From 66a93754e8306af80bd70f5fb0a6cd0447fdf6e8 Mon Sep 17 00:00:00 2001
From: FailSafe Researcher
Date: Tue, 9 Jun 2026 20:23:21 -0700
Subject: [PATCH] fix: sanitize autonomous task metadata before LLM system prompt injection

Autonomous task name, description, and cron fields are interpolated directly into the LLM system prompt via _build_autonomous_task_prompt() without sanitization. An attacker who can create autonomous tasks (e.g. via the local dev API exposed without auth) can inject arbitrary instructions into the system prompt. Add a _sanitize_task_field() helper that strips ASCII control characters and common prompt-injection markers before interpolation, and wraps values in XML-style delimiters to reduce injection risk.
Signed-off-by: FailSafe Researcher
---
 intentkit/core/prompt.py | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/intentkit/core/prompt.py b/intentkit/core/prompt.py
index bfe10303..a1c1b876 100644
--- a/intentkit/core/prompt.py
+++ b/intentkit/core/prompt.py
@@ -294,15 +294,30 @@ def _build_autonomous_task_prompt(agent: Agent, context: AgentContext) -> str:
 # Fallback if task not found
 return f"You are running an autonomous task. The task id is {task_id}. "
 
+ def _sanitize_task_field(value: str) -> str:
+ """Strip characters that could be used for prompt injection in task metadata fields."""
+ import re
+ # Remove ASCII control characters (newlines, tabs, etc.)
+ value = re.sub(r'[\x00-\x1f\x7f]', ' ', value)
+ # Remove common prompt-injection markers
+ value = re.sub(
+ r'(?i)(system:|###|<\|system\|>|\[INST\]|OVERRIDE:|ignore\s+previous)',
+ '[removed]',
+ value,
+ )
+ return value.strip()
+
 # Build detailed task info - always include task_id
 if autonomous_task.name:
- task_info = f"You are running an autonomous task '{autonomous_task.name}' (ID: {task_id})"
+ safe_name = _sanitize_task_field(autonomous_task.name)
+ task_info = f"You are running an autonomous task '{safe_name}' (ID: {task_id})"
 else:
 task_info = f"You are running an autonomous task (ID: {task_id})"
 
- # Add description if available
+ # Add description if available — sanitize before injection into system prompt
 if autonomous_task.description:
- safe_desc = _sanitize_task_field(autonomous_task.description)
+ task_info += f": {safe_desc}"
 
 # Add schedule info (minutes field is deprecated)
 if autonomous_task.cron:
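Review bot: The commit message says values are wrapped in XML-style delimiters, but the hunk adds none — `safe_name` is still interpolated inside plain single quotes and `safe_desc` after a bare colon, so the structural boundary the message promises does not exist; either drop that claim or interpolate as `task_info = f"You are running an autonomous task <task_name>{safe_name}</task_name> (ID: {task_id})"` and likewise `<task_description>…</task_description>` around `safe_desc`. The cron field named in the message is not sanitized either: the hunk ends at `if autonomous_task.cron:`, and since the diffstat's 18 insertions are all accounted for in this hunk, the cron interpolation below it presumably still takes the raw value. `_sanitize_task_field` is a nested def with a function-local `import re`, recreated on every call; hoisting it to module level with precompiled patterns (say `_CONTROL_RE` and `_MARKER_RE`) would be the usual shape and makes the marker list unit-testable. The marker denylist is a heuristic, so the docstring should say so rather than promise prevention, e.g. `"""Best-effort: replace ASCII control chars with spaces and blank known prompt-marker strings; not a complete defense, callers must still delimit the value."""`. The enclosing `_build_autonomous_task_prompt` starts and ends outside the hunk.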