Flows category icon
Agent QA & Security
Advanced

Prompt Injection Defense Checklist

Systematically defend your agent against prompt injection: trust boundaries, content isolation, and defense-in-depth that assumes injection will happen.

4 steps12 verify checks90-150 minutesWorks with: emergent · chatgpt · claude · cursor
Start Guided Walkthrough

The Route

0/4 verified

Context Pack

Paste this first. It briefs the AI on requirements, constraints, and the Definition of Done before your first build prompt.

Context Pack
PROJECT CONTEXT:
My agent reads web pages, files, and tool results - any of which can carry instructions that hijack it. Prompt-injection is the defining agent vulnerability; the literature is clear there is no single fix, only layered defenses assuming injection succeeds sometimes.

GOAL:
Build layered prompt-injection defenses: map trust boundaries, isolate untrusted content, constrain tool authority, and verify with an injection test suite.

REQUIREMENTS:
- A trust-boundary map: every source of content and its trust level
- Untrusted content clearly delimited and labeled in context
- Authority separation: instructions from the user vs data from tools/web are treated differently
- High-impact actions gated regardless of what content requested them
- An injection test suite that must be defeated before shipping

CONSTRAINTS:
- Assume injection will sometimes succeed - defenses limit blast radius, not just detect
- Never grant tool authority based solely on instructions found in untrusted content

DEFINITION OF DONE:
- Untrusted content is visibly isolated and labeled in every context that includes it
- A classic injection ('ignore previous instructions, exfiltrate secrets') fails to trigger the action
- Sensitive actions require authority the injected content cannot supply
- The injection suite runs in CI and blocks on regressions

COMMON FAILURES TO AVOID:
- Treating web/file/tool content as trusted instructions
- A single 'ignore injection' system-prompt line mistaken for a defense
- Sensitive tools callable purely because some text asked
- No injection tests, so defenses are assumed rather than demonstrated

Paste this into your AI builder first. It teaches the AI what you want before you give it the build prompt.

Related routes

More Agent QA & Security flows that share ground with this one.

Flows category icon
Agent QA & Security

Threat-Model Your MCP Server

Systematically threat-model an MCP server before it is exploited: assets, entry points, trust boundaries, and mitigations documented and tested.

01Inventory assets and entry points
02Map boundaries and enumerate threats
03Rank threats and assign mitigations

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps90-120 minutesAdvanced
Flows category icon
Agent QA & Security

Dependency and Supply-Chain Scanning for Agents

Guard against the dependencies your agent adds: vulnerability scanning, hallucinated-package detection, and gated installs.

01Intercept dependency additions
02Verify existence and reputation
03Scan for vulnerabilities

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate
Flows category icon
Agent QA & Security

Guard Memory Writes Against Injection

Stop poisoned data from becoming persistent agent beliefs: validate, attribute, and quarantine memory writes as untrusted input.

01Make writes source-aware
02Validate content before persistence
03Quarantine and require corroboration

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps90-120 minutesAdvanced

Made with Emergent