Skip to content
Flows
Prompt Injection Defense Checklist
Agent QA & Security90-150 minutes
0/4 steps0%

Step 1 of 4

Map trust boundaries

You cannot isolate untrusted content you have not identified.

Prompt capsule

Map every content source entering the agent's context and assign trust. TRUSTED: the system prompt, harness-generated content. SEMI-TRUSTED: the direct user's messages (the user is authorized but can be socially engineered or malicious). UNTRUSTED: everything the agent reads or fetches - file contents, web pages, tool results, sub-agent outputs, API responses, and crucially any of these that originated from third parties. For each source, note what actions its content could try to trigger and the worst-case if it succeeds. Produce the trust-boundary map and rank sources by injection risk (reach x impact). Highlight the dangerous combination: untrusted content plus authority to call high-impact tools.

Paste into Claude · Complete implementation prompt with explicit requirements

Expected after this step

A trust-boundary map ranking every source by injection risk.

Should not happen

  • Treating web/file/tool content as trusted instructions
  • A single 'ignore injection' system-prompt line mistaken for a defense
  • Sensitive tools callable purely because some text asked
  • No injection tests, so defenses are assumed rather than demonstrated

Verify before continuing

Do not move on until every check is true. The complete button stays locked until then.

Do not continue if…

  • !Treating web/file/tool content as trusted instructions
  • !A single 'ignore injection' system-prompt line mistaken for a defense
  • !Sensitive tools callable purely because some text asked
  • !No injection tests, so defenses are assumed rather than demonstrated

If the AI messes this up

Use this when the AI fakes progress or breaks the feature. It forces a real fix.

Everything got marked trusted. Re-apply the test: if the content's author is not you or the harness, it is untrusted - a file the user wrote last week can still contain a payload the user forgot about.

Your notes for this step