Capability · Prompt injection
Scan the files that
tell your agent what to do
Coding agents follow instructions inside the files they read. The guard statically scans CLAUDE.md, .cursorrules, SKILL.md and similar instruction files for injection and secret-bait — before any of it steers the agent.
❯ cdxai scan-instructions scanning instruction files… ✓ ./CLAUDE.md clean ✓ ./.cursorrules clean ✗ ./vendor/SKILL.md 2 findings [HIGH] override-instructions “ignore the prior rules and…” [HIGH] conceal-from-user “…do not mention this to the user” → 2 console issues opened matched text stays on device
The risk
The agent trusts its instruction files
Instruction files ship in repos, get pasted from the web, and travel with templates. To the agent they are authoritative — which makes them an ideal place to hide an attack.
Poisoned instruction files
A repo's instruction file can quietly tell the agent to ignore prior rules, take an unsafe action, or hide what it did from the developer.
Secret-bait
Instructions can coax the agent into reading credential files or environment variables and pulling them into context — a setup for exfiltration.
Travels with the repo
These files arrive with cloned repos, shared templates and pasted snippets — long before a human reviews a single line.
Mechanics
How the scan works
Find instruction files
The guard locates the instruction files agents honour — CLAUDE.md, .cursorrules, SKILL.md and their equivalents — across the workspace.
Static scan
Each file is statically analysed for injection markers: override-instructions, conceal-from-user, and exfiltration directives, plus secret-bait patterns.
De-obfuscate
Zero-width and bidi unicode is stripped and encoded blobs decoded first — so an attack can't hide between visible characters.
Surface a finding
Matches become severity-scored Console issues with the exact rule and location — caught early, before the instruction ever runs.
Inside the capability
What the scan catches
The same injection intelligence the ingress axis uses at runtime, applied statically to the files agents read first.
Override-instructions
Text that tells the agent to ignore prior or system instructions — the classic injection opener.
Conceal-from-user
Text instructing the agent to hide an action or its output from the developer it works for.
Exfiltration directives
Text steering the agent to read and send out secrets, credentials or source.
Secret-bait
Prompts engineered to make the agent open credential files or env vars and pull them into context.
Obfuscation-aware
Invisible unicode and encoded payloads are normalized before matching, so hidden instructions still surface.
Precise locations
Every finding names the file, the rule and where it matched — fast to verify, fast to remove.
Outcomes
What you get
- Poisoned instruction files caught before they steer an agent
- Coverage of CLAUDE.md, .cursorrules, SKILL.md and similar files
- Detection of override, conceal and exfiltration directives
- Obfuscation-resistant matching on invisible and encoded text
- Severity-scored Console issues with exact file and rule
- Shared intelligence with the runtime ingress axis
Ready to see your graph?
Connect a cloud account in under 30 minutes. See every finding rooted in identity, asset, and blast radius — with a fix path attached.
Book a Demo