Update confidence levels prompt injection detection to reduce false positive rates #6390
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
There was a problem hiding this comment.
Pull request overview
This PR reduces false positive rates in the prompt injection detection system by adjusting confidence scores and risk level classifications. The changes lower confidence thresholds across High, Medium, and Low risk levels by 10 percentage points each, and downgrade three remote code execution patterns from Critical to High risk level.
Key changes:
- Reduced confidence scores for High (0.85→0.75), Medium (0.70→0.60), and Low (0.55→0.45) risk levels
- Downgraded bash_process_substitution, python_remote_exec, and powershell_download_exec from Critical to High
- Maintained Critical status for truly destructive operations like filesystem destruction and privilege escalation
michaelneale
approved these changes
Jan 8, 2026
Signed-off-by: Dorien Koelemeijer <[email protected]>
dorien-koelemeijer
force-pushed
the
fix/update-confidence-levels-prompt-injection
branch
from
1d4100e to
2c0d390
Compare
shellz-n-stuff
approved these changes
Jan 8, 2026
| RiskLevel::High => 0.85, | ||
| RiskLevel::Medium => 0.70, | ||
| RiskLevel::Low => 0.55, | ||
| RiskLevel::High => 0.75, |
There was a problem hiding this comment.
The new threshold of 0.8 is higher than the High risk level confidence score of 0.75. This means High-level threats (including rm -rf /, PowerShell remote execution, data exfiltration, and many other dangerous patterns) will NOT trigger the security prompt by default. Only Critical-level threats with 0.95 confidence will be detected. This significantly weakens security protection and contradicts the goal of reducing false positives while maintaining threat detection.
Suggested change
| RiskLevel::High => 0.75, | |
| RiskLevel::High => 0.85, |
dorien-koelemeijer
deleted the
fix/update-confidence-levels-prompt-injection
branch
zanesq
added a commit
that referenced
this pull request
Jan 8, 2026
* 'main' of github.com:block/goose: Fixed fonts (#6389) Update confidence levels prompt injection detection to reduce false positive rates (#6390) Add ML-based prompt injection detection (#5623) docs: update custom extensions tutorial (#6388) fix ResultsFormat error when loading old sessions (#6385) docs: add MCP Apps tutorial and documentation updates (#6384) changed z-index to make sure the search highlighter does not appear on modal overlay (#6386) Handling special claude model response in github copilot provider (#6369) fix: prevent duplicate rendering when tool returns both mcp-ui and mcp-apps resources (#6378) fix: update MCP Apps _meta.ui.resourceUri to use nested format (SEP-1865) (#6372) feat(providers): add streaming support for Google Gemini provider (#6191) Blog: edit links in mcp apps post (#6371) fix: prevent infinite loop of tool-input notifications in MCP Apps (#6374)
michaelneale
added a commit
that referenced
this pull request
Jan 8, 2026
* main: (31 commits) added validation and debug for invalid call tool result (#6368) Update MCP apps tutorial: fix _meta structure and version prereq (#6404) Fixed fonts (#6389) Update confidence levels prompt injection detection to reduce false positive rates (#6390) Add ML-based prompt injection detection (#5623) docs: update custom extensions tutorial (#6388) fix ResultsFormat error when loading old sessions (#6385) docs: add MCP Apps tutorial and documentation updates (#6384) changed z-index to make sure the search highlighter does not appear on modal overlay (#6386) Handling special claude model response in github copilot provider (#6369) fix: prevent duplicate rendering when tool returns both mcp-ui and mcp-apps resources (#6378) fix: update MCP Apps _meta.ui.resourceUri to use nested format (SEP-1865) (#6372) feat(providers): add streaming support for Google Gemini provider (#6191) Blog: edit links in mcp apps post (#6371) fix: prevent infinite loop of tool-input notifications in MCP Apps (#6374) fix: Show platform-specific keyboard shortcuts in UI (#6323) fix: we load extensions when agent starts so don't do it up front (#6350) docs: credit HumanLayer in RPI tutorial (#6365) Blog: Goose Lands MCP Apps (#6172) Claude 3.7 is out. we had some harcoded stuff (#6197) ...
wpfleger96
added a commit
that referenced
this pull request
Jan 9, 2026
* main: (89 commits) fix(google): treat signed text as regular content in streaming (#6400) Add frameDomains and baseUriDomains CSP support for MCP Apps (#6399) fix(ci): add missing dependencies to openapi-schema-check job (#6367) feat: http proxy support Add support for changing working dir and extensions in same window/session (#6057) Sort keys in canonical models (#6403) added validation and debug for invalid call tool result (#6368) Update MCP apps tutorial: fix _meta structure and version prereq (#6404) Fixed fonts (#6389) Update confidence levels prompt injection detection to reduce false positive rates (#6390) Add ML-based prompt injection detection (#5623) docs: update custom extensions tutorial (#6388) fix ResultsFormat error when loading old sessions (#6385) docs: add MCP Apps tutorial and documentation updates (#6384) changed z-index to make sure the search highlighter does not appear on modal overlay (#6386) Handling special claude model response in github copilot provider (#6369) fix: prevent duplicate rendering when tool returns both mcp-ui and mcp-apps resources (#6378) fix: update MCP Apps _meta.ui.resourceUri to use nested format (SEP-1865) (#6372) feat(providers): add streaming support for Google Gemini provider (#6191) Blog: edit links in mcp apps post (#6371) ...
wpfleger96
added a commit
that referenced
this pull request
Jan 9, 2026
* main: (89 commits) fix(google): treat signed text as regular content in streaming (#6400) Add frameDomains and baseUriDomains CSP support for MCP Apps (#6399) fix(ci): add missing dependencies to openapi-schema-check job (#6367) feat: http proxy support Add support for changing working dir and extensions in same window/session (#6057) Sort keys in canonical models (#6403) added validation and debug for invalid call tool result (#6368) Update MCP apps tutorial: fix _meta structure and version prereq (#6404) Fixed fonts (#6389) Update confidence levels prompt injection detection to reduce false positive rates (#6390) Add ML-based prompt injection detection (#5623) docs: update custom extensions tutorial (#6388) fix ResultsFormat error when loading old sessions (#6385) docs: add MCP Apps tutorial and documentation updates (#6384) changed z-index to make sure the search highlighter does not appear on modal overlay (#6386) Handling special claude model response in github copilot provider (#6369) fix: prevent duplicate rendering when tool returns both mcp-ui and mcp-apps resources (#6378) fix: update MCP Apps _meta.ui.resourceUri to use nested format (SEP-1865) (#6372) feat(providers): add streaming support for Google Gemini provider (#6191) Blog: edit links in mcp apps post (#6371) ...
fbalicchia
pushed a commit
to fbalicchia/goose
that referenced
this pull request
Jan 13, 2026
…ositive rates (block#6390) Signed-off-by: Dorien Koelemeijer <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
There's been some complaints about high false positive rates for the prompt injection detection feature. This PR adjusts the confidence levels of various detections to reduce this. Another update that will be made is to set the default to 0.8 for the time being until we've adjusted things properly.
Type of Change
AI Assistance
Testing
Local testing using
just run-ui