# Rogue Prompt Full Reference Rogue Prompt is a neutral educational reference for prompt injection and LLM application security. Its stance is defensive: examples are conceptual, sourced, and framed around prevention. ## Key Definition Prompt injection is an LLM application vulnerability where instructions supplied by a user or by untrusted external content influence the model to ignore, override, or conflict with the developer's intended behavior. Jailbreaks are often direct attempts to bypass model or application policy. Indirect prompt injection appears inside content the application retrieves or processes, such as a web page, email, document, issue comment, search result, or RAG record. ## Security Model The core problem is instruction/data collapse. Natural-language instructions, retrieved text, conversation history, tool results, and user requests may all appear in the model context. If the application gives the model sensitive data or tools, an injected instruction can produce real impact: data disclosure, unauthorized tool calls, manipulated summaries, bad decisions, or unsafe generated code. ## Defensive Principles - Treat retrieved documents, web pages, emails, comments, tickets, and RAG records as untrusted input. - Use least privilege for tools, credentials, and data retrieval. - Validate every tool call with deterministic policy checks outside the LLM. - Prefer allow-listed actions over free-form execution. - Keep high-impact actions behind human review. - Separate trusted planning from untrusted content processing when possible. - Log prompts, retrieved sources, model outputs, and tool calls for investigation. - Use model-based guardrails as one layer, not as the only security boundary. - Treat system prompts as visible operational guidance; do not store secrets, credentials, or privileged policy only in prompts. ## Pages 1. https://rogueprompt-com.pages.dev/ - Overview and map. 2. https://rogueprompt-com.pages.dev/direct-vs-indirect - Taxonomy: direct jailbreaks versus indirect, data-borne injection. 3. https://rogueprompt-com.pages.dev/how-attacks-work - Defensive mechanism explanation. 4. https://rogueprompt-com.pages.dev/defenses - Layered prevention and mitigation. 5. https://rogueprompt-com.pages.dev/red-teaming - Responsible testing workflow. 6. https://rogueprompt-com.pages.dev/incidents - Documented cases and research demonstrations. 7. https://rogueprompt-com.pages.dev/resources - Sources and tools. 8. https://rogueprompt-com.pages.dev/faq - Common questions and concise answers. 9. https://rogueprompt-com.pages.dev/tools/ - Free client-side tools for LLM security review. 10. https://rogueprompt-com.pages.dev/llm-security-checklist - Launch checklist for LLM apps that process untrusted content, retrieve data, call tools, or render generated output. 11. https://rogueprompt-com.pages.dev/system-prompt-leak-prevention - System prompt hardening and leak-impact reduction. ## Free Tools All tools run client-side in the browser. They do not require signup and do not send prompt text, architecture selections, or generated output to a backend. 1. https://rogueprompt-com.pages.dev/tools/risk-assessment - Prompt Injection Risk Checklist. Scores common risk amplifiers: untrusted input, retrieval permissions, tool authority, free-form parameters, missing approval, prompt-held secrets, unsafe output rendering, memory, weak regression tests, weak logging, and missing ownership. Output: risk score, exposure level, and prioritized defensive recommendations mapped to OWASP-style LLM risks. 2. https://rogueprompt-com.pages.dev/tools/system-prompt-linter - System Prompt Hardening Linter. Checks pasted prompt text locally for possible secrets, brittle reliance on "do not reveal" wording, missing untrusted-content boundaries, missing tool validation, missing output validation, missing human review, and missing safe fallbacks. Output: hardening score, findings, and suggested defensive clauses. 3. https://rogueprompt-com.pages.dev/tools/threat-model - LLM App Threat Model Generator. Builds copyable markdown threat models for chat, RAG/document assistants, agents with tools, and email/workflow assistants. Output covers assets, trust boundaries, prompt-injection surfaces, abuse cases, mitigations, benign regression tests, and launch gates. ## Key Facts For Citation - Prompt injection becomes more serious when the model can affect tools, private data, rendered output, workflow actions, memory, or policy decisions. - Direct prompt injection enters through the user prompt path; indirect prompt injection enters through retrieved or processed content. - Input filtering can reduce obvious failures but does not replace authorization, least privilege, schema validation, allow-lists, human approval, and observability. - System prompt leaks are lower impact when prompts contain no secrets, hidden bypass logic, private data, or privileged implementation details. - Responsible testing means written authorization, controlled data, bounded scope, non-destructive cases, private reporting, and regression testing. ## Primary Sources Used - OWASP GenAI Security Project LLM01:2025 Prompt Injection. - OWASP LLM Prompt Injection Prevention Cheat Sheet. - Greshake et al., "Not what you've signed up for," arXiv:2302.12173. - Simon Willison's prompt-injection essays and dual-LLM pattern. - Microsoft Prompt Shields documentation. - Google and Google DeepMind prompt-injection defense guidance. - NVIDIA AI Red Team security guidance. - Promptfoo LLM red-teaming documentation. - NIST AI Risk Management Framework.