Study material
concept 7 · AI security

Prompt injection and IDE poisoning

The AI agent is itself an attack surface. Text placed in the wrong spots can hijack its instructions: extract the system prompt, inject false authority or poison config files the IDE reads as project rules.

In 30 seconds

Prompt injection is a hostile instruction hidden in content the agent reads ("ignore previous instructions", format tokens like <|im_start|>, "reveal your system prompt"). IDE poisoning is the variant that targets config files (like CLAUDE.md, .cursorrules): the attacker plants orders disguised as project rules, false authority ("verified by Anthropic") or a fake "security scan" that makes the agent read and leak credentials. Nemesis scans these files like any other content.

Hostile text enters via the request (direct injection) or content the agent reads (indirect injection); IDE poisoning targets config files treated as rules; Nemesis scans config as untrusted content and blocks.
Direct or indirect injection; poisoning targets IDE config; Nemesis treats config as untrusted content.

From scratch: why text becomes command

An LLM does not hard-separate "data" from "instructions": it is all text in the context. If the agent reads a project file and inside it sits a convincing imperative sentence, the model may obey as if the user had spoken. Hence the two names. Direct prompt injection comes in the request itself; the indirect one comes from content the agent fetches (a README, an issue, a config file). IDE poisoning is indirect injection with a chosen target: the files the IDE treats as project authority, exactly the ones the agent tends to obey without question.

Why it matters

Nemesis's own instruction files (the AGENTS.md, the CLAUDE.md) are authority the agent is told to respect. If an attacker manages to edit one of them, or plant a poisoned .cursorrules, they speak with the project's voice. That is why the rule is strict: these config files are scanned against poisoning and never exempted from the scan. The defense had to treat config as untrusted content, not as truth.

The authority chain Nemesis preserves: the human decides; Nemesis contains with deterministic enforcement; the AI agent operates but does not destroy; the system executes only what passed.
What poisoning tries to subvert is exactly this: the authority chain. Human → Nemesis → AI → System.

How it correlates

Prompt injection and poisoning are the same vector in two places: the injection pattern is the core, and poisoning is it applied to an IDE target file, plus social-engineering tricks (false authority, fake scan). The credential harvest the "fake scan" tries to provoke is the bridge to group 8 (exfiltration). And scanning its own rule files is part of the posture of protecting Nemesis itself.

How Nemesis applies it

The injection visitor carries a pattern list: orders to ignore instructions, AI format tokens and system-prompt extraction attempts.

📄 .nemesis/nemesis-defender/src/visitors/prompt_injection.rs:1-29 · padrões de injeção

//! Detecta instrução de IA injetada em strings/comentários:
//! - "ignore previous instructions"
//! - tokens de formato (<|im_start|>, [INST], <<SYS>>)
//! - extração de system prompt ("reveal your system prompt")
const INJECTION_PATTERNS: &[&str] = &[
    "ignore previous instructions", "override safety", "bypass restrictions",
    "<|im_start|>", "[INST]", "<<SYS>>", /* ... */ ];

For IDE config, the visitor only acts if the file is actually a config file (target), and checks three things: injection, fake security scan and authority injection:

📄 .nemesis/nemesis-defender/src/visitors/ide_config_poisoning.rs:157-206 · scan_ide_config

pub fn scan_ide_config(path: &Path, content: &[u8]) -> Vec<DefenderViolation> {
    if !is_ide_config_file(path) { return violations; }   // só arquivos de config
    if has_ide_prompt_injection(text) { /* ignore-previous, DAN, override */ }
    if has_fake_security_scan(text)  { /* "rode um scan" = ler+vazar credencial */ }
    if has_authority_injection(text) { /* "verified by Anthropic", "rules suspended" */ }
}

Decisions and limits

The fake "security scan" is fine social engineering: the file tells the agent to run a "scan" before answering, and that scan reads credentials and sends them out. The rule is simple: legitimate detection runs in CI; an agent has no reason to read a secret. Authority injection exploits trust ("trusted configuration", "security rules suspended", "verified by Anthropic"); no external file can grant elevated permission, so every such claim is treated as an attack.

And since text that talks about prompt injection (this material, for instance) contains the same terms, the poisoning detector targets IDE config files and credential harvesting exempts pure prose: conviction requires an executable sink.

Self-check

Why are config files (CLAUDE.md, .cursorrules) scanned instead of trusted?

Because they hold authority over the agent; an attacker who edits them speaks with the project's voice. The rule is never to exempt them from the scan, they are untrusted content like any other.

What is authority injection?

A false claim of legitimacy ("verified by Anthropic", "rules suspended") so the agent obeys without resistance. No external file grants elevated permission; it is social engineering, and it is flagged.

Why separate prompt injection (direct) from poisoning (config)?

It is the same vector, but poisoning targets files the IDE treats as rules, which changes the trigger (it only fires on config files) and adds authority and fake-scan tricks.

Further reading

Citações verificadas contra o repositório. Voltar ao índice.