LLM application security testing framework — prompt injection, multimodal attacks, safety bypass, and indirect injection scanner
Project description
AICU
Black-box security scanner for LLM applications. Point it at any chat endpoint, get a report of what leaks.
AICU replays captured HTTP requests with adversarial payloads and evaluates whether the target discloses system prompts, internal tools, credentials, or responds to safety bypass attempts.
Quick Start (2 minutes)
# Install
git clone https://github.com/Jake-Schoellkopf/aicu.git && cd aicu
pip install -e .
# Option 1: Scan with an API key (OpenAI, Azure, Ollama — no Burp needed)
aicu scan --api-key sk-your-key --model gpt-4o-mini
# Option 2: Scan via captured Burp request (Claude, custom apps)
aicu scan --request examples/demo_request.txt
# Option 3: Test against the built-in vulnerable demo
python demo_server.py &
aicu scan --request examples/demo_request.txt
API Key Mode (recommended for OpenAI/Azure/Ollama)
# OpenAI
aicu scan --api-key sk-... --model gpt-4o-mini
# Azure OpenAI
aicu scan --api-key your-azure-key --model gpt-4o --base-url https://your-resource.openai.azure.com
# Local Ollama (no key needed)
aicu scan --api-key dummy --model llama3.2 --base-url http://localhost:11434
Burp Proxy Mode (for web apps like Claude, custom chatbots)
# Capture a request in Burp, save to file, scan
aicu scan --request captured_request.txt
What It Finds
| Category | Examples |
|---|---|
| Prompt Disclosure | System prompt leakage via translation, repetition, reframing |
| Capability Leakage | Tool names, API schemas, internal function exposure |
| Safety Bypass | Roleplay, hypothetical, academic, completion tricks |
| Credential Exposure | API keys, tokens, internal URLs leaked in responses |
| Multi-turn Escalation | Crescendo-style attacks that build trust over turns |
| Indirect Injection | Malicious payloads embedded in uploaded files |
| Harmful Content | Phishing, malware generation, disinformation |
| Unauthorized Actions | Privilege escalation, data exfiltration prompts |
| Multimodal Attacks | Steganographic images, adversarial audio, hidden document layers |
Multimodal Attack Engine
AICU generates 151 advanced adversarial payloads across vision, audio, and document modalities — no model access required.
Vision (48 payloads)
| Technique | Description |
|---|---|
| LSB Steganography | Instructions encoded in least-significant bits of pixel data |
| Opacity Overlay | Text composited at 2-5% alpha (invisible to humans, detected by VLMs) |
| EXIF/XMP Injection | Payloads in image metadata fields parsed by LLM pipelines |
| Split Payload | Instructions distributed across multiple images that reassemble in context |
Audio (36 payloads)
| Technique | Description |
|---|---|
| Whisper Underlay | Commands whispered at -30 to -40dB beneath foreground speech |
| Universal Mute | Adversarial segments that suppress or hijack ASR transcription |
| Frequency Hiding | FSK/spread-spectrum encoding in near-ultrasonic 15-20kHz band |
Documents (67 payloads)
| Technique | Description |
|---|---|
| Font Remap | PDF ToUnicode CMap manipulation — displays benign text, extracts as injection |
| White on White | Invisible PDF layers: white text, 0.1pt font, off-page, zero-opacity |
| DOCX Hidden XML | Vanish property, deleted revisions, hidden bookmarks, SDT controls, comments |
| Zero-Width Unicode | Binary/4-bit encoding using invisible unicode characters in text |
# Generate all multimodal payloads
aicu multimodal
# Vision only
aicu multimodal --category vision
# Audio only
aicu multimodal --category audio
# Documents only
aicu multimodal --category documents
# Custom output directory
aicu multimodal --output-dir ./payloads_out
How It Works
- Capture a request to your LLM endpoint (Burp Suite, browser dev tools, curl)
- Save it as a raw HTTP file
- Run
aicu scan --request req.txt - Read the HTML/JSON/Markdown report with findings and evidence
AICU establishes a baseline response, then fires YAML-driven payloads (single-turn, multi-turn, file-based) and uses a strict multi-layer evaluator to classify results with minimal false positives.
Usage
# Full scan (recommended)
aicu scan --request req.txt
# Individual modes
aicu single-turn --request req.txt --best-of-n 10
aicu multi-turn --request req.txt
aicu safety --request req.txt --category safety_bypass
aicu indirect --request upload_req.txt
aicu multimodal --category vision
# With target profile
aicu scan --request req.txt --profile openai
Burp Suite Integration
- Capture a request in Burp (Proxy → HTTP history)
- Right-click → Copy to file → save as
req.txt aicu scan --request req.txt
CI/CD
- name: LLM Security Scan
run: aicu scan --request req.txt
# Exit 0 = clean, 1 = confirmed findings, 2 = suspicious only
Target Profiles
Built-in: openai, anthropic, azure_openai, generic
Custom via YAML:
preset: openai
name: my_chatbot
response_path: choices[0].message.content
request_delay_ms: 200
False Positive Reduction
No external LLM needed for evaluation. AICU uses:
- Payload echo detection
- Baseline similarity comparison
- Reflection/httpbin filtering
- Entropy analysis
- Refusal detection
- Tiered confidence scoring
Output
Reports land in runs/run_<timestamp>/:
report.html— interactive HTML reportresults.json— structured findingsreport.md— markdown summaryevidence/— raw response captures
Multimodal payloads land in runs/multimodal_<timestamp>/:
payloads/— organized bycategory/technique/manifest.json— full payload inventory with metadatamultimodal_summary.json— generation summary
Companion Tool
| Tool | Tests |
|---|---|
| AICU | LLM applications (prompt injection, multimodal attacks, safety bypass) |
| AICU Agent | MCP infrastructure (server probing, credential extraction, protocol attacks) |
Install
pip install aicu-scanner # from PyPI
# or
pip install -e . # editable install from source
pip install -e ".[dev]" # with test/lint tools
Run Tests
pytest -v
License
MIT
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
aicu_scanner-0.2.5.tar.gz
(136.6 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
aicu_scanner-0.2.5-py3-none-any.whl
(180.0 kB
view details)
File details
Details for the file aicu_scanner-0.2.5.tar.gz.
File metadata
- Download URL: aicu_scanner-0.2.5.tar.gz
- Upload date:
- Size: 136.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
dd8af03ce2dcbaae88a62772d539ab727c95d2edce9fda6837004edf7b8ac49e
|
|
| MD5 |
c173eead1fee1daefeb10c6b34fe6be3
|
|
| BLAKE2b-256 |
19b9ab1145d18b3217c601cd4315ece25e6adf5edd6f3cbb0334595a3e9b6f13
|
File details
Details for the file aicu_scanner-0.2.5-py3-none-any.whl.
File metadata
- Download URL: aicu_scanner-0.2.5-py3-none-any.whl
- Upload date:
- Size: 180.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9859fe34e8b8550ed0e49323b9cd15fd23806ad60a202ac31cebdee053dc77c3
|
|
| MD5 |
2374976761b99066bb9a35d593027ad5
|
|
| BLAKE2b-256 |
e0afe69c364d209ed9f6b50e432230bd08b8514ecd638495d8c3579edf09d186
|
