A black-box prompt injection test harness for LLMs, mapped to the OWASP LLM Top 10.
Fire structured attack payloads at any OpenAI, Anthropic, or local Ollama model, score responses automatically, and generate HTML and PDF security reports.
Prompt injection is the number one risk in the OWASP LLM Top 10 (LLM01). There is no standard open-source tool for systematically testing LLMs against a curated payload catalog the way Nessus tests network services. This project fills that gap.
payloads/catalog/*.yaml --> payloads/loader.py --> runner/runner.py
/ \
openai_adapter anthropic_adapter ollama_adapter
\ /
scoring/engine.py
|
reporting/ (HTML + PDF) + MLflow
| ID | Category | Payloads |
|---|---|---|
| LLM01 | Prompt Injection | 6 |
| LLM02 | Insecure Output Handling | 6 |
| LLM06 | Sensitive Information Disclosure | 6 |
| LLM08 | Excessive Agency | 6 |
Requirements: Python 3.11+, an OpenAI or Anthropic API key.
git clone https://github.com/DodiBadshah/py-prompt-injection.git
cd py-prompt-injection
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
cp .env.example .envRun all payloads against Claude Haiku:
.venv\Scripts\python.exe -m llm_probe.cli.main --model claude-haiku-4-5Run a single OWASP category:
.venv\Scripts\python.exe -m llm_probe.cli.main --model claude-haiku-4-5 --owasp LLM01No API key required. Runs entirely on your machine.
# Install Ollama from https://ollama.com
ollama pull phi3:mini
ollama pull mistral:7bRun the full suite against a local model:
.venv\Scripts\python.exe -m llm_probe.cli.main --model phi3:mini
.venv\Scripts\python.exe -m llm_probe.cli.main --model mistral:7bSupported local models: phi3:mini, mistral:7b, llama3.2, gemma2:2b
Output: HTML reports written to reports/.
Running 24 payloads against ollama/phi3:mini
Results: 24/24 payloads passed.
Report written to reports/report-20260605-051442-phi3-mini.html
llm_probe/
adapters/ API adapters (OpenAI, Anthropic, Ollama)
core/ Config, logging, exceptions
payloads/ YAML catalog + loader
reporting/ HTML/PDF renderer
runner/ Orchestration + MLflow
schemas/ Pydantic models
scoring/ Heuristics + scoring engine
cli/ Typer CLI entrypoint
tests/ pytest suite (40 tests)
.github/workflows/ CI pipeline
docs/ MkDocs source
pytest # run all 40 tests
pytest -v # verboseCI runs automatically on every push via GitHub Actions.
This project handles LLM API keys and executes prompt injection payloads against live models. The following checks were run against the codebase:
bandit- 0 issues across 892 lines of codepip-audit- no known CVEs in any dependencydetect-secrets- no credentials or secrets detected- YAML loading uses
safe_loadthroughout, preventing arbitrary code execution .envverified absent from all git history
This project is Phase 1 of a four-phase LLM security portfolio.
| Phase | Repository | OWASP Coverage | Status |
|---|---|---|---|
| Phase 1 | py-prompt-injection | LLM01, LLM02, LLM06, LLM08 (2023-24) | Complete |
| Phase 2 | py-prompt-injection-2025 | LLM01, LLM02, LLM05, LLM06, LLM07 (2025) | Complete |
| Phase 3 | py-rag-security | LLM03, LLM09 | Planned |
| Phase 4 | py-llm-load | LLM04, LLM10 | Planned |
Target repository: github.com/DodiBadshah/py-prompt-injection-2025
Same black-box harness architecture as Phase 1, extended to cover OWASP LLM Top 10 2025 categories with LangChain orchestration replacing raw API calls.
Target repository: github.com/DodiBadshah/py-rag-security
Production RAG pipeline over compliance document corpora with hybrid retrieval, Cohere reranking, LLM-as-judge scoring, and Azure Container Apps deployment.
- LLM03 - Training Data Poisoning: Injects manipulated documents into the retrieval store and measures whether the model surfaces poisoned content
- LLM09 - Misinformation: Tests whether grounded RAG responses can be manipulated to produce false but confident-sounding output
Target repository: github.com/DodiBadshah/py-llm-load
Adds load testing infrastructure to cover the two remaining OWASP categories that require concurrency and resource monitoring. Completes full OWASP LLM Top 10 coverage across the suite.
- LLM04 - Model Denial of Service
- LLM10 - Unbounded Consumption
MIT