Vulnerable LLM agent for prompt-injection attack research
Top 88.9% on sourcepulse
This project provides a vulnerable chatbot powered by a Langchain ReAct agent, designed for educational purposes. It allows security researchers and developers to experiment with and understand prompt injection attacks, specifically Thought/Action/Observation injection, within LLM-powered applications.
How It Works
The agent simulates a chatbot environment using Langchain and a ReAct agent. It uses OpenAI's GPT-4 or GPT-4-Turbo models, which are required for reliable tool usage. The core functionality revolves around demonstrating prompt injection techniques that manipulate the agent's behavior, such as hijacking its Thought/Action/Observation reasoning loop or making it perform unintended actions through its tools, such as SQL injection.
Quick Start & Requirements
Install dependencies with pipenv install, or set up a virtual environment manually (python3 -m venv env, source env/bin/activate, pip install -r requirements.txt).
Run the app with streamlit run main.py.
For Docker, build with docker build -t dvla . and run with docker run --env-file env.list -p 8501:8501 dvla.
Environment settings are read from a .env file (env.list for the Docker run).
Highlighted Details
Maintenance & Community
Contributions are welcome via pull requests and issues. The project encourages adaptation for open-source LLMs. Contact via GitHub issues.
Licensing & Compatibility
Released under the Apache 2.0 license. Compatible with commercial use.
Limitations & Caveats
GPT-3.5-Turbo is not reliably supported due to tool usage limitations. The project is an educational tool and may not represent production-ready security hardening.
Last activity: 1 month ago (Inactive)