Skill

rag-security

Flags prompt injection, SSRF, and context flooding in RAG pipelines ingesting docs or fetching URLs for LLM prompts. Recommends domain allowlists, truncation, delimiters, logging.

Python

security

ai-ml

npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Prevents prompt injection through retrieved documents and uncontrolled content flooding

SKILL.md

Similar Skills

prompt-injection

Detects prompt injection vulnerabilities in LLM code constructing prompts from user input, system prompts, RAG pipelines, or external data. Suggests fixes with trust tiers, delimiters, input screening, and output validation.

soundcheck

Prompt Injection Defense

Provides defense techniques against prompt injection attacks including direct, indirect injections, and jailbreaks, grounded in reference patterns, sharp edges, and validations. Use when LLM security terms mentioned.

3 files

omer-metin-skills-for-antigravity-2

langchain-security-basics

1.9k

Applies LangChain security best practices: secrets management, prompt injection defense, safe tool execution, and LLM output validation for production apps.

3 tools

langchain-pack

Stats

Stars13

Forks0

Last CommitApr 18, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

RAG Pipeline Security (OWASP LLM01:2025)

What this checks

Prevents prompt injection through retrieved documents and uncontrolled content flooding into LLM context. Attacker-controlled documents can override system instructions, exfiltrate data, or manipulate model behavior when injected without guardrails.

Vulnerable patterns

prompt = system_prompt + retrieved_doc — retrieved content can override instructions
requests.get(user_url).text — arbitrary URL fetch with no domain allowlist (SSRF)
No length cap on retrieved content — token budget exhaustion or context flooding
Retrieved content mixed directly into the system prompt with no delimiter or label

Fix immediately

Flag the vulnerable code and explain the risk. Then suggest a fix that establishes these properties:

Retrieval sources are validated against a domain allowlist before fetch. Arbitrary URLs from user input or from another document's links lead to SSRF and to attacker-controlled documents landing in the context; the allowlist is the same property enforced by the ssrf skill for outbound HTTP.
Retrieved content is truncated to a fixed character or token cap before injection into the prompt. Unbounded retrieval lets a single document eat the context window — either denial of service or a vehicle for flooding instructions.
Retrieved content is wrapped in explicit delimiters that label it as untrusted data, and lives in the user role — never concatenated into the system prompt. The model is more likely to treat it as data rather than instructions when the framing is structural. See the prompt-injection skill for the trust-tier pattern.
Every retrieval is logged with source URL and content length — useful for incident response and for detecting poisoning attempts (sudden spikes in retrieved size or novel sources).

Anchor — shape, not implementation:

require(host_of(url) in ALLOWED_DOMAINS)
doc = fetch(url, timeout=5)[:MAX_CHARS]
log_retrieval(url, len(doc))
prompt = {
  system: DEV_INSTRUCTIONS,
  user:   f"<context untrusted>{doc}</context>\n<question>{query}</question>",
}

Verification

Confirm the response:

Retrieved URLs validated against an explicit domain allowlist
Content truncated to a fixed character or token limit before injection
Retrieved content wrapped in clear delimiters that mark it as untrusted
Every retrieval logged with source URL and content length

References

CWE-77 (Improper Neutralization of Special Elements in Commands)
CWE-20 (Improper Input Validation)
CWE-284 (Improper Access Control)
OWASP LLM01:2025 Prompt Injection