zeroleaks  by ZeroLeaks

AI security scanner for LLM vulnerability testing

Created 2 weeks ago


329 stars

Top 83.5% on SourcePulse

Project Summary

ZeroLeaks is an autonomous AI security scanner designed to test Large Language Model (LLM) systems for prompt injection and data extraction vulnerabilities. It is aimed at engineers, researchers, and power users, and works by simulating sophisticated, real-world attacks to identify weaknesses proactively, before malicious actors can exploit them, thereby protecting proprietary instructions and sensitive configurations held in system prompts.

How It Works

The project employs a multi-agent architecture, featuring specialized roles like Strategist, Attacker, Evaluator, and Orchestrator. It systematically explores attack vectors using a "Tree of Attacks" (TAP) approach, incorporating modern techniques such as Crescendo, Many-Shot, Chain-of-Thought Hijacking, and Policy Puppetry. A dual-agent Inspector, following the TombRaider Pattern, is used for defense fingerprinting and weakness exploitation, offering a novel method for understanding and bypassing security measures.

Quick Start & Requirements

Installation is straightforward via bun add zeroleaks or npm install zeroleaks. A primary requirement is an OpenRouter API key, which must be set as the OPENROUTER_API_KEY environment variable. The tech stack includes Bun runtime and TypeScript. Code examples for programmatic use and CLI commands for scanning prompts directly or from files are provided in the documentation.

Highlighted Details

  • Features a multi-agent system for complex attack simulations.
  • Implements a Tree of Attacks (TAP) for systematic vulnerability discovery.
  • Supports advanced attack categories including Crescendo, Many-Shot, Siren, and Echo Chamber.
  • Includes a TombRaider Pattern for defense fingerprinting and exploitation.
  • Allows flexible model configuration for attacker, target, and evaluator roles.
  • Offers dual scan modes for both system prompt extraction and prompt injection testing.

Maintenance & Community

The README indicates that contributions are welcome, with a request to open an issue first for discussion. Specific details regarding core maintainers, sponsorships, or dedicated community channels (like Discord or Slack) are not provided.

Licensing & Compatibility

The software is released under the FSL-1.1-Apache-2.0 (Functional Source License). It is free to use for any non-competing purpose and is scheduled to convert to the Apache 2.0 license on January 21, 2028. Enterprise features, custom quotas, SLAs, and dedicated support are available by contacting the developers.

Limitations & Caveats

The open-source version requires self-hosting and management of API keys. CI/CD integration is noted as "Coming soon" for the hosted version, suggesting it may not be readily available for the open-source implementation. The FSL license has a future conversion date, which may require consideration for long-term commercial adoption strategies.

Health Check

  • Last Commit: 1 day ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 5
  • Issues (30d): 1
  • Star History: 330 stars in the last 17 days

Starred by Chip Huyen (Author of "AI Engineering", "Designing Machine Learning Systems"), Michele Castata (President of Replit), and 3 more.