Detect Indirect Prompt Injection attacks before your LLM reads them
Project description
IPI-Scanner 🔒
Detect Indirect Prompt Injection attacks before your LLM reads them.
IPI-Scanner is an open-source security tool that identifies hidden attack instructions embedded in documents, emails, PDFs, and web content before they reach your AI system. Using a 3-tier detection approach, it catches 85%+ of known IPI attacks with minimal false positives.
The Problem
Indirect Prompt Injection (IPI) doesn't target the prompt—it targets the data your AI ingests: webpages, PDFs, MCP metadata, RAG docs, emails, memory, and code. An attacker can poison a document that your RAG system later retrieves, and when your LLM reads it, hidden instructions execute silently.
Real incidents:
- Perplexity Comet: Invisible text in Reddit posts leaked user passwords
- EchoLeak: Compliance-framed emails exfiltrated data
- HashJack: Malicious URL fragments steered AI summaries
- CVE-2025-59944: Configuration poisoning enabled RCE
- Zero-Click MCP RCE: Compromised metadata executed code
Cost: $2.3B in global losses. OWASP LLM01:2025 lists prompt injection as the #1 vulnerability.
How IPI-Scanner Works
3-Tier Detection
Tier 1: Pattern Matching (Fast)
- 50+ regex patterns for known attack signatures
- Detection in <100ms per document
- No API calls required
- Accuracy: 60-80%
Tier 2: Semantic Analysis (Accurate)
- Optional Claude analysis for borderline cases
- Confidence scoring for ambiguous patterns
- Accuracy: 75-85%
Tier 3: Simulation (Proof)
- Optional: test if attacks actually execute
- Validates high-confidence findings
- Accuracy: 90%+
Installation
pip install ipi-scanner
Or from source:
git clone https://github.com/username/ipi-scanner
cd ipi-scanner
pip install -e .
Quick Start
Scan a single document:
ipi-scan document.pdf
Scan a directory:
ipi-scan ./documents/ --recursive
Strict detection mode:
ipi-scan document.pdf --mode strict
JSON output (for automation):
ipi-scan document.pdf --output json
HTML dashboard:
ipi-scan ./documents/ --output html --output-file report.html
With context multipliers:
# RAG pipeline context (1.5x risk multiplier)
ipi-scan document.pdf --context rag
# Agent with tool access (2.0x risk multiplier)
ipi-scan document.pdf --context agent
# Critical (API access, 2.5x risk multiplier)
ipi-scan document.pdf --context critical
Output
CLI (Default)
🔴 document.pdf
Risk Score: 68/100 (Orange)
Size: 245.3 KB
Type: pdf
Threats (3 detected):
• Data Exfiltration (95%) @ line 12
→ "send all data to attacker.com"
• Context Manipulation (85%) @ line 8
→ "Based on the following guidelines..."
• Auth Bypass (78%) @ line 15
→ "Skip the verification step"
🟠 REVIEW: Check before RAG ingestion
JSON
{
"file": "document.pdf",
"doc_type": "pdf",
"status": "success",
"risk_assessment": {
"score": 68,
"level": "Orange",
"recommendation": "REVIEW: Check before RAG ingestion",
"confidence": 0.86,
"threats": [
"Data Exfiltration (95%) @ line 12"
]
},
"detections": [
{
"category": "data_exfiltration",
"confidence": 0.95,
"match": "send all data to attacker.com",
"location": "line 12"
}
]
}
HTML Dashboard
Beautiful visual dashboard with risk meters, threat lists, and recommendations.
Risk Levels
| Level | Score | Action |
|---|---|---|
| 🔴 Red | 75-100 | BLOCK - Do not feed to LLM |
| 🟠 Orange | 50-74 | REVIEW - Check before RAG ingestion |
| 🟡 Yellow | 25-49 | CAUTION - Monitor for suspicious behavior |
| 🟢 Green | 0-24 | SAFE - Proceed normally |
What It Detects
Critical (40 points each)
- ✅ Data exfiltration attempts
- ✅ Credential/API key extraction
- ✅ Sensitive file access requests
High (25 points each)
- ✅ System prompt override
- ✅ Context manipulation
- ✅ Authentication bypass
Medium (10 points each)
- ✅ URL fragment injection (HashJack)
- ✅ Hidden/steganographic instructions
- ✅ Policy override attempts
- ✅ Social engineering
Low (5 points each)
- ✅ Tool execution manipulation
- ✅ Memory poisoning
- ✅ Citation injection
- ✅ Temporal/conditional overrides
What It Doesn't Detect
- ❌ Novel attacks (not in training patterns)
- ❌ Non-English text (patterns optimized for English)
- ❌ Adversarial images (without OCR)
- ❌ Subtle semantic attacks (use Tier 2 with Claude)
API Usage
from ipi_scanner import Scanner
# Initialize
scanner = Scanner(mode='balanced')
# Scan single file
result = scanner.scan_file('document.pdf')
# Access results
print(f"Risk Score: {result['risk_assessment']['score']}")
print(f"Recommendation: {result['risk_assessment']['recommendation']}")
# Scan with context
result = scanner.scan_file(
'document.pdf',
context={
'rag_pipeline': True,
'agent_tool_access': True
}
)
# Batch scan
results = scanner.batch_scan([
'file1.pdf',
'file2.txt',
'file3.email'
])
print(f"High risk files: {len(results['high_risk_files'])}")
Supported Formats
- Documents: PDF, TXT, MD, RST, HTML
- Email: EML (MIME format)
- Images: PNG, JPG, JPEG, GIF, WEBP (with optional OCR)
Performance
- Single file (pattern matching): <500ms
- Directory (10 files): ~5 seconds
- Memory: <50MB baseline
- Large documents: Handles 100MB+ files
Testing
Run the test suite:
pytest tests/ -v
With coverage:
pytest tests/ --cov=ipi_scanner --cov-report=html
Run CVE validation tests:
pytest tests/test_real_cves.py -v
Validation
IPI-Scanner has been validated against real attack examples:
- ✅ EchoLeak (Microsoft Copilot RCE) - Detected ✓
- ✅ HashJack (URL fragment injection) - Detected ✓
- ✅ Perplexity Comet (invisible text) - Detected ✓
- ✅ CVE-2025-53773 (GitHub Copilot) - Detected ✓
- ✅ Google Gemini Calendar (invite injection) - Detected ✓
- ✅ ChatGPT Google Drive (file extraction) - Detected ✓
- ✅ Zero-Click MCP RCE (metadata poisoning) - Detected ✓
Expected detection rate: 85%+ on known attacks Expected false positive rate: <5% on benign documents
Sensitivity Modes
Balanced (default):
- Keep patterns with confidence ≥65%
- Good mix of detection and accuracy
- Recommended for most use cases
Strict:
- Keep all patterns
- Highest detection rate
- May have more false positives
Permissive:
- Keep only high confidence (≥80%)
- Lowest false positive rate
- May miss some real attacks
Context Multipliers
Increase risk score based on deployment context:
context = {
'untrusted_source': True, # Email, web, external (1.3x)
'rag_pipeline': True, # Being ingested into RAG (1.5x)
'agent_tool_access': True, # Agent can execute tools (2.0x)
'agent_api_access': True # Agent can make API calls (2.5x)
}
result = scanner.scan_file('document.pdf', context=context)
# Score multiplied by: 1.3 × 1.5 × 2.0 × 2.5 = 9.75x
Limitations
- Pattern-based: Misses novel attack variations
- English optimized: Patterns tuned for English text
- No active scanning: Detects static text, not runtime behavior
- No context isolation: Assumes your LLM processes untrusted content
Roadmap
-
v0.1.0 (current)
- Pattern matching detection
- Document parsing
- Risk scoring
- CLI + HTML output
-
v0.2.0 (next)
- Claude semantic analysis (Tier 2)
- Multi-language support
- Custom pattern loading
-
v0.3.0 (future)
- Simulation-based validation (Tier 3)
- MCP server integration
- Real-time monitoring
Contributing
We welcome contributions! Please:
- Fork the repository
- Create a feature branch
- Add tests for new patterns/functionality
- Submit a pull request
Security Note
IPI-Scanner is a detection tool, not a complete security solution. Use it as one layer in a defense-in-depth strategy that includes:
- ✅ Trust boundaries in your architecture
- ✅ Input validation and sanitization
- ✅ Output verification layers
- ✅ Least-privilege for agents/tools
- ✅ Human review for sensitive operations
- ✅ Continuous monitoring and logging
License
MIT License - see LICENSE file
Citation
If you use IPI-Scanner in research or production, please cite:
IPI-Scanner Contributors. (2026). IPI-Scanner: Detect Indirect Prompt Injection Attacks.
https://github.com/username/ipi-scanner
Resources
- Lakera: Indirect Prompt Injection
- Microsoft: Detecting Prompt Abuse
- OWASP LLM01:2025
- MITRE ATLAS: Prompt Injection
Support
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Email: info@ipi-scanner.dev
Made with 🛡️ for AI Security
Detect attacks. Protect your LLM. Ship with confidence.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ipi_scanner-0.1.0.tar.gz.
File metadata
- Download URL: ipi_scanner-0.1.0.tar.gz
- Upload date:
- Size: 31.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
64b970134e0ab26238ae3ca757d3b19766db201192657ef6871dd057aae3a925
|
|
| MD5 |
e4abb1fcb08a8cc508ef3f7b2a9bcafd
|
|
| BLAKE2b-256 |
24fbc61cff6b656dd076de3e5e987945afd3a4c3313d00d50092692b8f912b85
|
File details
Details for the file ipi_scanner-0.1.0-py3-none-any.whl.
File metadata
- Download URL: ipi_scanner-0.1.0-py3-none-any.whl
- Upload date:
- Size: 25.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ea04a0cba8403a233ad6538cde2f761d7239d666cf5446deb84910e52bdd6f90
|
|
| MD5 |
5830a7a02271244256ad2888ec653cb2
|
|
| BLAKE2b-256 |
f7b445384c48f7bea6363ee3dba8b48ee5a90f53b6963659730b0b8f5e9421e0
|
