Skill

token-smuggling

Detects token smuggling and Unicode injection in code passing user input to LLMs. Recommends NFKC normalization, stripping bidirectional overrides, zero-width characters, and homoglyph handling for secure prompts.

Python

security

ai-ml

npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Detects user input passed to LLMs without Unicode normalization. Attackers embed RTL

SKILL.md

Similar Skills

prompt-injection

Detects prompt injection vulnerabilities in LLM code constructing prompts from user input, system prompts, RAG pipelines, or external data. Suggests fixes with trust tiers, delimiters, input screening, and output validation.

soundcheck

detecting-ai-model-prompt-injection-attacks

5.9k

Detects prompt injection attacks in LLM inputs using regex patterns, heuristic scoring, and DeBERTa classification. Scans for direct/indirect injections before model forwarding.

3 files

cybersecurity-skills

detecting-ai-model-prompt-injection-attacks

Detects prompt injection attacks in LLM inputs using regex patterns, heuristic scoring, and DeBERTa classification. Scans user inputs for chatbots, RAG pipelines, and AI security before reaching the model.

asi

Stats

Stars13

Forks0

Last CommitApr 18, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Token Smuggling / Unicode Injection (LLM01:2025)

What this checks

Detects user input passed to LLMs without Unicode normalization. Attackers embed RTL override characters, zero-width joiners, or homoglyphs to manipulate prompt structure, bypass keyword filters, or make malicious instructions appear legitimate.

Vulnerable patterns

f"Summarize this review: {user_review}" — review may contain \u202e (RTL override) that reorders displayed instruction text
Homoglyph bypass: "раypal.com" (Cyrillic 'р') passes a blocklist that checks for "paypal.com"
Zero-width characters (\u200b, \u200c) hidden in user input that split tokens and evade content filters

Fix immediately

Flag the vulnerable code and explain the risk. Then suggest a fix that establishes these properties:

User input is NFKC-normalized before it reaches any prompt or blocklist comparison. NFKC collapses compatibility forms and canonical equivalents, so Cyrillic homoglyphs, fullwidth digits, and ligatures fold to their ASCII counterparts. Normalization runs once, at the trust boundary — not scattered per call site.
Unicode control and invisible formatting characters are stripped after normalization. Bidirectional overrides (\u202a–\u202e), zero-width space/joiner (\u200b–\u200d), word joiner (\u2060), and BOM (\ufeff) don't survive into the prompt. These are the tokens attackers use to hide instructions or split keywords.
Security-sensitive comparisons (blocklists, keyword filters, domain allowlists) run on normalized input, not on the raw bytes. A filter that checks for "paypal.com" but the comparison runs on pre-normalized text lets раypal.com pass.
The same helper runs on every ingress path — direct user input, retrieved RAG content, tool outputs. Attackers move the payload wherever the sanitizer doesn't run.

Anchor — shape, not implementation:

def sanitize(text):
    text = unicode_normalize(text, "NFKC")              # fold homoglyphs
    text = strip(text, BIDI_AND_INVISIBLE_RANGES)        # drop zero-width, RTL
    return text

safe = sanitize(user_input)                              # before prompt / filter

Verification

User input is normalized with NFKC before inclusion in any LLM prompt
Unicode control and invisible formatting characters are stripped before prompt construction
Security-sensitive string comparisons (blocklists, keyword filters) run on normalized input

References

CWE-116 (Improper Encoding or Escaping of Output)
CWE-20 (Improper Input Validation)
OWASP LLM01:2025 Prompt Injection