Lines 1-29javascript
1const INJECTION_TELLS = [
2 { id: "override", re: /\b(?:ignore|disregard|forget)\s+(?:all\s+|any\s+)?(?:previous|prior|earlier|above|your)\s+(?:instructions?|prompts?|rules?|guidance)\b/i, label: "instruction-override phrasing" },
3 { id: "new_instructions", re: /\b(?:new|updated|real|actual|true)\s+instructions?\s*[:>-]/i, label: "injected replacement instructions" },
4 { id: "pay_command", re: /\b(?:you\s+(?:must|should|need\s+to|are\s+required\s+to)|be\s+sure\s+to|immediately)\s+(?:pay|send|transfer|authorize)\b/i, label: "imperative payment command" },
5 { id: "send_to_address", re: /\b(?:send|pay|transfer)\b[^.\n]{0,80}\b(?:to|at)\s+(?:0x[0-9a-fA-F]{6,}|[1-9A-HJ-NP-Za-km-z]{32,44})/, label: "payment redirection to embedded address" },
6 { id: "secrecy", re: /\b(?:do\s+not|don'?t|never)\s+(?:tell|inform|notify|alert|mention\s+(?:this\s+)?to)\s+(?:the\s+)?(?:user|human|owner|operator)\b/i, label:
7 { id: "role_marker", re: /(?:<\/?(?:system|assistant|instructions?)>|\[(?:system|SYSTEM)\]|^system\s*:)/m, label: "spoofed role/system marker" },
8 { id: "urgency", re: /\b(?:urgent(?:ly)?|final\s+(?:warning|notice)|account\s+(?:will\s+be\s+)?(?:suspended|terminated)|within\s+\d+\s+(?:minutes?|hours?)\s+or)\b/i, label: "urgency/threat pressure" },
9 { id: "invisible_chars", re: /[]/, label: "invisible/zero-width characters (hidden text)" },
CriticalTrojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/src/detectors/injection.jsView on unpkg · L9 11/** Scan a string for injection indicators. Exported for the deep tier and tests. */
12export function findTells(text) {
13 return INJECTION_TELLS.filter((t) => t.re.test(text)).map(({ id, label }) => ({ id, label }));
15export function checkInjection(payment, context) {
17 const origin = context?.origin ?? "unknown";
18 const content = context?.content ?? "";
19 const fromUntrusted = origin === "tool_result" || origin === "fetched_content";
20 // 1. Provenance: did the decision to pay come from content the agent just read?
23 id: "injection.untrusted_origin",
24 name: "Prompt-injection-triggered payment",
27 reason: `This payment originated from ${origin === "tool_result" ? "a tool result" : "fetched external content"} rather than the agent's own planning step. Payments prompted by just-read content are the primary prompt-injection exfiltration path — confirm against the agent's plan before settling.`,
28 details: { origin, content_source_url: context?.content_source_url },