Free client-side tool

Prompt Injection Risk Checklist

Score an LLM application for prompt-injection exposure and get prioritized defensive recommendations mapped to OWASP LLM risks.

Updated 2026-07-06

Local only. This checklist runs in your browser. It does not collect, upload, or store your answers.
Inputs
Authority
Data exposure
Operations

How to use the score

The checklist looks for common prompt-injection amplifiers: untrusted content, retrieval permissions, tool authority, free-form parameters, missing approval, prompt-held secrets, unsafe output rendering, and weak operational coverage. A high score means the architecture deserves attention before more prompt wording is added.

Treat the result as a triage aid. The next step is a real threat model: map inputs, data, tools, users, logs, and approvals. The threat model generator can turn the same architecture into a markdown review note.

Risk checklist FAQ

Does this checklist send my architecture details anywhere?

No. The checklist is client-side JavaScript. It reads checkbox state in your browser and does not send data to a server.

Is a low score proof that an LLM app is safe?

No. A low score means this checklist did not see common high-risk conditions. Teams should still threat-model the exact product flow and test it under authorization.

Why does tool access raise the score so much?

Prompt injection becomes more serious when model output can affect privileged tools, sensitive data, external messages, or irreversible actions.