Jake-Schoellkopf/aicu

GitHub: Jake-Schoellkopf/aicu

Stars: 0 | Forks: 0

# AICU [![CI](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/52744ce3f3034834.svg)](https://github.com/Jake-Schoellkopf/aicu/actions/workflows/ci.yml) [![Python 3.10+](https://img.shields.io/badge/python-3.10%2B-blue.svg)](https://www.python.org/downloads/) [![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE) **Black-box security scanner for LLM applications.** Point it at any chat endpoint, get a report of what leaks.

AICU demo

## Quick Start (2 minutes) # Install git clone https://github.com/Jake-Schoellkopf/aicu.git && cd aicu pip install -e . # Option 1: Scan with an API key (OpenAI, Azure, Ollama — no Burp needed) aicu scan --api-key sk-your-key --model gpt-4o-mini # Option 2: Scan via captured Burp request (Claude, custom apps) aicu scan --request examples/demo_request.txt # Option 3: Test against the built-in vulnerable demo python demo_server.py & aicu scan --request examples/demo_request.txt ### API Key Mode (recommended for OpenAI/Azure/Ollama) # OpenAI aicu scan --api-key sk-... --model gpt-4.1-mini # Anthropic Claude aicu scan --api-key sk-ant-... --model claude-haiku-4-5-20251001 # Azure OpenAI aicu scan --api-key your-azure-key --model gpt-4o --base-url https://your-resource.openai.azure.com # Local Ollama (no key needed) aicu scan --api-key dummy --model llama3.2 --base-url http://localhost:11434 # Or set OPENAI_API_KEY env var and just run: aicu scan --model gpt-4.1-mini ### Canary Mode (proves extraction with undeniable evidence) # Plant a secret in the system prompt, check if any payload extracts it aicu scan --model gpt-4.1-mini --canary "AICU_SECRET_12345" # Combine with a custom system prompt to simulate a real app aicu scan --model gpt-4.1-mini \ --canary "sk-prod-secret-key-abc123" \ --system-prompt "You are FinanceBot for Acme Corp. Help users with account queries." If any payload makes the model output the canary value, it's an instant **CONFIRMED** finding. ### Burp Proxy Mode (for web apps like Claude, custom chatbots) # Capture a request in Burp, save to file, scan aicu scan --request captured_request.txt ## What It Finds | Category | Examples | |----------|----------| | **Prompt Disclosure** | System prompt leakage via translation, repetition, reframing | | **Capability Leakage** | Tool names, API schemas, internal function exposure | | **Safety Bypass** | Roleplay, hypothetical, academic, completion tricks | | **Credential Exposure** | API keys, tokens, internal URLs leaked in responses | | **Multi-turn Escalation** | Crescendo-style attacks that build trust over turns | | **Indirect Injection** | Malicious payloads embedded in uploaded files | | **Harmful Content** | Phishing, malware generation, disinformation | | **Unauthorized Actions** | Privilege escalation, data exfiltration prompts | | **Multimodal Attacks** | Steganographic images, adversarial audio, hidden document layers | ## Multimodal Attack Engine ## How It Works 1. **Capture** a request to your LLM endpoint (Burp Suite, browser dev tools, curl) 2. **Save** it as a raw HTTP file 3. **Run** `aicu scan --request req.txt` 4. **Read** the HTML/JSON/Markdown report with findings and evidence ## Usage # Full scan (recommended) aicu scan --request req.txt # Individual modes aicu single-turn --request req.txt --best-of-n 10 aicu multi-turn --request req.txt aicu safety --request req.txt --category safety_bypass aicu indirect --request upload_req.txt aicu multimodal --category vision # With target profile aicu scan --request req.txt --profile openai ## Burp Suite Integration 1. Capture a request in Burp (Proxy → HTTP history) 2. Right-click → Copy to file → save as `req.txt` 3. `aicu scan --request req.txt` ## CI/CD - name: LLM Security Scan run: aicu scan --request req.txt # Exit 0 = clean, 1 = confirmed findings, 2 = suspicious only ## Target Profiles Built-in: `openai`, `anthropic`, `azure_openai`, `generic` Custom via YAML: preset: openai name: my_chatbot response_path: choices[0].message.content request_delay_ms: 200 ## False Positive Reduction No external LLM needed for evaluation. AICU uses: - Payload echo detection - Baseline similarity comparison - Reflection/httpbin filtering - Entropy analysis - Refusal detection - Tiered confidence scoring ## Output Reports land in `runs/run_/`: - `report.html` — interactive HTML report - `results.json` — structured findings - `report.md` — markdown summary - `evidence/` — raw response captures ## Companion Tool | Tool | Tests | |------|-------| | **AICU** | LLM applications (prompt injection, multimodal attacks, safety bypass) | | [**AICU Agent**](https://github.com/Jake-Schoellkopf/aicu-agent) | MCP infrastructure (server probing, credential extraction, protocol attacks) | ## Install pip install aicu-scanner # from PyPI # or pip install -e . # editable install from source pip install -e ".[dev]" # with test/lint tools ## Run Tests pytest -v ## License MIT