39ed88641a1fc9ed62db3092b05e8bee6f231c5f5edea5f18
MD5 c7136a20611bfb607f6b80cbc8a3dad0
BLAKE2b-256 fbbb980c4df1aa13307afd10f2b04f82e42630ed9e35c01220edccf3ebd172d1

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page