Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Injection Detection

ghyll scans conversation turns for prompt injection patterns at checkpoint creation time. This is detection only — the operator’s sandbox (Docker, bubblewrap, sandbox-exec, Firejail, Kubernetes, …) handles enforcement at the OS level.

What’s Detected

PatternExamples
instruction_override“ignore previous instructions”, “you are now”, “act as if”
sensitive_path~/.ssh/, /etc/shadow, .env, id_rsa, private_key
base64_payloadLong base64-encoded strings that decode to valid UTF-8
system_prompt_modify“modify your system prompt”, “rewrite your prompt”

Scan Scope

Only user and tool messages are scanned. Assistant (model) responses are not scanned — if the model talks about injection patterns, it’s not a false positive concern.

What Happens

When injection signals are detected:

  1. The signal is recorded in the checkpoint’s injections field
  2. A warning is displayed: checkpoint 3: injection signal in turn 7
  3. The checkpoint is still created (detection, not prevention)
  4. The surrounding sandbox blocks any actual dangerous operations at the OS level

Why Detection Only

ghyll executes tools directly (YOLO mode by design). Blocking at the ghyll level would create a false sense of security and could be bypassed. A real sandbox — the operator chooses one from the sandbox table — provides OS-level isolation that cannot be circumvented from user space, regardless of what ghyll executes. See Why ghyll for the full rationale.