Injection Detection
ghyll scans conversation turns for prompt injection patterns at checkpoint creation time. This is detection only — the operator’s sandbox (Docker, bubblewrap, sandbox-exec, Firejail, Kubernetes, …) handles enforcement at the OS level.
What’s Detected
| Pattern | Examples |
|---|---|
instruction_override | “ignore previous instructions”, “you are now”, “act as if” |
sensitive_path | ~/.ssh/, /etc/shadow, .env, id_rsa, private_key |
base64_payload | Long base64-encoded strings that decode to valid UTF-8 |
system_prompt_modify | “modify your system prompt”, “rewrite your prompt” |
Scan Scope
Only user and tool messages are scanned. Assistant (model) responses are not scanned — if the model talks about injection patterns, it’s not a false positive concern.
What Happens
When injection signals are detected:
- The signal is recorded in the checkpoint’s
injectionsfield - A warning is displayed:
checkpoint 3: injection signal in turn 7 - The checkpoint is still created (detection, not prevention)
- The surrounding sandbox blocks any actual dangerous operations at the OS level
Why Detection Only
ghyll executes tools directly (YOLO mode by design). Blocking at the ghyll level would create a false sense of security and could be bypassed. A real sandbox — the operator chooses one from the sandbox table — provides OS-level isolation that cannot be circumvented from user space, regardless of what ghyll executes. See Why ghyll for the full rationale.