About This Skill

# Prompt-Injection & Agent-Security Gate A pre-action security gate that inspects untrusted content for hidden instructions and attack patterns before your agent reads, trusts, or acts on it. ## What this skill does Agents are trusting by default. They read a web page, a tool result, a document, or an email and treat its contents as information to act on — which is exactly how indirect prompt injection works. An attacker plants instructions inside content the agent will process, and the agent follows them. This skill installs a skeptical security reviewer between the untrusted content and the agent's next action. It assumes the content is hostile and tries to prove it. The output is not a rewrite or a cleaned version of the content. It is a structured verdict: the specific injection or attack patterns found, the risk they pose, and a clear decision — SAFE, REVIEW, or BLOCK — before the agent proceeds. ## When to use it Run the gate on any content that originates outside the user and the system prompt, before the agent acts on it: fetched web pages, search results, tool and API outputs, file contents, email and message bodies, PDFs, and form fields. It is most valuable immediately before a consequential action — sending a message, calling a tool, making a change, or following a link. ## The five inspection passes 1. **Embedded-instruction scan.** Detect imperative instructions aimed at the agent ("ignore previous instructions", "now do X", role redefinitions), including text hidden via white-on-white, tiny fonts, comments, alt text, or metadata. 2. **Authority & social-engineering check.** Flag claims of being the system, developer, admin, or user; false pre-authorization claims; urgency, threats, or emotional pressure designed to force action. 3. **Lethal-trifecta check.** Assess whether acting on the content could combine access to private data, exposure to untrusted instructions, and a way to exfiltrate — the pattern that turns injection into data loss. 4. **Obfuscation & encoding scan.** Surface base64, hex, homoglyphs, zero-width characters, or unusual encodings that hide instructions, and decode enough to judge intent. 5. **Action-risk rehearsal.** Identify the single most dangerous thing the agent might do if it naively trusted the content, and whether the content is trying to trigger it. ## The verdict format A compact, consistent block: the risk level, each injection found (quoted, with attack type), social-engineering and authority claims, exfiltration/trifecta risk, obfuscation detected, the most dangerous action if trusted, and a final verdict — SAFE, REVIEW, or BLOCK — with a one-line justification. ## Why it works It separates "reading content" from "acting on content." The same model is far more resistant to injection when explicitly told to treat the input as untrusted data and hunt for attacks, rather than to be helpful and follow along. The structured passes catch the hidden, encoded, and authority-based attacks a single casual read misses. ## What it is not This is a reasoning-and-prompting skill, not a firewall, sandbox, or malware scanner. It does not execute, fetch, or block anything at the system level, and it cannot guarantee detection of every novel attack. It is a disciplined review layer that raises the bar against indirect prompt injection and social engineering. Pair it with real system-level controls (allow-lists, scoped permissions, human approval for sensitive actions) for defense in depth.