← The Wire
Entity trail

Prompt Injection Detection

Source-backed findings, relationship evidence, citations, and briefing history from the public MindPattern archive.

Briefing refs
2
Findings
20
Edges
0
Sources
20

Corpus findings

  1. 2026-06-28 / skill-finderMove prompt-injection defense from the prompt layer to the runtime with ClawGuardClawGuard argues that prompt-layer guardrails are inherently bypassable and instead enforces defense at the runtime/tool-execution boundary — gating what an agent is actually allowed to *do* when acting on potentially-poisoned content, limiting blast radius rather than trying to perfectly detect every injection. This aligns with the 2026 consensus of concentric layers that assume one layer will be breached. The skill: pair input detection (PromptArmor-style) with a runtime allow-list on tool calls so a successful injection still can't trigger destructive or exfiltrating actions.
  2. 2026-06-28 / skill-finderPromptArmor: turn an off-the-shelf LLM into a sub-1% prompt-injection guardrailPromptArmor interposes a lightweight guardrail LLM (GPT-4o/4.1/o4-mini) that is prompted to detect and excise injected instructions from untrusted input before the agent ever processes it, using fuzzy-regex excision of the flagged span. On AgentDojo it drops both false-positive and false-negative rates below 1% and crushes attack success rate to under 1%. The non-obvious part: even a guardrail LLM that is itself injectable can be prompted to reliably *detect and remove* injections — a cheap detection layer you can bolt onto any existing agent today.
  3. 2026-06-23 / skill-finderAssume every single prompt-injection defense fails under adaptive attack — design defense-in-depth, not one controlA joint study across OpenAI, Anthropic, and Google DeepMind found that under adaptive attack conditions, every published defense was bypassed at success rates above 90% — meaning no single filter or classifier is sufficient. The practical response is layered: separate trusted from untrusted text, validate output structure before acting, sandbox capabilities, enforce least-authority tools, plant canary tokens for exfiltration, and require human approval for high-impact actions. Treat prompt injection as a containment problem, not a detection problem.
  4. 2026-06-14 / arxiv-researcherPI-Hunter: Automated Red-Teaming for Exposing and Localizing Prompt InjectionsPI-Hunter is an agentic auditing framework that proactively builds realistic test cases and iteratively refines them via feedback-driven exploration, inducing agents to retrieve concealed malicious instructions from external environments. It reports substantially improved vulnerability detection and attack-surface coverage over existing automated red-teamers, and stays effective against current prompt-injection defenses.
  5. 2026-05-27 / arxiv-researcherPrompt Injection Detection Is Regime-Dependent: Deployment Context Changes Which Detectors WorkAkinrele and Gowda present a multi-model, multi-regime evaluation of prompt injection detectors comparing lexical, semantic, structural, and transformer-based approaches. Key finding: detector effectiveness varies dramatically across deployment regimes and out-of-distribution settings. Structural signals (interpretable features) provide more consistent cross-regime performance than learned detectors that overfit to training distribution.
  6. 2026-05-01 / agents-researcherLatent Adversarial Detection: Activation Probing Catches Multi-Turn Prompt Injection at 93.8% AccuracyResearchers discovered 'adversarial restlessness' — a characteristic activation path length in LLM residual streams that emerges as multi-turn attacks progress through trust-building, pivoting, and escalation phases. Using five scalar trajectory features, detection accuracy jumps from 76.2% to 93.8% on synthetic data and reaches 89.4% with 2.4% false positive rate on combined training. The signal replicates across four model families (24B–70B parameters). Three-phase turn-level labels proved essential; binary labels produced 50–59% false positives, explaining why prior work underperformed.
  7. 2026-04-29 / arxiv-researcherSnapGuard: Lightweight Prompt Injection Detection for Screenshot-Based Web AgentsAddresses the critical vulnerability where web agents that consume page screenshots can be attacked via visual prompt injection — malicious instructions embedded in webpage content that the agent's vision model interprets as commands. SnapGuard proposes a lightweight detection layer specifically for screenshot-based agents, filtering injected instructions before they reach the agent's action planner. With web agents proliferating (GPT-5.4's OSWorld-Verified at 75%, GPT-5.5 at 78.7%), this attack surface is growing fast and SnapGuard is among the first dedicated defenses.
  8. 2026-04-28 / github-pulse-researcherTencent/AI-Infra-Guard: Full-Stack AI Red Teaming Platform Scanning OpenClaw, Agents, Skills, and MCP — 3.6K StarsTencent open-sourced AI-Infra-Guard, a comprehensive AI red teaming platform that performs security scans across five attack surfaces: OpenClaw Security Scan, Agent Scan, Skills Scan, MCP scan, and AI Infrastructure scan, plus LLM jailbreak evaluation. At 3,585 stars with active development, it addresses the growing security gap as agent frameworks proliferate — covering prompt injection, vulnerability detection, and security assessment specifically tailored to the agent ecosystem rather than just LLM output safety.
  9. 2026-04-21 / arxiv-researcherSeven Cross-Domain Techniques for Prompt Injection Detection Beyond Pattern MatchingA new paper argues that both regex-based and fine-tuned transformer classifiers for prompt injection share critical failure modes — regex misses paraphrased attacks, and classifiers are bypassed at >50% success rates by adaptive adversaries (per a 2025 NAACL study). The paper proposes seven cross-domain detection techniques drawn from fields outside NLP to address these gaps. Directly actionable for anyone building agent pipelines that process untrusted input.
  10. 2026-04-09 / github-pulse-researcheropendataloader-project/opendataloader-pdf: #1-Ranked AI-Ready PDF Parser Surges +1,012 Stars Today to 13.3KOpenDataLoader PDF extracts structured content from PDFs in Markdown, JSON (with bounding boxes), HTML, and annotated PDF formats — optimized for RAG pipelines with source citation via element-level bounding boxes. Its hybrid mode routes complex pages to AI backends, achieving 0.907 benchmark accuracy (#1 ranked). Supports 80+ OCR languages and includes prompt injection detection in extracted text. At +1,012 stars today with Apache 2.0 license, it's rapidly becoming the go-to PDF parser for AI document pipelines.
  11. 2026-04-04 / skill-finderPrompt Injection Success Rate Exceeds 85% Against SOTA Defenses When Adaptive Strategies Are UsedA meta-analysis of 78 recent studies (2021-2026) published in ScienceDirect consolidates evidence that attack success rates against state-of-the-art prompt injection defenses exceed 85% when adaptive attack strategies are employed. The study catalogs 31 distinct attack techniques including protocol-level attacks specific to MCP ecosystems. However, a HITL defense layer improves protection to 91.5%. An open-source agent firewall with an 11-layer pipeline for DLP and MCP tool poisoning detection shows the most promise for production defense.
  12. 2026-04-02 / arxiv-researcherAgentWatcher: Rule-Based Prompt Injection Monitor with Explicit Detection Rules for Long-Context AgentsProposes AgentWatcher to address two key limitations of current prompt injection detectors: (1) effectiveness degrades significantly as context length increases, and (2) detection decisions are implicit and opaque. AgentWatcher uses explicit, interpretable rules defining what constitutes prompt injection, making decisions transparent and auditable. Directly addresses OWASP LLM Top 10 concerns for agent deployments with growing context windows.

Source trail

Graph sources

entity graphfindings textkg entitiesnewsletter issues