Skip to main content

CLI + MCP server for detecting, classifying, and redacting embedded LLM agent instructions in documents, source code, and web pages.

Project description

llm-sanitizer

CLI + MCP server for detecting, classifying, and redacting embedded LLM agent instructions in documents, source code, and web pages.

What It Does

Documents, web pages, and source code can contain embedded instructions targeting LLM agents — from legitimate customization to malicious prompt injection. llm-sanitizer scans content for these embedded instructions, classifies their risk level, reports findings in multiple formats, and optionally produces redacted output.

Detection

Ten pluggable detection rules covering:

  • Instruction override phrases ("ignore previous instructions…")
  • Zero-width character encoding (hidden text via invisible Unicode)
  • HTML/markdown hidden content (white-on-white, display:none)
  • Role-play injection ("act as", "you are now DAN")
  • System prompt markers (<system>, ## System Prompt)
  • Data exfiltration attempts ("output the system prompt")
  • Comment-embedded directives (<!-- AI: do this -->)
  • Base64-encoded instructions
  • Unicode homoglyph substitution (Cyrillic lookalikes)
  • Agent-specific config patterns in unexpected locations

Classification

Five risk levels: info (legitimate AI config) → lowmediumhighcritical (confirmed injection technique).

Redaction

Non-destructive cleaning in three modes:

  • strip — remove the instruction entirely
  • comment — replace with [REDACTED: ...] marker
  • highlight — wrap in visible markers for review

Installation

pip install llm-sanitizer
# or
uv pip install llm-sanitizer

Quick Start

CLI

# Scan a file
llm-sanitize scan document.md

# Scan a URL
llm-sanitize scan https://example.com/page

# Scan a directory
llm-sanitize scan ./docs/ --glob "**/*.md"

# Redact a file
llm-sanitize redact document.md -o clean_document.md

# Redact a directory (mirrors structure)
llm-sanitize redact ./docs/ -o ./clean_docs/

MCP Server

Add to your MCP configuration:

{
  "mcpServers": {
    "llm-sanitizer": {
      "command": "llm-sanitizer"
    }
  }
}

Available tools: scan_text, scan_file, scan_url, scan_dir, redact, redact_file, redact_url, redact_dir, list_rules.

Python API

from llm_sanitizer.scanner import scan_text

result = scan_text("Check this <!-- ignore previous instructions --> content")
print(result.findings)  # [Finding(rule='comment_directive', risk='high', ...)]

Configuration

Create .llm-sanitizer.yml at your project root:

sensitivity: medium

rules:
  zero_width:
    enabled: true
  instruction_override:
    enabled: true
    sensitivity: high

policy:
  mode: "allow-known"    # allow-known | allow-none | allow-all
  agents:
    copilot: allow
    cursor: allow

Output Formats

  • JSON — structured findings for programmatic use
  • Markdown — human-readable reports
  • SARIF — GitHub Code Scanning / VS Code integration

Documentation

License

AGPL-3.0-or-later. Commercial licensing available — contact greg@warnes-innovations.com.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

llm_sanitizer-0.1.3.tar.gz (68.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

llm_sanitizer-0.1.3-py3-none-any.whl (51.0 kB view details)

Uploaded Python 3

File details

Details for the file llm_sanitizer-0.1.3.tar.gz.

File metadata

  • Download URL: llm_sanitizer-0.1.3.tar.gz
  • Upload date:
  • Size: 68.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for llm_sanitizer-0.1.3.tar.gz
Algorithm Hash digest
SHA256 445588e3d0e7df102b8574415fd052dd3a907f9eb04cdbbc7145d7c27456db99
MD5 cd1aaa3c00472e02a1aaab47208ec8c0
BLAKE2b-256 0a632168e0b36152c635c6c5f02275350616e1b789ef6929ebf79ca3b4c56d77

See more details on using hashes here.

Provenance

The following attestation bundles were made for llm_sanitizer-0.1.3.tar.gz:

Publisher: publish.yml on Warnes-Innovations/llm-sanitizer

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file llm_sanitizer-0.1.3-py3-none-any.whl.

File metadata

  • Download URL: llm_sanitizer-0.1.3-py3-none-any.whl
  • Upload date:
  • Size: 51.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for llm_sanitizer-0.1.3-py3-none-any.whl
Algorithm Hash digest
SHA256 e8da4d158a9d0be40ad01f1f155a8c986eacd8522035cb69bc5ffcd953ac3c17
MD5 b69f95cbf544aab9d94013938ba27d12
BLAKE2b-256 00aedca222cc42ed3b344b55da6795d16bff924c64b50c404646b76defe7a181

See more details on using hashes here.

Provenance

The following attestation bundles were made for llm_sanitizer-0.1.3-py3-none-any.whl:

Publisher: publish.yml on Warnes-Innovations/llm-sanitizer

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page