Add ML-based prompt injection detection #5623
Merged
+784
−372
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR standardizes security configuration keys from snake_case to UPPER_CASE convention and introduces ML-based prompt injection detection using BERT models through a new Gondola provider. The changes enable more accurate security threat detection while maintaining backward compatibility through pattern-based scanning as a fallback.
Key changes:
- Configuration key standardization:
security_prompt_*→SECURITY_PROMPT_* - New ML detection infrastructure with Gondola provider for BERT-based model inference
- Enhanced scanner to combine pattern-based and ML-based detection results
Reviewed Changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| ui/desktop/src/utils/configUtils.ts | Updated config labels to use new UPPER_CASE keys and added ML detection settings |
| ui/desktop/src/components/settings/security/SecurityToggle.tsx | Added ML detection toggle UI with model selection dropdown |
| documentation/docs/guides/security/prompt-injection-detection.md | Updated config examples to use new UPPER_CASE keys |
| documentation/docs/guides/config-files.md | Updated configuration reference table with new ML detection settings and standardized keys |
| crates/goose/src/security/scanner.rs | Refactored to support optional ML detection, enhanced conversation context scanning, and simplified tool content extraction |
| crates/goose/src/security/prompt_ml_detector.rs | New ML detector implementation with model registry and Gondola provider integration |
| crates/goose/src/security/mod.rs | Updated to initialize scanner with ML detection when enabled and handle fallback scenarios |
| crates/goose/src/providers/mod.rs | Added gondola module to provider list |
| crates/goose/src/providers/gondola.rs | New Gondola provider implementation for batch inference with BERT models |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
|
dorien-koelemeijer
force-pushed
the
feat/ml-based-prompt-injection-detection
branch
from
1f5fd06 to
9fe268c
Compare
dorien-koelemeijer
force-pushed
the
feat/ml-based-prompt-injection-detection
branch
from
459eb56 to
a0d6d5c
Compare
dorien-koelemeijer
changed the title
dorien-koelemeijer
force-pushed
the
feat/ml-based-prompt-injection-detection
branch
from
eff6fbe to
ba5feee
Compare
dorien-koelemeijer
force-pushed
the
feat/ml-based-prompt-injection-detection
branch
from
ef65a16 to
fce20ae
Compare
DOsinga
approved these changes
Dec 16, 2025
|
|
||
| ## Overview | ||
|
|
||
| Goose requires a classification endpoint that can analyze text and return a score indicating the likelihood of prompt injection. This API follows the **HuggingFace Inference API format** for text classification, making it compatible with HuggingFace Inference Endpoints to allow for easy usage in OSS goose. |
Collaborator
There was a problem hiding this comment.
yeah, I understand, but we should write the documentation for the OSS people. I would just drop anything after ", making"
Comment on lines
53
to
56
| :::info Automatic Multi-Model Configuration | ||
| The experimental [AutoPilot](/docs/guides/multi-model/autopilot) feature provides intelligent, context-aware model switching. Configure models for different roles using the `x-advanced-models` setting. | ||
| ::: | ||
|
|
There was a problem hiding this comment.
The info box about AutoPilot configuration appears to be incorrectly placed here, as it's unrelated to the security configuration settings being documented. This content should either be moved to the appropriate section about multi-model configuration or removed from this location.
Suggested change
| :::info Automatic Multi-Model Configuration | |
| The experimental [AutoPilot](/docs/guides/multi-model/autopilot) feature provides intelligent, context-aware model switching. Configure models for different roles using the `x-advanced-models` setting. | |
| ::: |
Comment on lines
+157
to
+163
| let max_confidence = stream::iter(user_messages) | ||
| .map(|msg| async move { self.scan_with_classifier(&msg).await }) | ||
| .buffer_unordered(ML_SCAN_CONCURRENCY) | ||
| .fold(0.0_f32, |acc, result| async move { | ||
| result.unwrap_or(0.0).max(acc) | ||
| }) | ||
| .await; |
There was a problem hiding this comment.
The concurrent message scanning could create a performance bottleneck when processing 10 user messages with concurrent HTTP requests. The ML_SCAN_CONCURRENCY of 3 means up to 3 simultaneous HTTP requests, but if each request takes 5 seconds (the default timeout), this could add up to 17 seconds in the worst case for tool execution. Consider adding a circuit breaker or reducing the timeout for conversation scans specifically, or making the scan asynchronous to avoid blocking tool execution.
…that is evaluated for potential prompt injection
| | `otel_exporter_otlp_timeout` | Export timeout in milliseconds for [observability](/docs/guides/environment-variables#opentelemetry-protocol-otlp) | Integer (ms) | 10000 | No | | ||
| | `SECURITY_PROMPT_ENABLED` | Enable [prompt injection detection](/docs/guides/security/prompt-injection-detection) to identify potentially harmful commands | true/false | false | No | | ||
| | `SECURITY_PROMPT_THRESHOLD` | Sensitivity threshold for [prompt injection detection](/docs/guides/security/prompt-injection-detection) (higher = stricter) | Float between 0.01 and 1.0 | 0.7 | No | | ||
| | `SECURITY_PROMPT_ENABLED` | Enable prompt injection detection to identify potentially harmful commands | true/false | false | No | |
Contributor
There was a problem hiding this comment.
@dorien-koelemeijer Can you please revert the changes to this existing topic for now? Otherwise the docs will go out before this feature is available in a release.
We'll add them back in after the feature is released (except the note below because autopilot has been removed)
Collaborator
Author
There was a problem hiding this comment.
Thanks for the comments! Do you mean it's best to revert all changes to this file for now?
| @@ -0,0 +1,89 @@ | |||
| # Classification API Specification | |||
Contributor
There was a problem hiding this comment.
Suggested change
| # Classification API Specification | |
| --- | |
| title: Classification API Specification | |
| unlisted: true | |
| --- |
| unlisted: true | ||
| --- | ||
|
|
||
| This document defines the API that Goose uses for ML-based prompt injection detection. |
There was a problem hiding this comment.
The reference to "Goose" should be lowercase "goose" according to the project naming convention documented in HOWTOAI.md.
Comment on lines
+71
to
+72
| **Goose's Usage:** | ||
| - Goose looks for the label with the highest score |
There was a problem hiding this comment.
The reference to "Goose" should be lowercase "goose" according to the project naming convention documented in HOWTOAI.md.
| **Goose's Usage:** | ||
| - Goose looks for the label with the highest score | ||
| - If the top label is "INJECTION" (or "LABEL_1"), the score is used as the injection confidence | ||
| - If the top label is "SAFE" (or "LABEL_0"), Goose uses `1.0 - score` as the injection confidence |
There was a problem hiding this comment.
The reference to "Goose" should be lowercase "goose" according to the project naming convention documented in HOWTOAI.md.
dorien-koelemeijer
deleted the
feat/ml-based-prompt-injection-detection
branch
zanesq
added a commit
that referenced
this pull request
Jan 8, 2026
* 'main' of github.com:block/goose: Fixed fonts (#6389) Update confidence levels prompt injection detection to reduce false positive rates (#6390) Add ML-based prompt injection detection (#5623) docs: update custom extensions tutorial (#6388) fix ResultsFormat error when loading old sessions (#6385) docs: add MCP Apps tutorial and documentation updates (#6384) changed z-index to make sure the search highlighter does not appear on modal overlay (#6386) Handling special claude model response in github copilot provider (#6369) fix: prevent duplicate rendering when tool returns both mcp-ui and mcp-apps resources (#6378) fix: update MCP Apps _meta.ui.resourceUri to use nested format (SEP-1865) (#6372) feat(providers): add streaming support for Google Gemini provider (#6191) Blog: edit links in mcp apps post (#6371) fix: prevent infinite loop of tool-input notifications in MCP Apps (#6374)
michaelneale
added a commit
that referenced
this pull request
Jan 8, 2026
* main: (31 commits) added validation and debug for invalid call tool result (#6368) Update MCP apps tutorial: fix _meta structure and version prereq (#6404) Fixed fonts (#6389) Update confidence levels prompt injection detection to reduce false positive rates (#6390) Add ML-based prompt injection detection (#5623) docs: update custom extensions tutorial (#6388) fix ResultsFormat error when loading old sessions (#6385) docs: add MCP Apps tutorial and documentation updates (#6384) changed z-index to make sure the search highlighter does not appear on modal overlay (#6386) Handling special claude model response in github copilot provider (#6369) fix: prevent duplicate rendering when tool returns both mcp-ui and mcp-apps resources (#6378) fix: update MCP Apps _meta.ui.resourceUri to use nested format (SEP-1865) (#6372) feat(providers): add streaming support for Google Gemini provider (#6191) Blog: edit links in mcp apps post (#6371) fix: prevent infinite loop of tool-input notifications in MCP Apps (#6374) fix: Show platform-specific keyboard shortcuts in UI (#6323) fix: we load extensions when agent starts so don't do it up front (#6350) docs: credit HumanLayer in RPI tutorial (#6365) Blog: Goose Lands MCP Apps (#6172) Claude 3.7 is out. we had some harcoded stuff (#6197) ...
wpfleger96
added a commit
that referenced
this pull request
Jan 9, 2026
* main: (89 commits) fix(google): treat signed text as regular content in streaming (#6400) Add frameDomains and baseUriDomains CSP support for MCP Apps (#6399) fix(ci): add missing dependencies to openapi-schema-check job (#6367) feat: http proxy support Add support for changing working dir and extensions in same window/session (#6057) Sort keys in canonical models (#6403) added validation and debug for invalid call tool result (#6368) Update MCP apps tutorial: fix _meta structure and version prereq (#6404) Fixed fonts (#6389) Update confidence levels prompt injection detection to reduce false positive rates (#6390) Add ML-based prompt injection detection (#5623) docs: update custom extensions tutorial (#6388) fix ResultsFormat error when loading old sessions (#6385) docs: add MCP Apps tutorial and documentation updates (#6384) changed z-index to make sure the search highlighter does not appear on modal overlay (#6386) Handling special claude model response in github copilot provider (#6369) fix: prevent duplicate rendering when tool returns both mcp-ui and mcp-apps resources (#6378) fix: update MCP Apps _meta.ui.resourceUri to use nested format (SEP-1865) (#6372) feat(providers): add streaming support for Google Gemini provider (#6191) Blog: edit links in mcp apps post (#6371) ...
wpfleger96
added a commit
that referenced
this pull request
Jan 9, 2026
* main: (89 commits) fix(google): treat signed text as regular content in streaming (#6400) Add frameDomains and baseUriDomains CSP support for MCP Apps (#6399) fix(ci): add missing dependencies to openapi-schema-check job (#6367) feat: http proxy support Add support for changing working dir and extensions in same window/session (#6057) Sort keys in canonical models (#6403) added validation and debug for invalid call tool result (#6368) Update MCP apps tutorial: fix _meta structure and version prereq (#6404) Fixed fonts (#6389) Update confidence levels prompt injection detection to reduce false positive rates (#6390) Add ML-based prompt injection detection (#5623) docs: update custom extensions tutorial (#6388) fix ResultsFormat error when loading old sessions (#6385) docs: add MCP Apps tutorial and documentation updates (#6384) changed z-index to make sure the search highlighter does not appear on modal overlay (#6386) Handling special claude model response in github copilot provider (#6369) fix: prevent duplicate rendering when tool returns both mcp-ui and mcp-apps resources (#6378) fix: update MCP Apps _meta.ui.resourceUri to use nested format (SEP-1865) (#6372) feat(providers): add streaming support for Google Gemini provider (#6191) Blog: edit links in mcp apps post (#6371) ...
fbalicchia
pushed a commit
to fbalicchia/goose
that referenced
this pull request
Jan 13, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds BERT model prompt injection evaluation alongside the existing pattern-based approach.
Context
https://docs.google.com/document/d/1GNvriNWLAaJUMpWE1heBapxFshQEED5ZYfn1ixJvGCE/edit?tab=t.0#heading=h.rj4p6llxqvrq
Key Changes
BERTin the name of the variables so we can create a follow-up PR to also allow LLM-as-a-judge type prompt injection detection by re-using people's providers, and hopefully prevent confusing names of variables.Planned follow-up PRs / Related PRs
Type of Change
Screenshots of changes
Internal:
External:
