Skip to main content

CLI + MCP server for detecting, classifying, and redacting embedded LLM agent instructions in documents, source code, and web pages.

Project description

llm-sanitizer

CLI + MCP server for detecting, classifying, and redacting embedded LLM agent instructions in documents, source code, and web pages.

What It Does

Documents, web pages, and source code can contain embedded instructions targeting LLM agents — from legitimate customization to malicious prompt injection. llm-sanitizer scans content for these embedded instructions, classifies their risk level, reports findings in multiple formats, and optionally produces redacted output.

Detection

Ten pluggable detection rules covering:

  • Instruction override phrases ("ignore previous instructions…")
  • Zero-width character encoding (hidden text via invisible Unicode)
  • HTML/markdown hidden content (white-on-white, display:none)
  • Role-play injection ("act as", "you are now DAN")
  • System prompt markers (<system>, ## System Prompt)
  • Data exfiltration attempts ("output the system prompt")
  • Comment-embedded directives (<!-- AI: do this -->)
  • Base64-encoded instructions
  • Unicode homoglyph substitution (Cyrillic lookalikes)
  • Agent-specific config patterns in unexpected locations

Classification

Five risk levels: info (legitimate AI config) → lowmediumhighcritical (confirmed injection technique).

Redaction

Non-destructive cleaning in three modes:

  • strip — remove the instruction entirely
  • comment — replace with [REDACTED: ...] marker
  • highlight — wrap in visible markers for review

Installation

pip install llm-sanitizer
# or
uv pip install llm-sanitizer

Quick Start

CLI

# Scan a file
llm-sanitize scan document.md

# Scan a URL
llm-sanitize scan https://example.com/page

# Scan a directory
llm-sanitize scan ./docs/ --glob "**/*.md"

# Redact a file
llm-sanitize redact document.md -o clean_document.md

# Redact a directory (mirrors structure)
llm-sanitize redact ./docs/ -o ./clean_docs/

MCP Server

Add to your MCP configuration:

{
  "mcpServers": {
    "llm-sanitizer": {
      "command": "llm-sanitizer"
    }
  }
}

Available tools: scan_text, scan_file, scan_url, scan_dir, redact, redact_file, redact_url, redact_dir, list_rules.

Python API

from llm_sanitizer.scanner import scan_text

result = scan_text("Check this <!-- ignore previous instructions --> content")
print(result.findings)  # [Finding(rule='comment_directive', risk='high', ...)]

Configuration

Create .llm-sanitizer.yml at your project root:

sensitivity: medium

rules:
  zero_width:
    enabled: true
  instruction_override:
    enabled: true
    sensitivity: high

policy:
  mode: "allow-known"    # allow-known | allow-none | allow-all
  agents:
    copilot: allow
    cursor: allow

Output Formats

  • JSON — structured findings for programmatic use
  • Markdown — human-readable reports
  • SARIF — GitHub Code Scanning / VS Code integration

Documentation

License

AGPL-3.0-or-later. Commercial licensing available — contact greg@warnes-innovations.com.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

llm_sanitizer-0.1.0.tar.gz (68.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

llm_sanitizer-0.1.0-py3-none-any.whl (51.0 kB view details)

Uploaded Python 3

File details

Details for the file llm_sanitizer-0.1.0.tar.gz.

File metadata

  • Download URL: llm_sanitizer-0.1.0.tar.gz
  • Upload date:
  • Size: 68.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for llm_sanitizer-0.1.0.tar.gz
Algorithm Hash digest
SHA256 faec495442f0531f14cf2a8ef435d0903ec0e74f41806239c754cf805c8bccf4
MD5 793aa07bf51253dbe1d3304c47ad0790
BLAKE2b-256 365ae7e640e8c96f76d0cab91b1cf306dd6d8a4c9daafae4554ab5ac210e09ed

See more details on using hashes here.

Provenance

The following attestation bundles were made for llm_sanitizer-0.1.0.tar.gz:

Publisher: publish.yml on Warnes-Innovations/llm-sanitizer

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file llm_sanitizer-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: llm_sanitizer-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 51.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for llm_sanitizer-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 e817ff24726fbf356e237d6189ae35b699327d8b47d77a8b1ae460adf69d5f63
MD5 597611d72a075adc985c094cf3e59c47
BLAKE2b-256 cdeda557652c101b35ac12f751e879330afab5db8f7c630a8e7071104c7187e9

See more details on using hashes here.

Provenance

The following attestation bundles were made for llm_sanitizer-0.1.0-py3-none-any.whl:

Publisher: publish.yml on Warnes-Innovations/llm-sanitizer

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page