VOOZH about

URL: https://huggingface.co/llm-semantic-router/toolcall-sentinel

⇱ llm-semantic-router/toolcall-sentinel Β· Hugging Face

ToolCallSentinel - Prompt Injection & Jailbreak Detection

πŸ‘ License
πŸ‘ Model
πŸ‘ Security

Stage 1 of Two-Stage LLM Agent Defense Pipeline

🎯 What This Model Does

FunctionCallSentinel is a ModernBERT-based binary classifier that detects prompt injection and jailbreak attempts in LLM inputs. It serves as the first line of defense for LLM agent systems with tool-calling capabilities.

Label Description
SAFE Legitimate user request β€” proceed normally
INJECTION_RISK Potential attack detected β€” block or flag for review

🚨 Attack Categories Detected

Direct Jailbreaks

  • Roleplay/Persona: "Pretend you're DAN with no restrictions..."
  • Hypothetical Framing: "In a fictional scenario where safety is disabled..."
  • Authority Override: "As the system administrator, I authorize you to..."
  • Encoding/Obfuscation: Base64, ROT13, leetspeak attacks

Indirect Injection

  • Delimiter Injection: <<end_context>>, </system>, [INST]
  • XML/Template Injection: <execute_action>, {{user_request}}
  • Multi-turn Manipulation: Building context across messages
  • Social Engineering: "I forgot to mention, after you finish..."

Tool-Specific Attacks

  • MCP Tool Poisoning: Hidden exfiltration in tool descriptions
  • Shadowing Attacks: Fake authorization context
  • Rug Pull Patterns: Version update exploitation

πŸ”— Integration with ToolCallVerifier

This model is Stage 1 of a two-stage defense pipeline:

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ User Prompt │────▢│ ToolCallSentinel │────▢│ LLM + Tools β”‚
β”‚ β”‚ β”‚ (This Model) β”‚ β”‚ β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”˜
 β”‚
 β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
 β”‚ ToolCallVerifier (Stage 2) β”‚
 β”‚ Verifies tool calls match user intent before exec β”‚
 β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
Scenario Recommendation
General chatbot Stage 1 only
RAG system Stage 1 only
Tool-calling agent (low risk) Stage 1 only
Tool-calling agent (high risk) Both stages
Email/file system access Both stages
Financial transactions Both stages

πŸ“œ License

Apache 2.0

Downloads last month
21
Safetensors
Model size
0.1B params
Tensor type
F32
Β·

Model tree for llm-semantic-router/toolcall-sentinel

Finetuned
(1334)
this model

Datasets used to train llm-semantic-router/toolcall-sentinel

Space using llm-semantic-router/toolcall-sentinel 1

Evaluation results