CLI + MCP server for detecting, classifying, and redacting embedded LLM agent instructions in documents, source code, and web pages.
Project description
llm-sanitizer
CLI + MCP server for detecting, classifying, and redacting embedded LLM agent instructions in documents, source code, and web pages.
What It Does
Documents, web pages, and source code can contain embedded instructions
targeting LLM agents — from legitimate customization to malicious prompt
injection. llm-sanitizer scans content for these embedded instructions,
classifies their risk level, reports findings in multiple formats, and
optionally produces redacted output.
Detection
Ten pluggable detection rules covering:
- Instruction override phrases ("ignore previous instructions…")
- Zero-width character encoding (hidden text via invisible Unicode)
- HTML/markdown hidden content (white-on-white, display:none)
- Role-play injection ("act as", "you are now DAN")
- System prompt markers (
<system>,## System Prompt) - Data exfiltration attempts ("output the system prompt")
- Comment-embedded directives (
<!-- AI: do this -->) - Base64-encoded instructions
- Unicode homoglyph substitution (Cyrillic lookalikes)
- Agent-specific config patterns in unexpected locations
Classification
Five risk levels: info (legitimate AI config) → low → medium → high → critical (confirmed injection technique).
Redaction
Non-destructive cleaning in three modes:
- strip — remove the instruction entirely
- comment — replace with
[REDACTED: ...]marker - highlight — wrap in visible markers for review
Installation
pip install llm-sanitizer
# or
uv pip install llm-sanitizer
Quick Start
CLI
# Scan a file
llm-sanitize scan document.md
# Scan a URL
llm-sanitize scan https://example.com/page
# Scan a directory
llm-sanitize scan ./docs/ --glob "**/*.md"
# Redact a file
llm-sanitize redact document.md -o clean_document.md
# Redact a directory (mirrors structure)
llm-sanitize redact ./docs/ -o ./clean_docs/
MCP Server
Add to your MCP configuration:
{
"mcpServers": {
"llm-sanitizer": {
"command": "llm-sanitizer"
}
}
}
Available tools: scan_text, scan_file, scan_url, scan_dir, redact,
redact_file, redact_url, redact_dir, list_rules.
Python API
from llm_sanitizer.scanner import scan_text
result = scan_text("Check this <!-- ignore previous instructions --> content")
print(result.findings) # [Finding(rule='comment_directive', risk='high', ...)]
Configuration
Create .llm-sanitizer.yml at your project root:
sensitivity: medium
rules:
zero_width:
enabled: true
instruction_override:
enabled: true
sensitivity: high
policy:
mode: "allow-known" # allow-known | allow-none | allow-all
agents:
copilot: allow
cursor: allow
Output Formats
- JSON — structured findings for programmatic use
- Markdown — human-readable reports
- SARIF — GitHub Code Scanning / VS Code integration
Documentation
License
AGPL-3.0-or-later. Commercial licensing available — contact greg@warnes-innovations.com.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file llm_sanitizer-0.1.0.tar.gz.
File metadata
- Download URL: llm_sanitizer-0.1.0.tar.gz
- Upload date:
- Size: 68.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
faec495442f0531f14cf2a8ef435d0903ec0e74f41806239c754cf805c8bccf4
|
|
| MD5 |
793aa07bf51253dbe1d3304c47ad0790
|
|
| BLAKE2b-256 |
365ae7e640e8c96f76d0cab91b1cf306dd6d8a4c9daafae4554ab5ac210e09ed
|
Provenance
The following attestation bundles were made for llm_sanitizer-0.1.0.tar.gz:
Publisher:
publish.yml on Warnes-Innovations/llm-sanitizer
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
llm_sanitizer-0.1.0.tar.gz -
Subject digest:
faec495442f0531f14cf2a8ef435d0903ec0e74f41806239c754cf805c8bccf4 - Sigstore transparency entry: 1345193142
- Sigstore integration time:
-
Permalink:
Warnes-Innovations/llm-sanitizer@78986da01535fd99982a197344cf2ee417e8ddec -
Branch / Tag:
refs/tags/v0.1.1 - Owner: https://github.com/Warnes-Innovations
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@78986da01535fd99982a197344cf2ee417e8ddec -
Trigger Event:
release
-
Statement type:
File details
Details for the file llm_sanitizer-0.1.0-py3-none-any.whl.
File metadata
- Download URL: llm_sanitizer-0.1.0-py3-none-any.whl
- Upload date:
- Size: 51.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e817ff24726fbf356e237d6189ae35b699327d8b47d77a8b1ae460adf69d5f63
|
|
| MD5 |
597611d72a075adc985c094cf3e59c47
|
|
| BLAKE2b-256 |
cdeda557652c101b35ac12f751e879330afab5db8f7c630a8e7071104c7187e9
|
Provenance
The following attestation bundles were made for llm_sanitizer-0.1.0-py3-none-any.whl:
Publisher:
publish.yml on Warnes-Innovations/llm-sanitizer
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
llm_sanitizer-0.1.0-py3-none-any.whl -
Subject digest:
e817ff24726fbf356e237d6189ae35b699327d8b47d77a8b1ae460adf69d5f63 - Sigstore transparency entry: 1345193230
- Sigstore integration time:
-
Permalink:
Warnes-Innovations/llm-sanitizer@78986da01535fd99982a197344cf2ee417e8ddec -
Branch / Tag:
refs/tags/v0.1.1 - Owner: https://github.com/Warnes-Innovations
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@78986da01535fd99982a197344cf2ee417e8ddec -
Trigger Event:
release
-
Statement type: