Prompt Injection Scanner

AI crawlers like GPTBot, ClaudeBot, and PerplexityBot read your page differently than a human. They also see what users do not: HTML comments, CSS-hidden text blocks, aria-hidden elements, and invisible unicode characters. This opens a new attack surface: prompt injections designed to manipulate how language models summarize and quote your content – in your name and without your knowledge.

This scanner checks a public URL for known patterns: classic injection phrases (“ignore previous instructions”), instruction-tuning tokens ([INST], <|im_start|>, ### Instruction:), hidden DOM elements with substantial text, and steganographically embedded zero-width unicode characters. Use it as a self-audit after a suspected compromise, or as a routine check if your site exposes comment, guest-post, or external-feed content.

How the Prompt Injection Scanner Works

1. Enter a URL: Provide the public URL you want to check – typically a page that displays user-generated content, comments, guest posts, or imported external feeds.
2. Scan the page: The tool fetches the page server-side (with caching, 2 MB size cap, and a custom User-Agent) and analyzes the source.
3. Review findings: Each hit is shown as a card with severity (High / Medium / Low), category, explanation, and a context snippet.
4. Act: For high-severity findings, inspect the relevant section of the source directly. Common causes: comment spam, compromised plugins, or tampered user-generated content.

Which patterns does it check?

• Prompt phrases: “ignore previous instructions”, “disregard prior”, “forget everything above”, “you are now in developer mode”, “do anything now”, “system prompt:”, “reveal your instructions”, and common variants.
• Instruction tokens: [INST], <<SYS>>, <|im_start|>, <|im_end|>, ### Instruction:, ### System: – formats found in LLM training data that can trigger control-like behavior in some models.
• CSS-hidden elements: display:none, visibility:hidden, opacity:0, font-size:0, text-indent:-9999px, left:-9999px, white text – each with substantial text content. Invisible to humans, still parsed by crawlers.
• aria-hidden and hidden attribute: Blocks marked as hidden from assistive technology but still present in the DOM.
• HTML comments with prompt phrases: <!-- ignore previous instructions ... -->. Invisible to visitors, but many AI crawlers still see them in the source.
• Zero-width unicode: U+200B, U+200C, U+200D, U+FEFF, U+2060, U+00AD, U+180E. Clusters of 8 or more indicate steganographic injection – invisible characters that smuggle instructions between normal text.

Changelog

• First version of the Prompt Injection Scanner released
• Five rule categories: prompt phrases, CSS hiding, aria-hidden/hidden, HTML comments, zero-width unicode
• Three-tier severity ratings (High / Medium / Low) with color-coded output

Background: Why Prompt Injection Is Both an SEO and a Security Issue

Google SGE, Bing Chat, ChatGPT with Browsing, Perplexity, Claude with Web Search – more and more users see your content as an AI-generated summary rather than a classic search result. Whoever can influence that summary, influences how your brand is cited. Prompt injection is the attempt to do exactly that.

Typical entry points

• Open comment systems that allow HTML or certain shortcodes.
• Guest posts from external authors, published without thorough review.
• Compromised plugins or themes that inject invisible blocks into the footer or content areas.
• Imported product descriptions from supplier feeds that contain instruction tokens or zero-width characters.
• Overzealous anti-scraping tools that mix real content with hidden anti-AI instructions.

What to do with a finding

• High: Inspect the affected location in source immediately. If compromised, restore from backup, rotate passwords, update plugins.
• Medium: Review the content. Hidden sections with substantial text are rarely intentional. Sometimes an old CSS artifact that can be removed.
• Low: Often a false positive from legitimate aria-hidden usage (screen-reader-only content, decorative elements). Verify manually that the content is benign.

Frequently Asked Questions

Does the tool analyze JavaScript-rendered content?

No. The scanner fetches the page server-side and analyzes the raw HTML source, the way most AI crawlers see it. Content that only appears after JavaScript execution is not captured. This is deliberate – it mirrors what GPTBot, ClaudeBot, and others actually evaluate.

What if my scan returns no findings?

That is the normal case and a good sign. The scanner only reports concrete hits. A clean page produces no findings.

Are all aria-hidden elements flagged?

No. Very short content (under 40 characters) and common decorative elements like <svg>, <path>, or icon spans are filtered out to avoid false positives. Only substantial text blocks are reported.

Can false positives occur?

Yes. White text on a dark background is currently flagged regardless of the actual background, because the scanner only evaluates inline-style attributes and has no full CSS cascade context. Up to 7 zero-width characters are tolerated on purpose, since they legitimately appear in emoji and BOM markers.

What do the severity levels mean?

High: a direct prompt-injection phrase or instruction token was found – most likely not an accident. Medium: hidden sections with substantial text whose intent is unclear. Low: possibly legitimate, but worth a quick look.

How is this different from the AI Bot Checker?

The AI Bot Checker tests whether AI crawlers are allowed to index your page (robots.txt, noai meta). The Prompt Injection Scanner checks what those crawlers actually see – especially the parts invisible to human visitors. The two tools complement each other.

Can I extend the rules?

For developers, the architecture is designed to be extensible. Regular users don’t need to do anything – the bundled rules cover the most common attack patterns.