Shawnaldinho builds a prompt-injection defense that admits where it stops

A proposed shield against documents that try to hijack the AI - paired with an unusually honest note about what it can't do.

security

Prompt injection is when malicious instructions hide inside content the AI reads - a document, a search result, a file listing - and trick it into ignoring its real job. Shawnaldinho's proposal wraps every piece of untrusted content in markers tied to a fresh secret that changes on every request and can't be guessed, so the model is told plainly which text is data and which is a genuine instruction. Crucially, he moves the protection to where the real danger sits: not filenames, but the body text of documents and the results tool calls hand back.

The headline move is candour. It ships with an adversarial test set that tries to break the fences, plus a written threat model and a README note spelling out what the codebase still does not do - no output screening, no limits on what the AI can do inside a single turn. He calls it raising the bar against casual attacks, not stopping a determined one. It is an open proposal, not yet merged.

So what Anyone running Mike over documents from outside sources should read this - both for the defense and for the honest list of gaps it leaves open.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?