PromptInjection

Prompt injection testing. USE WHEN prompt injection, jailbreak, LLM security, AI security assessment, pentest AI application, test chatbot vulnerabilities.

181 stars

Best use case

PromptInjection is best used when you need a repeatable AI agent workflow instead of a one-off prompt.


Teams using PromptInjection should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/PromptInjection/SKILL.md --create-dirs "https://raw.githubusercontent.com/majiayu000/claude-skill-registry/main/skills/data/PromptInjection/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/PromptInjection/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How PromptInjection Compares

| Feature / Agent         | PromptInjection | Standard Approach |
|-------------------------|-----------------|-------------------|
| Platform Support        | Not specified   | Limited / Varies  |
| Context Awareness       | High            | Baseline          |
| Installation Complexity | Unknown         | N/A               |

Frequently Asked Questions

What does this skill do?

Prompt injection testing. USE WHEN prompt injection, jailbreak, LLM security, AI security assessment, pentest AI application, test chatbot vulnerabilities.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

## Customization

**Before executing, check for user customizations at:**
`~/.claude/skills/PAI/USER/SKILLCUSTOMIZATIONS/PromptInjection/`

If this directory exists, load and apply any PREFERENCES.md, configurations, or resources found there. These override default behavior. If the directory does not exist, proceed with skill defaults.


## 🚨 MANDATORY: Voice Notification (REQUIRED BEFORE ANY ACTION)

**You MUST send this notification BEFORE doing anything else when this skill is invoked.**

1. **Send voice notification**:
   ```bash
   curl -s -X POST http://localhost:8888/notify \
     -H "Content-Type: application/json" \
     -d '{"message": "Running the WORKFLOWNAME workflow in the PromptInjection skill to ACTION"}' \
     > /dev/null 2>&1 &
   ```

2. **Output text notification**:
   ```
   Running the **WorkflowName** workflow in the **PromptInjection** skill to ACTION...
   ```

**This is not optional. Execute this curl command immediately upon skill invocation.**

# PromptInjection Skill

## 🔒 AUTHORIZATION & ETHICAL USE REQUIREMENTS

**⚠️ CRITICAL - READ BEFORE USE ⚠️**

This skill is part of a **Security Practice** run by a security professional with extensive experience in offensive security testing.

### Legal Requirements

**AUTHORIZATION IS MANDATORY:**
- ✅ **ONLY test systems you own** or have **explicit written permission** to test
- ✅ **ONLY use these techniques** as part of authorized penetration testing engagements
- ✅ **ALWAYS document authorization** before beginning any testing
- ✅ **RESPECT scope boundaries** defined in testing agreements
- ✅ **FOLLOW responsible disclosure** practices for any vulnerabilities discovered

**UNAUTHORIZED TESTING IS ILLEGAL:**
- ❌ **NEVER test systems** without explicit written permission
- ❌ **NEVER exceed** authorized scope boundaries
- ❌ **NEVER use these techniques** for malicious purposes
- ❌ **NEVER disclose vulnerabilities** publicly before vendor remediation
- ❌ **NEVER exfiltrate** real user data during testing

### Ethical Framework

This skill exists for **defensive security purposes:**
1. **Authorized penetration testing** of client systems under formal engagement
2. **Security assessment** of your own systems and products
3. **Research and education** for improving AI/LLM security practices
4. **Responsible disclosure** of vulnerabilities to vendors for remediation

**Any use of this skill constitutes acceptance of these terms and agreement to use only for authorized, ethical security testing purposes.**

---

## When to Activate This Skill

**Activate this skill when user says:**

### Direct Triggers
- "test for prompt injection", "prompt injection test", "prompt injection assessment"
- "LLM security testing", "AI security audit", "test chatbot security"
- "jailbreak test", "test for jailbreaking"
- "pentest AI application", "security test AI system"
- "check AI vulnerabilities", "assess AI security"

### Research & Analysis
- "research prompt injection", "analyze LLM vulnerabilities"
- "study jailbreaking methods", "investigate AI attack vectors"

### Engagement Work
- "client engagement for LLM security"
- "comprehensive AI security assessment"
- "vulnerability research for disclosure"

---


## Workflow Routing

**When executing a workflow, output this notification:**
```
Running the **WorkflowName** workflow in the **PromptInjection** skill to ACTION...
```

This skill provides 5 comprehensive testing workflows:

### 1. CompleteAssessment (Master Workflow)

**File:** `Workflows/CompleteAssessment.md`
**Triggers:** "full assessment", "complete test", "comprehensive assessment"
**Description:** End-to-end security assessment (12-20 hours)
- Phase 1: Authorization & scoping
- Phase 2: Reconnaissance (1-2 hours)
- Phase 3-5: Direct/indirect/multi-stage testing (6-8 hours)
- Phase 6-9: Defense analysis & reporting (4-6 hours)

**Use for:** Full security engagements, formal penetration tests

### 2. Reconnaissance

**File:** `Workflows/Reconnaissance.md`
**Triggers:** "recon", "discover attack surface", "map application"
**Description:** Application intelligence gathering via browser automation
- DOM extraction and analysis
- JavaScript inspection
- API endpoint enumeration
- Injection point identification

**Use for:** Initial assessment phase, attack surface mapping

### 3. DirectInjectionTesting

**File:** `Workflows/DirectInjectionTesting.md`
**Triggers:** "test direct injection", "jailbreak testing", "basic injection"
**Description:** Single-stage direct attacks
- Basic instruction override
- Jailbreaking & guardrail bypass
- System prompt extraction
- Token manipulation
- Obfuscation techniques

**Use for:** Quick vulnerability validation

### 4. IndirectInjectionTesting

**File:** `Workflows/IndirectInjectionTesting.md`
**Triggers:** "test indirect injection", "RAG poisoning", "document injection"
**Description:** Attacks via external data sources
- Document upload injection
- Web scraping attacks
- RAG system poisoning
- API response manipulation

**Use for:** Testing RAG systems, data processing pipelines

### 5. MultiStageAttacks

**File:** `Workflows/MultiStageAttacks.md`
**Triggers:** "multi-stage attack", "sophisticated testing", "advanced attacks"
**Description:** Complex multi-turn attack sequences
- Progressive escalation
- Context poisoning
- Trust exploitation chains

**Use for:** Advanced testing, sophisticated threat simulation

---

## Quick Start

**For first assessment:**
1. Read QuickStartGuide.md (30-60 minute methodology)
2. Verify written authorization
3. Run Reconnaissance workflow
4. Test top 5 attack types
5. Document findings

**For comprehensive assessment:**
1. Use CompleteAssessment workflow
2. Follow all 9 phases
3. Generate professional report

---

## Resource Library

**Core Documentation:**

- **COMPREHENSIVE-ATTACK-TAXONOMY.md** - 10 attack categories, 100+ techniques
- **APPLICATION-RECONNAISSANCE-METHODOLOGY.md** - 7-phase recon process
- **DefenseMechanisms.md** - Defense-in-depth strategies, remediation guidance
- **AutomatedTestingTools.md** - Promptfoo, Garak, PyRIT comparison
- **QuickStartGuide.md** - First assessment checklist (30-60 min)
- **Reporting.md** - Report structure, templates, presentation guidance

**All resources are in the PromptInjection skill root directory.**

---

## Key Principles

### Authorization-First
1. Written authorization is mandatory
2. Document everything (scope, boundaries, approvals)
3. Respect boundaries - in-scope only
4. Stop if uncertain - clarify before proceeding

### Methodical Testing
1. Systematic approach - follow established methodology
2. Document as you go - record all tests and results
3. Reproduce findings - ensure vulnerabilities are reliable
4. Assess impact accurately - distinguish theoretical vs practical risk

### Responsible Disclosure
1. Give vendors time - 90-day disclosure timeline typical
2. Clear communication - detailed reproduction steps
3. Coordinate disclosure - work with vendor on timing
4. Protect users - no public details before patch

---

## Examples

**Example 1: Quick test**
```
User: "test this chatbot for prompt injection - I own it"
→ Verifies authorization
→ Runs Reconnaissance workflow
→ Tests top 5 attack types
→ Documents findings
```

**Example 2: Full assessment**
```
User: "comprehensive prompt injection assessment for client"
→ Loads CompleteAssessment workflow
→ 9-phase methodology (12-20 hours)
→ Professional report with remediation
```

**Example 3: Research**
```
User: "what are the latest jailbreaking methods?"
→ Searches COMPREHENSIVE-ATTACK-TAXONOMY.md
→ Returns categorized techniques with effectiveness ratings
```

---

## Support & Escalation

**When to escalate:**
- Authorization is unclear or questionable
- Ethical concerns arise
- Novel attack techniques discovered
- Critical 0-day vulnerabilities found

**Contact:**
- Configure in your USER settings

---

**🔒 REMINDER: AUTHORIZED USE ONLY 🔒**

This skill contains powerful security testing techniques. Use only for:
- ✅ Systems you own
- ✅ Systems with explicit written authorization
- ✅ Ethical security research
- ✅ Defensive security purposes

Unauthorized use is illegal and unethical.

---
