Playground · Prompt Injection
Prompt Injection & Guardrails
Language models see everything — the system instructions, any retrieved content, and your question — stacked into one context window. Prompt injection is when untrusted content tries to smuggle in commands. Explore how the pieces combine and how a simple guardrail can help.
Build the context
1. System prompt (fixed — trusted)
Assembled context
This is what the model actually receives — three parts colour-coded and concatenated into one prompt.
Press “Assemble & check” to build the context.
Guardrail check
An illustrative input filter scans the untrusted content for suspicious instruction-like patterns before the model acts on it.
No check run yet.
What is prompt injection?
Untrusted text (a web page, email, document or user input) contains hidden instructions that try to override the system prompt — making the model ignore its rules or leak information.
Why it matters
Agents with tools and data access can be steered into harmful actions — sending data, calling APIs or deleting records — if they treat retrieved content as commands rather than as data.
Real defences are layered
No single filter is enough. Effective protection combines input/output filtering, privilege separation, least-privilege tool access, and human review for sensitive actions.
The core principle
Treat retrieved and user-supplied content as data, never as commands. The system prompt defines behaviour; everything else is material to reason about, not instructions to obey. For more foundations, see the Learn section.
Illustrative only. The example strings and the regex-based guardrail here are simplified for teaching. Real-world prompt injection is far more varied (obfuscation, encoding, multi-step, image/document payloads) and cannot be caught by a short pattern list. Production systems layer multiple defences and never rely on regex alone.